2f74fbc202004cc839c592fb5257a0fadf323a589d3b2767791fdcb28854b3c5

General

Target

d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
Size

99KB
MD5

d9b63767590d4a1803da096521fccce0
SHA1

3b291582a1a4a2e9106cf1f521d585fea977e863
SHA256

2f74fbc202004cc839c592fb5257a0fadf323a589d3b2767791fdcb28854b3c5
SHA512

171d90654496d16abbd6ec7aacff841520e4119e7dd943895d512f09c6b8d562d1dff32a9f251143a362b5bfa2db94cfb166d89421e46ed4dd2df1b03e3989d6
SSDEEP

1536:eshfSWHHNvoLqNwDDGwCe6cLJxtdlmTgja52YN3e0zm:vhfxHNIie6cLJxtdlmTgja52YN3e0zm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
224	rundll32.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\¢«.exe	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\¢«.exe	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\notepad¢¬.exe	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\notepad¢¬.exe	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\rundll32.exe	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
File created	C:\Windows\system\rundll32.exe	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718516337"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718516337"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
224	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
224	rundll32.exe
224	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 224	4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe	85
PID 4396 wrote to memory of 224	4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe	85
PID 4396 wrote to memory of 224	4396	d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d9b63767590d4a1803da096521fccce0_NeikiAnalytics.exe"
1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\system\rundll32.exe
  C:\Windows\system\rundll32.exe
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\notepad¢¬.exe

Filesize
95KB

MD5
9adf77f469253c9c0d9d3dc7a3e6a15a

SHA1
b6f02a04cc1007b0ed3239162aa95ceb14a2cd8f

SHA256
089f2df5a4adf63f2faf14e8c168f9b65563a67ba49876e538a91bf98e69c85e

SHA512
9f630b47f63876ee6280219349ffbdc968ef89cce2544f6616b6870c774d7df862e03f86f6f9492ade60251ab6874ef4932dcab07f81ecfd327ac1eb031899d0

Download Submit
C:\Windows\System\rundll32.exe

Filesize
99KB

MD5
9ceaa8e83f32ac3e9e965febba76b73c

SHA1
cd84408b2374025bc574dce856e42364640d932e

SHA256
191124ab0eb3dd64b9c3d276df7b7effcbed1cd998ea374681d3ae4aab7a613f

SHA512
dab88104b522ba5ff1c0e4fcdbff01e88aad83adb34513cd3f9d63a2f33e22faab78ba87774f6f8896dabec2968a2e0fd241605451318e18fa6775c4bef27694

Download Submit
memory/224-14-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4396-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4396-13-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads