Analysis Overview
SHA256
23f944817dc560fe00ac37450e40f7656b4a9c1018c32851c050b73b3731374e
Threat Level: Known bad
The file 23f944817dc560fe00ac37450e40f7656b4a9c1018c32851c050b73b3731374e_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Detect Blackmoon payload
Blackmoon, KrBanker
UPX packed file
Launches sc.exe
Program crash
Enumerates physical storage devices
Unsigned PE
Runs net.exe
Suspicious use of WriteProcessMemory
Modifies Control Panel
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 01:31
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 01:31
Reported
2024-06-20 01:34
Platform
win7-20240611-en
Max time kernel
142s
Max time network
123s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\23f944817dc560fe00ac37450e40f7656b4a9c1018c32851c050b73b3731374e_NeikiAnalytics.exe |
Modifies Control Panel
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Appearance\Schemes | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Appearance\Schemes | C:\Windows\SysWOW64\rundll32.exe | N/A |
Runs net.exe
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\23f944817dc560fe00ac37450e40f7656b4a9c1018c32851c050b73b3731374e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\23f944817dc560fe00ac37450e40f7656b4a9c1018c32851c050b73b3731374e_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c sc config "UxSms" start= demand
C:\Windows\SysWOW64\sc.exe
sc config "UxSms" start= demand
C:\Windows\SysWOW64\cmd.exe
cmd /c net stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net.exe
net stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\cmd.exe
cmd /c net start "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net.exe
net start "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\SysWOW64\cmd.exe
cmd /c net stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net.exe
net stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\cmd.exe
cmd /c net start "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net.exe
net start "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
C:\Windows\SysWOW64\cmd.exe
cmd /c net stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net.exe
net stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\cmd.exe
cmd /c net start "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net.exe
net start "Desktop Window Manager Session Manager"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 256
Network
Files
memory/1744-0-0x0000000000400000-0x00000000004A5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 29e0e345438882a935d2c0baff457f6c |
| SHA1 | aef4d88c8c81bc9d9440e1f94f792f6ab83e2b5a |
| SHA256 | 0c127592f7670047d0b1928fede6ecf7c827b9e8086500b23756e5c02d09a4c6 |
| SHA512 | 8b87df27f7edc9328debeb3a0f68468d1d46615122e815d03330a9682776f85a47ef37889fc210fb28e56d91bf8cf0f0e594f90c3eaff5827dfd57b97a0b359b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 159bd6a587f370f16522b2a6f690bcc3 |
| SHA1 | c07d14fc439997e2f65b982c0702a985b36b9cf8 |
| SHA256 | 9193c9b28f4e19c5fbd00340dce578825fbc6ce6ab67b1c9082c0d8f64446993 |
| SHA512 | a1ddc058193d778b3935ef8f158bb06f014de72124d5561a4d7af99e77921bcfe5ffcb24a1375917d5e438e0f2a1dccb96c1bdc2fa5b6aaf75ca5cabe1788e46 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 020570a88c0692f7f3d1d42379058765 |
| SHA1 | bef5e581e4c7ef4f171c165911145dca9c68287e |
| SHA256 | 16efc91532dc5d3d151ce5bdb882e6831d562a54bf8592c31052159ce929cddb |
| SHA512 | 1f47d19f8f2dc77e7ab9fa12b096bb41600f84b67cc22fd41886b9a759c32c3565db23a1dfe039a1d376ffe7d510b3603f0acc5df14886d254235329e074ef9e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 7c048eaacd1820ac933dccc0b872fa05 |
| SHA1 | 955999eb7463f7e4031d551e24fbd1e1fb812197 |
| SHA256 | 614d7a9ca519b3aa741a512e95f6f99aedd25e8c1630d30d13dd9735b562b3be |
| SHA512 | 09f35a1a69344e64b13f0a54ecc82cd7dd1ee9124bfc274fcd5fe8af2a07e30bbf0841d9230591cbbe12bc8f066f5f36e1577b82d5d1f3f0eb6b9b5154ce5d4b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 05471356f0ea1c0f5f5b8deb29c3ebd1 |
| SHA1 | 12b14b737d1e0f76ca2494fb7a6841e5792a0504 |
| SHA256 | cf59479c75a8803468dd2a2c1d2803a2694c41992d5a0b3b65b1c69c28d1eac7 |
| SHA512 | 942285259612792c2b3a45a65483e0775314841e397e815d447fd8f69f63f5de1ac48653a051c0121bd73415655c468772d39ce72bb1ba3d8ae367f78143502b |
memory/1744-658-0x0000000000400000-0x00000000004A5000-memory.dmp
memory/1744-660-0x0000000000400000-0x00000000004A5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 01:31
Reported
2024-06-20 01:34
Platform
win10v2004-20240611-en
Max time kernel
139s
Max time network
141s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\23f944817dc560fe00ac37450e40f7656b4a9c1018c32851c050b73b3731374e_NeikiAnalytics.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2128 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\23f944817dc560fe00ac37450e40f7656b4a9c1018c32851c050b73b3731374e_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2128 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\23f944817dc560fe00ac37450e40f7656b4a9c1018c32851c050b73b3731374e_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2128 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\23f944817dc560fe00ac37450e40f7656b4a9c1018c32851c050b73b3731374e_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1972 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe |
| PID 1972 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe |
| PID 1972 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\23f944817dc560fe00ac37450e40f7656b4a9c1018c32851c050b73b3731374e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\23f944817dc560fe00ac37450e40f7656b4a9c1018c32851c050b73b3731374e_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c sc config "UxSms" start= demand
C:\Windows\SysWOW64\sc.exe
sc config "UxSms" start= demand
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 528
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/2128-0-0x0000000000400000-0x00000000004A5000-memory.dmp
memory/2128-1-0x0000000000400000-0x00000000004A5000-memory.dmp