Analysis
-
max time kernel
149s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
27-06-2024 07:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
684e81e1d4d59bd45dd8f1078743ae2ac452618efd0ec4cfca448a3d1967fbac_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
684e81e1d4d59bd45dd8f1078743ae2ac452618efd0ec4cfca448a3d1967fbac_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
684e81e1d4d59bd45dd8f1078743ae2ac452618efd0ec4cfca448a3d1967fbac_NeikiAnalytics.exe
-
Size
73KB
-
MD5
83f7ca5b686c184e23ddc3958b51c200
-
SHA1
e17afcab61042a7a22ae822f6ea1916491a0bf0a
-
SHA256
684e81e1d4d59bd45dd8f1078743ae2ac452618efd0ec4cfca448a3d1967fbac
-
SHA512
33541bf670fa4d2ace1cb9784a2aa89f2285704ee08c7bfe9a46437ad2fd7e440250d4fbfa6ab9c6509cc55014721b27bc38437111cc4baa8d6a04ec8f09ca06
-
SSDEEP
1536:xbmCbyQvM4jA0oMYGy59Y7aSaT0BlOExfxIvkcyDR6ftBO7+Ri:YFQtjiM051j4BlOSfK1c8i
Score
10/10
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" emgeatet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" emgeatet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" emgeatet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" emgeatet.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47534147-4d48-4351-4753-41474D484351} emgeatet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47534147-4d48-4351-4753-41474D484351}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" emgeatet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47534147-4d48-4351-4753-41474D484351}\IsInstalled = "1" emgeatet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47534147-4d48-4351-4753-41474D484351}\StubPath = "C:\\Windows\\system32\\oucxoxaf-agur.exe" emgeatet.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe emgeatet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" emgeatet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\imbeapeam-oumid.exe" emgeatet.exe -
Executes dropped EXE 2 IoCs
pid Process 1148 emgeatet.exe 4020 emgeatet.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" emgeatet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" emgeatet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" emgeatet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" emgeatet.exe -
Modifies WinLogon 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" emgeatet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\itfobig.dll" emgeatet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" emgeatet.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} emgeatet.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify emgeatet.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\oucxoxaf-agur.exe emgeatet.exe File created C:\Windows\SysWOW64\oucxoxaf-agur.exe emgeatet.exe File opened for modification C:\Windows\SysWOW64\emgeatet.exe emgeatet.exe File opened for modification C:\Windows\SysWOW64\emgeatet.exe 684e81e1d4d59bd45dd8f1078743ae2ac452618efd0ec4cfca448a3d1967fbac_NeikiAnalytics.exe File created C:\Windows\SysWOW64\emgeatet.exe 684e81e1d4d59bd45dd8f1078743ae2ac452618efd0ec4cfca448a3d1967fbac_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\imbeapeam-oumid.exe emgeatet.exe File created C:\Windows\SysWOW64\imbeapeam-oumid.exe emgeatet.exe File opened for modification C:\Windows\SysWOW64\itfobig.dll emgeatet.exe File created C:\Windows\SysWOW64\itfobig.dll emgeatet.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 4020 emgeatet.exe 4020 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe 1148 emgeatet.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1148 emgeatet.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3592 wrote to memory of 1148 3592 684e81e1d4d59bd45dd8f1078743ae2ac452618efd0ec4cfca448a3d1967fbac_NeikiAnalytics.exe 80 PID 3592 wrote to memory of 1148 3592 684e81e1d4d59bd45dd8f1078743ae2ac452618efd0ec4cfca448a3d1967fbac_NeikiAnalytics.exe 80 PID 3592 wrote to memory of 1148 3592 684e81e1d4d59bd45dd8f1078743ae2ac452618efd0ec4cfca448a3d1967fbac_NeikiAnalytics.exe 80 PID 1148 wrote to memory of 4020 1148 emgeatet.exe 81 PID 1148 wrote to memory of 4020 1148 emgeatet.exe 81 PID 1148 wrote to memory of 4020 1148 emgeatet.exe 81 PID 1148 wrote to memory of 632 1148 emgeatet.exe 5 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56 PID 1148 wrote to memory of 3444 1148 emgeatet.exe 56
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:632
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\684e81e1d4d59bd45dd8f1078743ae2ac452618efd0ec4cfca448a3d1967fbac_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\684e81e1d4d59bd45dd8f1078743ae2ac452618efd0ec4cfca448a3d1967fbac_NeikiAnalytics.exe"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\emgeatet.exe"C:\Windows\SysWOW64\emgeatet.exe"3⤵
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\emgeatet.exe--k33p4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4020
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
71KB
MD5bc89a4de10baf23c4fdca69def7735bf
SHA18e50ef5fa8023f38c12b4abf1f251a763bf0aeb6
SHA256bc60918fd92dc8a869f696023b1cea1867bec6dca4d8dabb69e2bfcf3ff0131f
SHA512b58a28de777c03160474e686a73a11e2ec6c645c2bf6ac6ec33f47e28704d64d60d32c2f11cc4c8f5b723e32269a10e0544bab9d2874e6fcbb456bd408f54f6f
-
Filesize
74KB
MD510813c741ac6325cf99eb0d311fa9307
SHA1be1292121d80d9ff66dfd770f00ee2d8c0a8db1b
SHA25605ed8c2266ce07a3a34e8ddd432484691b3997e414cbd0c91392ab9ccc3e2a9a
SHA51293986eca68428e4af42e8b78bf4fd63e7665d7713d98dee34d5f47bfde5a00918a30735cf5dffa8775f68a1440abd97d02bd29ba6168deff876284e0c58f87a4
-
Filesize
5KB
MD5f37b21c00fd81bd93c89ce741a88f183
SHA1b2796500597c68e2f5638e1101b46eaf32676c1c
SHA25676cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
-
Filesize
73KB
MD5860a62bbae47a3fd91460d1a45e1beab
SHA1139717a70a561d4c35a046331f7afc8e4b18547f
SHA256220f4d971144221adfc3799bcdfca89da434bea3ee1d47d31c7c1da77e8f0754
SHA5129df53194c781998e13a534ab2eed76fefa9da9ef8bf77a86ea1c258195bfcbfac457a6fbddd1cddbcdf6446734d603192b78495ec2ef4945458ecb7ec325b0cb