ce523103cb5e5b37fb2a55228dddc43c5654057a0a9ea7f142c8ab9fd85539cb

General

Target

4043ca7b69b272b4659c032a45488510_NeikiAnalytics.exe
Size

349KB
MD5

4043ca7b69b272b4659c032a45488510
SHA1

b77e2de5d36a5548430ba9c5c5e08a7671afdb36
SHA256

ce523103cb5e5b37fb2a55228dddc43c5654057a0a9ea7f142c8ab9fd85539cb
SHA512

df704d86f0664ee0ccf9d5205f073bec8c40bf54311b0db67640f7f905f5c98dcc1e62cdb79150f1861a8b1b86774f9367ab9f2d28fdcdecaa0a508eb1458b5c
SSDEEP

6144:eVTQqSiexKAK4y6UvcZSeNH49qQQOH+ym4LLIoTqHSMaxzL:ASiOK4yjNQOGzoTCSMG

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2808	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2200	4043ca7b69b272b4659c032a45488510_NeikiAnalytics.exe
2200	4043ca7b69b272b4659c032a45488510_NeikiAnalytics.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\340a6d3f = "C:\\Windows\\apppatch\\svchost.exe"	4043ca7b69b272b4659c032a45488510_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\340a6d3f = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	4043ca7b69b272b4659c032a45488510_NeikiAnalytics.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	4043ca7b69b272b4659c032a45488510_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2820	2808	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2808	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2200	4043ca7b69b272b4659c032a45488510_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2808	2200	4043ca7b69b272b4659c032a45488510_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2808	2200	4043ca7b69b272b4659c032a45488510_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2808	2200	4043ca7b69b272b4659c032a45488510_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2808	2200	4043ca7b69b272b4659c032a45488510_NeikiAnalytics.exe	28
PID 2808 wrote to memory of 2820	2808	svchost.exe	29
PID 2808 wrote to memory of 2820	2808	svchost.exe	29
PID 2808 wrote to memory of 2820	2808	svchost.exe	29
PID 2808 wrote to memory of 2820	2808	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\4043ca7b69b272b4659c032a45488510_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4043ca7b69b272b4659c032a45488510_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 484
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\AppPatch\svchost.exe

Filesize
349KB

MD5
5bc3501dee9003f300ee93a3426a67b9

SHA1
92450c0c48a900596d33e717d986d4221f2b8659

SHA256
6d04df67302b7c7dcb132db4a7d4c4e396adac4d27cada82e56d980ef522c18a

SHA512
caadabdd38c499cbf422241b4ec9ada14bcd71c5f94ed394d47001f2c46fa1ab5a0d73089df1bf477cc77c7a222db3abb692ddf93679af0aa6c5f4c149dcf5bf

Download Submit
memory/2200-12-0x0000000000020000-0x0000000000089000-memory.dmp

Filesize
420KB

Download
memory/2808-16-0x0000000000420000-0x000000000046A000-memory.dmp

Filesize
296KB

Download
memory/2808-22-0x0000000000420000-0x000000000046A000-memory.dmp

Filesize
296KB

Download
memory/2808-20-0x0000000000420000-0x000000000046A000-memory.dmp

Filesize
296KB

Download
memory/2808-18-0x0000000000420000-0x000000000046A000-memory.dmp

Filesize
296KB

Download
memory/2808-14-0x0000000000420000-0x000000000046A000-memory.dmp

Filesize
296KB

Download
memory/2808-26-0x0000000000470000-0x00000000004C8000-memory.dmp

Filesize
352KB

Download
memory/2808-25-0x0000000000470000-0x00000000004C8000-memory.dmp

Filesize
352KB

Download
memory/2808-23-0x0000000000470000-0x00000000004C8000-memory.dmp

Filesize
352KB

Download
memory/2808-28-0x0000000000470000-0x00000000004C8000-memory.dmp

Filesize
352KB

Download
memory/2808-35-0x0000000000470000-0x00000000004C8000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads