514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274

General

Target

514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe
Size

218KB
MD5

7f85b1e0a0c19b3f052ece60b37e9d30
SHA1

d1aff094d38f8fdb3aa195eebe1553e75ef1bb02
SHA256

514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274
SHA512

e2bc8544d4bcf4e935177fe1e12d0568cc44e1509497039ffbdd93203b5f940a37eca29bffe6bf183725d5cdfbeac1dee35dd4099f008e44f5fe3e3f8aed6053
SSDEEP

3072:tvm4SZsQrNzPrl6rjGMjp39d4u8iqddCxMIJOb2o5DsBPjim6hwM2H6:h1SyAJp6rjn1gOObn4b6h9h

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1504	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\15fe80ed = "2\aP3\x18\x1d=\x13\|È\x10ìÙô\\\\½ç\x06iE-¸SLíØÊ‰¹1=Ük\x1esÃäÄTdK\x0e¹\f\x05ä=ÛF$[D¼®ÃÅqì1u«t\x04$6lsq\\\x1b½\x0e4S‹Y{\x13<\x14i\x04\féŒ)¥e\|nÔ\x01ë\x05£\|4ÔÌéNÑüä³Ólþ£\fT™™Ü\\aÔ³ëk4©UÜFLCKdK\x05üFS4é\x11ä»Þ)“´\u0081ëœ•DäËéÕ\v•Œñ\\ÌkÙ©„U-ƒ‹üÃùÔd¬ÉN\x1b\x13üË{ÞyDÖ\\TQ\x06Û&U\x1cÆ”<©ã\u009dã\f´\v‹6Tñä!D=½Ì]ÔF‹ÆÝyd”4sÓ1ô\x1clÄ{¶%„\f“y„,N³\u00ad+$;[Ãv\x03SŒtklŒFŽ\x13d\x1cñ"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\15fe80ed = "2\aP3\x18\x1d=\x13\|È\x10ìÙô\\\\½ç\x06iE-¸SLíØÊ‰¹1=Ük\x1esÃäÄTdK\x0e¹\f\x05ä=ÛF$[D¼®ÃÅqì1u«t\x04$6lsq\\\x1b½\x0e4S‹Y{\x13<\x14i\x04\féŒ)¥e\|nÔ\x01ë\x05£\|4ÔÌéNÑüä³Ólþ£\fT™™Ü\\aÔ³ëk4©UÜFLCKdK\x05üFS4é\x11ä»Þ)“´\u0081ëœ•DäËéÕ\v•Œñ\\ÌkÙ©„U-ƒ‹üÃùÔd¬ÉN\x1b\x13üË{ÞyDÖ\\TQ\x06Û&U\x1cÆ”<©ã\u009dã\f´\v‹6Tñä!D=½Ì]ÔF‹ÆÝyd”4sÓ1ô\x1clÄ{¶%„\f“y„,N³\u00ad+$;[Ãv\x03SŒtklŒFŽ\x13d\x1cñ"	514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4716	514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe
4716	514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe
4716	514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe
4716	514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe
4716	514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe
4716	514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe
4716	514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe
4716	514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4716	514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 1504	4716	514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe	84
PID 4716 wrote to memory of 1504	4716	514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe	84
PID 4716 wrote to memory of 1504	4716	514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\514117fd550f4d4da94d4f78eb1109a59fe7ee956ffc75a3a1a42e81d7e04274_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apppatch\svchost.exe

Filesize
218KB

MD5
4987ef7ce17c445fdec3d79df9a75456

SHA1
2465fbc540e8dc70c352353dc90af124426fc3c7

SHA256
d6400668fa0ebbc033cefddd98bb9da714dd9c774a05655e6c32b9b7094ec20f

SHA512
e3dfa453eb2286c31c205aef1f9fbf03e2b71008977accf93e51c4d5801c2bfd5090017f4441f75c5598943b01a2b46f59aab203cb9f2acce18d744c17479ed3

Download Submit
memory/1504-17-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/1504-14-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/1504-15-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/1504-16-0x00000000028D0000-0x0000000002978000-memory.dmp

Filesize
672KB

Download
memory/1504-18-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/1504-22-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/1504-20-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4716-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4716-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4716-12-0x0000000000760000-0x00000000007B1000-memory.dmp

Filesize
324KB

Download
memory/4716-11-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/4716-0-0x0000000000760000-0x00000000007B1000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads