Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-06-2024 06:25
Behavioral task: behavioral1
- Sample: 48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe
- Size: 1.8MB
- MD5: c48d3c62e9034dd9a5403dad78bb06b0
- SHA1: 3819c3caf9f78e9245c0c621f15260d9b014912d
- SHA256: 48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552
- SHA512: 28be800f6ac75e0cf2a9e8b62b77c8f43ae120cc122df800dcfe7047da03928b2d948f13247ecaefaece0dabfc5951600ad15cf387950e920e199c1157949b31
- SSDEEP: 24576:Dr0TxazTID9UhQtRlA6Jz7kzSRciXSD3FbbBN/IyZJbOOEHqBh3SWgSklWNyH:DZzED7tRX8SWwWpNN/IyjEOBST1WNyH
Malware Config
Signatures
Detect Blackmoon payload (1 IoC)
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\UOKHTV.GBQBV; yara_rule: family_blackmoon
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects a file packed with ACProtect software.
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\SKinH_EL.dll; yara_rule: acprotect
Executes dropped EXE (1 IoC)
Processes:
- pid: 640; process: UOKHTV.GBQBV
Loads dropped DLL (4 IoCs)
Processes:
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
Drops file in System32 directory (2 IoCs)
Processes:
- description: File created; ioc: C:\Windows\SysWOW64\ESPI11.dll; process: UOKHTV.GBQBV
- description: File opened for modification; ioc: C:\Windows\SysWOW64\ESPI11.dll; process: UOKHTV.GBQBV
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
- description: Key value enumerated; ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh; process: netsh.exe
- description: Key opened; ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh; process: netsh.exe
- description: Key queried; ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh; process: netsh.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
- Token: SeDebugPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
- Token: SeIncBasePriorityPrivilege; pid: 640; process: UOKHTV.GBQBV
- Token: 33; pid: 640; process: UOKHTV.GBQBV
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
- pid: 1780; process: 48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe
- pid: 1780; process: 48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe
- pid: 1780; process: 48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
- pid: 640; process: UOKHTV.GBQBV
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- description: PID 1780 wrote to memory of 640; pid: 1780; process: 48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe; target process: UOKHTV.GBQBV
- description: PID 1780 wrote to memory of 640; pid: 1780; process: 48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe; target process: UOKHTV.GBQBV
- description: PID 1780 wrote to memory of 640; pid: 1780; process: 48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe; target process: UOKHTV.GBQBV
- description: PID 640 wrote to memory of 1708; pid: 640; process: UOKHTV.GBQBV; target process: netsh.exe
- description: PID 640 wrote to memory of 1708; pid: 640; process: UOKHTV.GBQBV; target process: netsh.exe
- description: PID 640 wrote to memory of 1708; pid: 640; process: UOKHTV.GBQBV; target process: netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe"
   PID: 1780
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\UOKHTV.GBQBV (child of PID 1780)
      Command line: "C:\Users\Admin\AppData\Local\Temp\UOKHTV.GBQBV"
      PID: 640
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (child of PID 640)
         Command line: netsh winsock reset
         PID: 1708
         - Event Triggered Execution: Netsh Helper DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 120KB
  MD5: c3adbb35a05b44bc877a895d273aa270
  SHA1: 8afe20d8261d217fd23ccfe53bd45ad3bec82d2d
  SHA256: b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c
  SHA512: 614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc
- Filesize: 86KB
  MD5: 114054313070472cd1a6d7d28f7c5002
  SHA1: 9a044986e6101df1a126035da7326a50c3fe9a23
  SHA256: e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1
  SHA512: a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522
- Filesize: 1.8MB
  MD5: f100b5781a7f66b210a91e4e95aae853
  SHA1: 03ffaff9a166d24a06b6396c0dda1a88f63d5010
  SHA256: e899dfd3f16b89f3d3d3c39569a864a739f3abb130d66bcec39437e64a78c07b
  SHA512: 221b723bbc744650dccae3e1ca0783cf0114ab1d90df6a7d7294bb7a3dcaa32ef1f8099588377393a88db790e99b1245f7c520394cc4280e2127311968486cc8