36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/06/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe
Size

7.0MB
MD5

c7524729bc45db3875e9addf87c93a30
SHA1

ba508117ed4ad7cbc3db8152f5635237fae7b2c8
SHA256

36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46
SHA512

7d82046affc0494b8269aa8451d7a40c2c4ea53a4f980dd5e15e9e3387f726b70d2d0026c228cfcbbadeb447defbbf7e2a1ec89093ca8781fe1b4b4470dfb7a3
SSDEEP

98304:bqqZV8yrJISGsMuocD7JAkOaxENWxAmW+vyNCceRybc4q7jmevJzcJEtBN5gd:2oVRXocD9eaG4xAh+iCNi5KRYA

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	api.ipify.org
15	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3660	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe
3660	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3660	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe
3660	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3960	WMIC.exe
Token: SeSecurityPrivilege	3960	WMIC.exe
Token: SeTakeOwnershipPrivilege	3960	WMIC.exe
Token: SeLoadDriverPrivilege	3960	WMIC.exe
Token: SeSystemProfilePrivilege	3960	WMIC.exe
Token: SeSystemtimePrivilege	3960	WMIC.exe
Token: SeProfSingleProcessPrivilege	3960	WMIC.exe
Token: SeIncBasePriorityPrivilege	3960	WMIC.exe
Token: SeCreatePagefilePrivilege	3960	WMIC.exe
Token: SeBackupPrivilege	3960	WMIC.exe
Token: SeRestorePrivilege	3960	WMIC.exe
Token: SeShutdownPrivilege	3960	WMIC.exe
Token: SeDebugPrivilege	3960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3960	WMIC.exe
Token: SeRemoteShutdownPrivilege	3960	WMIC.exe
Token: SeUndockPrivilege	3960	WMIC.exe
Token: SeManageVolumePrivilege	3960	WMIC.exe
Token: 33	3960	WMIC.exe
Token: 34	3960	WMIC.exe
Token: 35	3960	WMIC.exe
Token: 36	3960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3960	WMIC.exe
Token: SeSecurityPrivilege	3960	WMIC.exe
Token: SeTakeOwnershipPrivilege	3960	WMIC.exe
Token: SeLoadDriverPrivilege	3960	WMIC.exe
Token: SeSystemProfilePrivilege	3960	WMIC.exe
Token: SeSystemtimePrivilege	3960	WMIC.exe
Token: SeProfSingleProcessPrivilege	3960	WMIC.exe
Token: SeIncBasePriorityPrivilege	3960	WMIC.exe
Token: SeCreatePagefilePrivilege	3960	WMIC.exe
Token: SeBackupPrivilege	3960	WMIC.exe
Token: SeRestorePrivilege	3960	WMIC.exe
Token: SeShutdownPrivilege	3960	WMIC.exe
Token: SeDebugPrivilege	3960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3960	WMIC.exe
Token: SeRemoteShutdownPrivilege	3960	WMIC.exe
Token: SeUndockPrivilege	3960	WMIC.exe
Token: SeManageVolumePrivilege	3960	WMIC.exe
Token: 33	3960	WMIC.exe
Token: 34	3960	WMIC.exe
Token: 35	3960	WMIC.exe
Token: 36	3960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1368	WMIC.exe
Token: SeSecurityPrivilege	1368	WMIC.exe
Token: SeTakeOwnershipPrivilege	1368	WMIC.exe
Token: SeLoadDriverPrivilege	1368	WMIC.exe
Token: SeSystemProfilePrivilege	1368	WMIC.exe
Token: SeSystemtimePrivilege	1368	WMIC.exe
Token: SeProfSingleProcessPrivilege	1368	WMIC.exe
Token: SeIncBasePriorityPrivilege	1368	WMIC.exe
Token: SeCreatePagefilePrivilege	1368	WMIC.exe
Token: SeBackupPrivilege	1368	WMIC.exe
Token: SeRestorePrivilege	1368	WMIC.exe
Token: SeShutdownPrivilege	1368	WMIC.exe
Token: SeDebugPrivilege	1368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1368	WMIC.exe
Token: SeRemoteShutdownPrivilege	1368	WMIC.exe
Token: SeUndockPrivilege	1368	WMIC.exe
Token: SeManageVolumePrivilege	1368	WMIC.exe
Token: 33	1368	WMIC.exe
Token: 34	1368	WMIC.exe
Token: 35	1368	WMIC.exe
Token: 36	1368	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1368	WMIC.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 3824	3660	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	83
PID 3660 wrote to memory of 3824	3660	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	83
PID 3824 wrote to memory of 3960	3824	cmd.exe	84
PID 3824 wrote to memory of 3960	3824	cmd.exe	84
PID 3660 wrote to memory of 3936	3660	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	85
PID 3660 wrote to memory of 3936	3660	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	85
PID 3936 wrote to memory of 1368	3936	cmd.exe	86
PID 3936 wrote to memory of 1368	3936	cmd.exe	86
PID 3660 wrote to memory of 1672	3660	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	87
PID 3660 wrote to memory of 1672	3660	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	87
PID 1672 wrote to memory of 3200	1672	cmd.exe	88
PID 1672 wrote to memory of 3200	1672	cmd.exe	88
PID 3660 wrote to memory of 5012	3660	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	89
PID 3660 wrote to memory of 5012	3660	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	89
PID 5012 wrote to memory of 2636	5012	cmd.exe	90
PID 5012 wrote to memory of 2636	5012	cmd.exe	90
PID 3660 wrote to memory of 440	3660	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	91
PID 3660 wrote to memory of 440	3660	36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe	91
PID 440 wrote to memory of 2792	440	cmd.exe	92
PID 440 wrote to memory of 2792	440	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\36a4e0eee17e3d6b7abe09582fc8e832cfc05fce07614c39ced5f9869daf6e46_NeikiAnalytics.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic bios get serialnumber /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    PID:3200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get serialnumber
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3660-0-0x00007FF6AA6CE000-0x00007FF6AAB14000-memory.dmp

Filesize
4.3MB

Download
memory/3660-2-0x00007FFEB64A0000-0x00007FFEB64A2000-memory.dmp

Filesize
8KB

Download
memory/3660-7-0x00007FF6AA630000-0x00007FF6AB211000-memory.dmp

Filesize
11.9MB

Download
memory/3660-3-0x00007FF6AA630000-0x00007FF6AB211000-memory.dmp

Filesize
11.9MB

Download
memory/3660-1-0x00007FFEB6490000-0x00007FFEB6492000-memory.dmp

Filesize
8KB

Download
memory/3660-8-0x00007FF6AA630000-0x00007FF6AB211000-memory.dmp

Filesize
11.9MB

Download
memory/3660-9-0x00007FF6AA6CE000-0x00007FF6AAB14000-memory.dmp

Filesize
4.3MB

Download
memory/3660-10-0x00007FF6AA630000-0x00007FF6AB211000-memory.dmp

Filesize
11.9MB

Download