50dba9c5aa44ad0a65aeb8cf8d552a2928b7d441f1a8ffa20280757f146c5d76

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
17/06/2024, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe
Size

88KB
MD5

2dc958d58978bbd7b1108c8a0da50cf0
SHA1

bc4051bba1812f7fc6cb6c175b7a00490c8520a6
SHA256

50dba9c5aa44ad0a65aeb8cf8d552a2928b7d441f1a8ffa20280757f146c5d76
SHA512

42ad6a9174965f23b744c3dea27c5472df8d4ad93f269f032591b9af69921e8a7c9f6928094c19053cf7ae155c4edfb9c3da3988ad591c6de3b3e9b719892c6c
SSDEEP

1536:ahUDofByDJWbMGcEFLPEPKOJUsy1+VMA:aIofBHbKMP0PvMA

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2888	explorer.exe
2368	explorer.exe
1876	explorer.exe
1400	explorer.exe

Loads dropped DLL 5 IoCs

pid	Process
2288	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe
2288	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe
2288	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe
2288	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe
2288	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2288-144-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2288-142-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2288-141-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2288-138-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2288-136-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2288-314-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2368-424-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\config\\explorer.exe"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 2288	2172	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	28
PID 2888 set thread context of 2368	2888	explorer.exe	33
PID 2888 set thread context of 1876	2888	explorer.exe	34
PID 1876 set thread context of 1400	1876	explorer.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2172	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe
2288	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe
2888	explorer.exe
2368	explorer.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2288	2172	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2288	2172	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2288	2172	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2288	2172	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2288	2172	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2288	2172	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2288	2172	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2288	2172	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	28
PID 2288 wrote to memory of 2356	2288	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	29
PID 2288 wrote to memory of 2356	2288	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	29
PID 2288 wrote to memory of 2356	2288	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	29
PID 2288 wrote to memory of 2356	2288	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	29
PID 2356 wrote to memory of 2012	2356	cmd.exe	31
PID 2356 wrote to memory of 2012	2356	cmd.exe	31
PID 2356 wrote to memory of 2012	2356	cmd.exe	31
PID 2356 wrote to memory of 2012	2356	cmd.exe	31
PID 2288 wrote to memory of 2888	2288	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	32
PID 2288 wrote to memory of 2888	2288	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	32
PID 2288 wrote to memory of 2888	2288	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	32
PID 2288 wrote to memory of 2888	2288	2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe	32
PID 2888 wrote to memory of 2368	2888	explorer.exe	33
PID 2888 wrote to memory of 2368	2888	explorer.exe	33
PID 2888 wrote to memory of 2368	2888	explorer.exe	33
PID 2888 wrote to memory of 2368	2888	explorer.exe	33
PID 2888 wrote to memory of 2368	2888	explorer.exe	33
PID 2888 wrote to memory of 2368	2888	explorer.exe	33
PID 2888 wrote to memory of 2368	2888	explorer.exe	33
PID 2888 wrote to memory of 2368	2888	explorer.exe	33
PID 2888 wrote to memory of 1876	2888	explorer.exe	34
PID 2888 wrote to memory of 1876	2888	explorer.exe	34
PID 2888 wrote to memory of 1876	2888	explorer.exe	34
PID 2888 wrote to memory of 1876	2888	explorer.exe	34
PID 2888 wrote to memory of 1876	2888	explorer.exe	34
PID 2888 wrote to memory of 1876	2888	explorer.exe	34
PID 2888 wrote to memory of 1876	2888	explorer.exe	34
PID 2888 wrote to memory of 1876	2888	explorer.exe	34
PID 1876 wrote to memory of 1400	1876	explorer.exe	35
PID 1876 wrote to memory of 1400	1876	explorer.exe	35
PID 1876 wrote to memory of 1400	1876	explorer.exe	35
PID 1876 wrote to memory of 1400	1876	explorer.exe	35
PID 1876 wrote to memory of 1400	1876	explorer.exe	35
PID 1876 wrote to memory of 1400	1876	explorer.exe	35
PID 1876 wrote to memory of 1400	1876	explorer.exe	35
PID 1876 wrote to memory of 1400	1876	explorer.exe	35

C:\Users\Admin\AppData\Local\Temp\2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\2dc958d58978bbd7b1108c8a0da50cf0_NeikiAnalytics.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RDBFA.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config\explorer.exe" /f
      4⤵
      Adds Run key to start application
      PID:2012
- - C:\Users\Admin\AppData\Roaming\config\explorer.exe
    "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Users\Admin\AppData\Roaming\config\explorer.exe
      "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2368
  - - C:\Users\Admin\AppData\Roaming\config\explorer.exe
      "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1876
    - - C:\Users\Admin\AppData\Roaming\config\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
        5⤵
        Executes dropped EXE
        
        PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab23C8.tmp

Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RDBFA.bat

Filesize
149B

MD5
fc1798b7c7938454220fda837a76f354

SHA1
b232912930b2bc24ff18bf7ecd58f872bbe01ea0

SHA256
7f0a5917b5aca9c5beb153aad0ef95bf0aeafb83768da5b086c3f029ba42d7c8

SHA512
d1abdd45a8e5d33893b9d19424174a07feed145d2e6b4be318ab5fde503f850579a4a101a010f30e16ecde2c7123f45357a8341214655321ee0f0097ca911331

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar242D.tmp

Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
\Users\Admin\AppData\Roaming\config\explorer.exe

Filesize
88KB

MD5
9fc491f45348957d359766e866b18ea6

SHA1
95340b71e83fbe05de163aa2c2ccbd54b55b8bce

SHA256
1cb606272c30ba9f53aff87bf8b1293d20efc6ff285243903ac32cd5e4e41cfa

SHA512
c2195c661f0a63fad4741ab7f30174a8afc7e116214ba0d046d630cdb1cc29e96b2f2f230eebee31f679124e6cc109c27befc8bea7600f33a5809ec0749266f5

Download Submit
memory/1876-329-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1876-311-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2172-84-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2172-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2172-82-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2172-133-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/2172-132-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/2172-83-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2172-89-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2172-88-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2172-87-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2172-86-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2172-85-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2288-134-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2288-136-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2288-138-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2288-140-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2288-314-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2288-141-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2288-142-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2288-144-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2368-424-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads