09ba4899b5b72361605b1faae89c6b209742135d1ca29ef7cf82dbd76bd10eb8

General

Target

09ba4899b5b72361605b1faae89c6b209742135d1ca29ef7cf82dbd76bd10eb8_NeikiAnalytics.exe
Size

28KB
MD5

9e7a1241a309aa2bff90fb9792220190
SHA1

6e7ac6019fba1a615f6339408008308074751afa
SHA256

09ba4899b5b72361605b1faae89c6b209742135d1ca29ef7cf82dbd76bd10eb8
SHA512

4058f7d6a18bb23f6e2950f65475c6f0a540c24bdbb8acf25b9215ae9c3a3fc68e129570fd2b7177e3ff291e7637ba1de7afba19feba8407ad5769dc1f6ff620
SSDEEP

384:Xng4j8Gs/sRHSv9W705ZqSA7hyTM/0uOhXmaVmLlG4J:XnDj8GsmIlAFyTqUhWaUw4J

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2208	winupd.exe

Loads dropped DLL 2 IoCs

pid	Process
1928	09ba4899b5b72361605b1faae89c6b209742135d1ca29ef7cf82dbd76bd10eb8_NeikiAnalytics.exe
1928	09ba4899b5b72361605b1faae89c6b209742135d1ca29ef7cf82dbd76bd10eb8_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winupd.exe -notray"	reg.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2492	ipconfig.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2840	reg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1928	09ba4899b5b72361605b1faae89c6b209742135d1ca29ef7cf82dbd76bd10eb8_NeikiAnalytics.exe
2208	winupd.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2208	1928	09ba4899b5b72361605b1faae89c6b209742135d1ca29ef7cf82dbd76bd10eb8_NeikiAnalytics.exe	28
PID 1928 wrote to memory of 2208	1928	09ba4899b5b72361605b1faae89c6b209742135d1ca29ef7cf82dbd76bd10eb8_NeikiAnalytics.exe	28
PID 1928 wrote to memory of 2208	1928	09ba4899b5b72361605b1faae89c6b209742135d1ca29ef7cf82dbd76bd10eb8_NeikiAnalytics.exe	28
PID 1928 wrote to memory of 2208	1928	09ba4899b5b72361605b1faae89c6b209742135d1ca29ef7cf82dbd76bd10eb8_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2492	2208	winupd.exe	29
PID 2208 wrote to memory of 2492	2208	winupd.exe	29
PID 2208 wrote to memory of 2492	2208	winupd.exe	29
PID 2208 wrote to memory of 2492	2208	winupd.exe	29
PID 2208 wrote to memory of 2492	2208	winupd.exe	29
PID 2208 wrote to memory of 2492	2208	winupd.exe	29
PID 2492 wrote to memory of 2664	2492	ipconfig.exe	31
PID 2492 wrote to memory of 2664	2492	ipconfig.exe	31
PID 2492 wrote to memory of 2664	2492	ipconfig.exe	31
PID 2492 wrote to memory of 2664	2492	ipconfig.exe	31
PID 2664 wrote to memory of 2840	2664	cmd.exe	33
PID 2664 wrote to memory of 2840	2664	cmd.exe	33
PID 2664 wrote to memory of 2840	2664	cmd.exe	33
PID 2664 wrote to memory of 2840	2664	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\09ba4899b5b72361605b1faae89c6b209742135d1ca29ef7cf82dbd76bd10eb8_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\09ba4899b5b72361605b1faae89c6b209742135d1ca29ef7cf82dbd76bd10eb8_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe"
    3⤵
    - Gathers network information
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\NFVEMBAB.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NFVEMBAB.bat

Filesize
151B

MD5
cac890d00365d07b9ca89def17cc3a36

SHA1
6fa99679ede791c16b5d3e6d243a98e8bbdb7eab

SHA256
4f98ddee89760080a5c8a93666d2f5c97be52b741265ef4d1ce9aaebf05f12da

SHA512
124dc0b18e13425bde43bcbbe2a99005928e398bffcb458d498aac9e754bc5b92b703270667800876c60b0801343f2de8c6b9a1eebafd80bb4f6d5dc295dd9f1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

Filesize
28KB

MD5
985c076c8f8c1e7ef4f2eed65e4f8110

SHA1
a958879b9e07c7565ee7843bc6c22624151657d9

SHA256
7688d765620074f803d75a084699a054ff40b475a824b5618175c465a21d7225

SHA512
5cf008de7169a75c6f9e45c460b95bc27bbca66d4b0eedd314888e989ce274e420d894a821075b18fbf40300a23e551ee893035dc50bc0fabeffc381edb207f1

Download Submit
memory/2492-14-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads