36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/06/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe
Size

7.0MB
MD5

c7524729bc45db3875e9addf87c93a30
SHA1

ba508117ed4ad7cbc3db8152f5635237fae7b2c8
SHA256

36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46
SHA512

7d82046affc0494b8269aa8451d7a40c2c4ea53a4f980dd5e15e9e3387f726b70d2d0026c228cfcbbadeb447defbbf7e2a1ec89093ca8781fe1b4b4470dfb7a3
SSDEEP

98304:bqqZV8yrJISGsMuocD7JAkOaxENWxAmW+vyNCceRybc4q7jmevJzcJEtBN5gd:2oVRXocD9eaG4xAh+iCNi5KRYA

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe
856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2652	WMIC.exe
Token: SeSecurityPrivilege	2652	WMIC.exe
Token: SeTakeOwnershipPrivilege	2652	WMIC.exe
Token: SeLoadDriverPrivilege	2652	WMIC.exe
Token: SeSystemProfilePrivilege	2652	WMIC.exe
Token: SeSystemtimePrivilege	2652	WMIC.exe
Token: SeProfSingleProcessPrivilege	2652	WMIC.exe
Token: SeIncBasePriorityPrivilege	2652	WMIC.exe
Token: SeCreatePagefilePrivilege	2652	WMIC.exe
Token: SeBackupPrivilege	2652	WMIC.exe
Token: SeRestorePrivilege	2652	WMIC.exe
Token: SeShutdownPrivilege	2652	WMIC.exe
Token: SeDebugPrivilege	2652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2652	WMIC.exe
Token: SeRemoteShutdownPrivilege	2652	WMIC.exe
Token: SeUndockPrivilege	2652	WMIC.exe
Token: SeManageVolumePrivilege	2652	WMIC.exe
Token: 33	2652	WMIC.exe
Token: 34	2652	WMIC.exe
Token: 35	2652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2652	WMIC.exe
Token: SeSecurityPrivilege	2652	WMIC.exe
Token: SeTakeOwnershipPrivilege	2652	WMIC.exe
Token: SeLoadDriverPrivilege	2652	WMIC.exe
Token: SeSystemProfilePrivilege	2652	WMIC.exe
Token: SeSystemtimePrivilege	2652	WMIC.exe
Token: SeProfSingleProcessPrivilege	2652	WMIC.exe
Token: SeIncBasePriorityPrivilege	2652	WMIC.exe
Token: SeCreatePagefilePrivilege	2652	WMIC.exe
Token: SeBackupPrivilege	2652	WMIC.exe
Token: SeRestorePrivilege	2652	WMIC.exe
Token: SeShutdownPrivilege	2652	WMIC.exe
Token: SeDebugPrivilege	2652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2652	WMIC.exe
Token: SeRemoteShutdownPrivilege	2652	WMIC.exe
Token: SeUndockPrivilege	2652	WMIC.exe
Token: SeManageVolumePrivilege	2652	WMIC.exe
Token: 33	2652	WMIC.exe
Token: 34	2652	WMIC.exe
Token: 35	2652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2740	WMIC.exe
Token: SeSecurityPrivilege	2740	WMIC.exe
Token: SeTakeOwnershipPrivilege	2740	WMIC.exe
Token: SeLoadDriverPrivilege	2740	WMIC.exe
Token: SeSystemProfilePrivilege	2740	WMIC.exe
Token: SeSystemtimePrivilege	2740	WMIC.exe
Token: SeProfSingleProcessPrivilege	2740	WMIC.exe
Token: SeIncBasePriorityPrivilege	2740	WMIC.exe
Token: SeCreatePagefilePrivilege	2740	WMIC.exe
Token: SeBackupPrivilege	2740	WMIC.exe
Token: SeRestorePrivilege	2740	WMIC.exe
Token: SeShutdownPrivilege	2740	WMIC.exe
Token: SeDebugPrivilege	2740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2740	WMIC.exe
Token: SeRemoteShutdownPrivilege	2740	WMIC.exe
Token: SeUndockPrivilege	2740	WMIC.exe
Token: SeManageVolumePrivilege	2740	WMIC.exe
Token: 33	2740	WMIC.exe
Token: 34	2740	WMIC.exe
Token: 35	2740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2740	WMIC.exe
Token: SeSecurityPrivilege	2740	WMIC.exe
Token: SeTakeOwnershipPrivilege	2740	WMIC.exe
Token: SeLoadDriverPrivilege	2740	WMIC.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 2680	856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	30
PID 856 wrote to memory of 2680	856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	30
PID 856 wrote to memory of 2680	856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	30
PID 2680 wrote to memory of 2652	2680	cmd.exe	31
PID 2680 wrote to memory of 2652	2680	cmd.exe	31
PID 2680 wrote to memory of 2652	2680	cmd.exe	31
PID 856 wrote to memory of 2732	856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	32
PID 856 wrote to memory of 2732	856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	32
PID 856 wrote to memory of 2732	856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	32
PID 2732 wrote to memory of 2740	2732	cmd.exe	33
PID 2732 wrote to memory of 2740	2732	cmd.exe	33
PID 2732 wrote to memory of 2740	2732	cmd.exe	33
PID 856 wrote to memory of 2728	856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	34
PID 856 wrote to memory of 2728	856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	34
PID 856 wrote to memory of 2728	856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	34
PID 2728 wrote to memory of 2616	2728	cmd.exe	35
PID 2728 wrote to memory of 2616	2728	cmd.exe	35
PID 2728 wrote to memory of 2616	2728	cmd.exe	35
PID 856 wrote to memory of 2480	856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	36
PID 856 wrote to memory of 2480	856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	36
PID 856 wrote to memory of 2480	856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	36
PID 2480 wrote to memory of 2200	2480	cmd.exe	37
PID 2480 wrote to memory of 2200	2480	cmd.exe	37
PID 2480 wrote to memory of 2200	2480	cmd.exe	37
PID 856 wrote to memory of 2504	856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	38
PID 856 wrote to memory of 2504	856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	38
PID 856 wrote to memory of 2504	856	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	38
PID 2504 wrote to memory of 2512	2504	cmd.exe	39
PID 2504 wrote to memory of 2512	2504	cmd.exe	39
PID 2504 wrote to memory of 2512	2504	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic bios get serialnumber /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get serialnumber
    3⤵
    PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-0-0x000000014002E000-0x0000000140474000-memory.dmp

Filesize
4.3MB

Download
memory/856-11-0x000000013FF90000-0x0000000140B71000-memory.dmp

Filesize
11.9MB

Download
memory/856-10-0x00000000777C0000-0x00000000777C2000-memory.dmp

Filesize
8KB

Download
memory/856-8-0x00000000777C0000-0x00000000777C2000-memory.dmp

Filesize
8KB

Download
memory/856-6-0x00000000777C0000-0x00000000777C2000-memory.dmp

Filesize
8KB

Download
memory/856-5-0x00000000777B0000-0x00000000777B2000-memory.dmp

Filesize
8KB

Download
memory/856-3-0x00000000777B0000-0x00000000777B2000-memory.dmp

Filesize
8KB

Download
memory/856-1-0x00000000777B0000-0x00000000777B2000-memory.dmp

Filesize
8KB

Download
memory/856-15-0x000000013FF90000-0x0000000140B71000-memory.dmp

Filesize
11.9MB

Download
memory/856-17-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/856-16-0x000000013FF90000-0x0000000140B71000-memory.dmp

Filesize
11.9MB

Download
memory/856-18-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/856-19-0x000000014002E000-0x0000000140474000-memory.dmp

Filesize
4.3MB

Download
memory/856-20-0x000000013FF90000-0x0000000140B71000-memory.dmp

Filesize
11.9MB

Download