3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242

General

Target

3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe
Size

1.6MB
MD5

ee4b1348bea0e0f67b4345f7889d7a20
SHA1

f68aea4feeeaa9ddd13491b1dcfa3e34d909abf2
SHA256

3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242
SHA512

ec974b2b61bc6e205d91c40bbc5a70265f0a8fa6c30f12f562a0ead806fb9f17dcef69f3b044b5981d8877fa2b7f759f997b6870e59f76ab87599d2f8d4623e4
SSDEEP

49152:YZ+ZKAKXsNolSGaumNJyo63e/gMirsV7G16PVtv0Qvx8M:c1/sNo0X9aSgQ016PXxR

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a0000000120fa-2.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2576	hidcon.exe

Loads dropped DLL 5 IoCs

pid	Process
1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe
1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe
1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe
1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe
1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1688-0-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/files/0x000a0000000120fa-2.dat	upx
behavioral1/memory/1688-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x0005000000019228-56.dat	upx
behavioral1/files/0x000500000001925d-59.dat	upx
behavioral1/memory/1688-117-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1688-119-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2700	1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2700	1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2700	1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2700	1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2548	1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe	30
PID 1688 wrote to memory of 2548	1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe	30
PID 1688 wrote to memory of 2548	1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe	30
PID 1688 wrote to memory of 2548	1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe	30
PID 1688 wrote to memory of 2576	1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe	32
PID 1688 wrote to memory of 2576	1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe	32
PID 1688 wrote to memory of 2576	1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe	32
PID 1688 wrote to memory of 2576	1688	3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe	32
PID 2576 wrote to memory of 2440	2576	hidcon.exe	33
PID 2576 wrote to memory of 2440	2576	hidcon.exe	33
PID 2576 wrote to memory of 2440	2576	hidcon.exe	33
PID 2576 wrote to memory of 2440	2576	hidcon.exe	33

C:\Users\Admin\AppData\Local\Temp\3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3f38aab09a8ac04cd49ae46a7a6a2c012c6e0b0a309f3bbabcd3e0d8e7327242_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c if exist X:\Windows\SysWOW64\esent.dll (copy 764\* X:\Windows\SysWOW64)
  2⤵
  PID:2700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c if exist X:\Windows\wrp64.dll (copy 864\* X:\Windows\SysWOW64)
  2⤵
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\2k10\SDI\hidcon.exe
  "C:\Users\Admin\AppData\Local\Temp\2k10\SDI\hidcon.exe" SDI_R.cmd C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c SDI_R.cmd C:\Users\Admin\AppData\Local\Temp
    3⤵
    PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2k10\SDI\SDI_R.cmd

Filesize
1KB

MD5
508853d510b243edbfe923ca4176b530

SHA1
ee5045bfc571675a1f5d847687ee303b6fba7bed

SHA256
6d18193a7ac003ddcd3e92393c7e79729003308a36c297a24b061025a60d0910

SHA512
32616af5a4913da31095d43aaefc4ac6037b3038e50f7f2a8cf72a75c14e41b3d90638fb5a7bb359edd9e06dd8f189018babec554fa24abc33c442e81190400b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2k10\SDI\SDI_R.exe

Filesize
4.6MB

MD5
e8d1ebad7357ab99bcf2a1f289a37e43

SHA1
869af77a2f330467e25051d7fc70c750c4110956

SHA256
5ec2e117e3802b58be1e2dcb88e487bb178d8e5f7093cfa6f44e6efd630db7e5

SHA512
55b2b53264f89ca31ccaa68a016f8a8578eb79f35136d0072cffe2182b50465d2176373569417be59d8f1b0cf8666c34728a22225b3b090a4766071a22c6e6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2k10\SDI\hidcon.exe

Filesize
2KB

MD5
b2dadab18c318443301d0087cd7200ba

SHA1
c0adf61a17a3698548bee1ef225ad824ab901e0d

SHA256
b88a4d442bcd94457fc75dc5a541dc3437fd01091a2b6500569c699260e65238

SHA512
4bae11cde7936c9ef0549074f2e03307f3cf13f4a824744c68e7fb46c656bb136ebf590675ab43f5cb7b247483ad5bb939be30e8b3a3c4fbf70c9884af7988ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\2k10\SDI\nircmdc.exe

Filesize
43KB

MD5
0e69b6bd18e064c83a11b48495c1b01e

SHA1
21c4cc08d3600c564bd0d04c8553e59f564bfff4

SHA256
67e0d635825cbf7cc213670f671544da9ff18047742dd4a0696a508b79eef607

SHA512
e7c9b9209359183ade3502ad9c8807b7948d38fd0ef883655decef2e5f212be646a0e3fd93b51988595511b979c669dee8f9f2a3ba90a4b0cecf0423ff2d3f51

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\2k10\SDI\SDI_R.exe.tmp

Filesize
4.7MB

MD5
e5bfb71d4e2ee270ec191cd8f9617280

SHA1
059ce1485a4b3f3f0f3ce7af5a97c67db8e3d808

SHA256
afcdb0329beab4d32a1e5b3c859adc52d3b9ece3d5200e057e2ca6fe6d8554b9

SHA512
d2c384526c12e0f9215cd2327927f6296daf6c261c9779e3811e80b0d6836bd7959eb1f75a6261a211959c913d8a0a0dba6ec3a0735c46ce4c8f7303d3bb3018

Download Submit
\Users\Admin\AppData\Local\Temp\2k10\SDI\nircmdc.exe.tmp

Filesize
119KB

MD5
92a75724434b43bef7aa663d027215d8

SHA1
24a07ca2ba5dadeadd8b9cbaef120d2c5fec7ec7

SHA256
9c76e8281b843b512977bfbbfec60fcc20877daf99dbb09a723889414ca23611

SHA512
5f8e2a8f69bcc1da2153b56b5c6bb2f34d207614e6e31daf1af86bde1f139419168f6afafccd1365cc8d02c7f2587c78cebc9d5e9022f392f48ab5661cb195d5

Download Submit
memory/1688-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1688-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1688-65-0x00000000029F0000-0x0000000002A0B000-memory.dmp

Filesize
108KB

Download
memory/1688-117-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1688-119-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing