neshta | 601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82

General

Target

601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
Size

161KB
MD5

4d23f8e8d6e5754a939f244c0ae20340
SHA1

a9e158c7d655099bc18a11496d30de72cbc64a32
SHA256

601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82
SHA512

d2c587089b0e23c7df16b12d073a6bdf3476c4f91080334459f6aa95f202a0fc61a8cb0e7a14e15ead3ee75a4a11dfd9f666435671180b3da50c23baf22ea7ff
SSDEEP

1536:JxqjQ+P04wsmJC/tp9eSFStfFfeeeeeeeeWeeeeeg3Mz8WZp3fh1LCh1G0dz3Mzh:sr85C/bfFStfFTwc5lI1G3wc5lI1Gh

Score

10^/10

neshta phorphiex evasion loader persistence spyware stealer trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://77.91.77.92/

http://91.202.233.141/

Wallets

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL

LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX

rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH

ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH

t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn

bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd

bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg

bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

Attributes

mutex
79588678
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36

Signatures

Detect Neshta payload 2 IoCs

Processes:

resource	yara_rule
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
behavioral1/memory/2864-96-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

sysmablsvr.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" sysmablsvr.exe
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysmablsvr.exe

Phorphiex payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\272906782.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysfreavs.exesysmablsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysfreavs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysfreavs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysfreavs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysfreavs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysfreavs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysfreavs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

Processes:

601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exesysfreavs.exe272906782.exesysmablsvr.exe1454012120.exe1027132879.exe2870526128.exe

pid	process
2976	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
2156	sysfreavs.exe
1628	272906782.exe
376	sysmablsvr.exe
324	1454012120.exe
2704	1027132879.exe
548	2870526128.exe

Loads dropped DLL 9 IoCs

Processes:

601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exesysfreavs.exesysmablsvr.exe1027132879.exe

pid	process
2864	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
2864	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
2864	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
2156	sysfreavs.exe
2156	sysfreavs.exe
376	sysmablsvr.exe
376	sysmablsvr.exe
376	sysmablsvr.exe
2704	1027132879.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysfreavs.exesysmablsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysfreavs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysfreavs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysfreavs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysfreavs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysfreavs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysfreavs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysfreavs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmablsvr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe272906782.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysfreavs.exe"	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"	272906782.exe

Drops file in Program Files directory 64 IoCs

Processes:

601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe

Drops file in Windows directory 5 IoCs

Processes:

601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe272906782.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File created	C:\Windows\sysfreavs.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File opened for modification	C:\Windows\sysfreavs.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
File created	C:\Windows\sysmablsvr.exe	272906782.exe
File opened for modification	C:\Windows\sysmablsvr.exe	272906782.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

sysmablsvr.exe

pid process

376 sysmablsvr.exe

pid	process
376	sysmablsvr.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exesysfreavs.exe272906782.exesysmablsvr.exe1027132879.exe

description	pid	process	target process
PID 2864 wrote to memory of 2976	2864	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
PID 2864 wrote to memory of 2976	2864	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
PID 2864 wrote to memory of 2976	2864	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
PID 2864 wrote to memory of 2976	2864	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
PID 2976 wrote to memory of 2156	2976	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe	sysfreavs.exe
PID 2976 wrote to memory of 2156	2976	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe	sysfreavs.exe
PID 2976 wrote to memory of 2156	2976	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe	sysfreavs.exe
PID 2976 wrote to memory of 2156	2976	601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe	sysfreavs.exe
PID 2156 wrote to memory of 1628	2156	sysfreavs.exe	272906782.exe
PID 2156 wrote to memory of 1628	2156	sysfreavs.exe	272906782.exe
PID 2156 wrote to memory of 1628	2156	sysfreavs.exe	272906782.exe
PID 2156 wrote to memory of 1628	2156	sysfreavs.exe	272906782.exe
PID 1628 wrote to memory of 376	1628	272906782.exe	sysmablsvr.exe
PID 1628 wrote to memory of 376	1628	272906782.exe	sysmablsvr.exe
PID 1628 wrote to memory of 376	1628	272906782.exe	sysmablsvr.exe
PID 1628 wrote to memory of 376	1628	272906782.exe	sysmablsvr.exe
PID 376 wrote to memory of 324	376	sysmablsvr.exe	1454012120.exe
PID 376 wrote to memory of 324	376	sysmablsvr.exe	1454012120.exe
PID 376 wrote to memory of 324	376	sysmablsvr.exe	1454012120.exe
PID 376 wrote to memory of 324	376	sysmablsvr.exe	1454012120.exe
PID 376 wrote to memory of 2704	376	sysmablsvr.exe	1027132879.exe
PID 376 wrote to memory of 2704	376	sysmablsvr.exe	1027132879.exe
PID 376 wrote to memory of 2704	376	sysmablsvr.exe	1027132879.exe
PID 376 wrote to memory of 2704	376	sysmablsvr.exe	1027132879.exe
PID 2704 wrote to memory of 548	2704	1027132879.exe	2870526128.exe
PID 2704 wrote to memory of 548	2704	1027132879.exe	2870526128.exe
PID 2704 wrote to memory of 548	2704	1027132879.exe	2870526128.exe
PID 2704 wrote to memory of 548	2704	1027132879.exe	2870526128.exe

C:\Users\Admin\AppData\Local\Temp\601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\3582-490\601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\sysfreavs.exe
    C:\Windows\sysfreavs.exe
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\272906782.exe
      C:\Users\Admin\AppData\Local\Temp\272906782.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\sysmablsvr.exe
        
        C:\Windows\sysmablsvr.exe
        5⤵
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Suspicious behavior: SetClipboardViewer
        Suspicious use of WriteProcessMemory
        
        PID:376
      - C:\Users\Admin\AppData\Local\Temp\1454012120.exe
        
        C:\Users\Admin\AppData\Local\Temp\1454012120.exe
        6⤵
        Executes dropped EXE
        
        PID:324
      - C:\Users\Admin\AppData\Local\Temp\1027132879.exe
        
        C:\Users\Admin\AppData\Local\Temp\1027132879.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\2870526128.exe
        
        C:\Users\Admin\AppData\Local\Temp\2870526128.exe
        7⤵
        Executes dropped EXE
        
        PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\41934108.exe

Filesize
86KB

MD5
fe1e93f12cca3f7c0c897ef2084e1778

SHA1
fb588491ddad8b24ea555a6a2727e76cec1fade3

SHA256
2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

SHA512
36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\1027132879.exe

Filesize
10KB

MD5
6567b839ec69322ba1aa41b15fbd1e64

SHA1
0a2a0770afe094765a5eb88f6201847bf642bea9

SHA256
8a4b87ed94fc50767d0bc91291a8b8a436b941b273b29ab0d442ba1cc10b76fb

SHA512
2e4798244bf3891beea64ee0b0d106c6f47b7c7d6daf222af6192874dc0ef67491c82e93821c1ff9fbd25cf9ec50178e959adb466b210ff9754dd4e8387a30cf

Download Submit
\Users\Admin\AppData\Local\Temp\272906782.exe

Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
\Users\Admin\AppData\Local\Temp\2870526128.exe

Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\601bcdce53e91668510a0bfd0be470b06f2102cfe10a5fb0d6e3573b2cafcb82_NeikiAnalytics.exe

Filesize
121KB

MD5
100ce2ff0190ee64fa91383f3eb50fa1

SHA1
b9c1c6b36b7299d5c2ba08418bc0ba8a10cb4208

SHA256
6a687faa5afd7879ad74989ac928bd3514851da2f883868caa82bf7b7bf3aa0a

SHA512
cfbf3fd656edc007251c8136e44017365a0978e68003738b029d816a24fa55be2bb48eec21588cebd639486177c3bd82c2e4a05fe692c420a60159b4ebe943b2

Download Submit
memory/2864-96-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads