9542963bcd0f9b3bbcf2743d2a184dc9e77391b432556de86f2634a3f5193f38

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9542963bcd0f9b3bbcf2743d2a184dc9e77391b432556de86f2634a3f5193f38_NeikiAnalytics.exe
Size

1.8MB
MD5

ea015a6fafc9090b189960ae61f52340
SHA1

0367d02ca36ef291e7db102bd7c74e382e6ee65c
SHA256

9542963bcd0f9b3bbcf2743d2a184dc9e77391b432556de86f2634a3f5193f38
SHA512

898bf174d14c259338cb38967498445bae4c395ebb4e17fb324bb97363de209656b88dcf51771bd24bbda920de616aede27cadb7048360e4af30726efb5f9a53
SSDEEP

49152:RNMqQ0kwonLVkZep9nWrPWwONrRoODiGgDWAg2CPaSAnYvJW3BTSXff6YNQVWIPz:RiqQ0kwonLVkZep9nWrPWwONrRoODiGw

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe = "C:\\Users\\Admin\\AppData\\Roaming\\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	9542963bcd0f9b3bbcf2743d2a184dc9e77391b432556de86f2634a3f5193f38_NeikiAnalytics.exe

Executes dropped EXE 3 IoCs

pid	Process
848	Firefox.exe
3348	Firefox.exe
548	Firefox.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3348-34-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/3348-36-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/3348-31-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/548-38-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/548-43-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/548-45-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/3348-50-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/548-51-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/3348-52-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/3348-54-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/3348-58-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/3348-74-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater 3 = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 848 set thread context of 3348	848	Firefox.exe	97
PID 848 set thread context of 548	848	Firefox.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2520	reg.exe
1976	reg.exe
1636	reg.exe
1584	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	3348	Firefox.exe
Token: SeCreateTokenPrivilege	3348	Firefox.exe
Token: SeAssignPrimaryTokenPrivilege	3348	Firefox.exe
Token: SeLockMemoryPrivilege	3348	Firefox.exe
Token: SeIncreaseQuotaPrivilege	3348	Firefox.exe
Token: SeMachineAccountPrivilege	3348	Firefox.exe
Token: SeTcbPrivilege	3348	Firefox.exe
Token: SeSecurityPrivilege	3348	Firefox.exe
Token: SeTakeOwnershipPrivilege	3348	Firefox.exe
Token: SeLoadDriverPrivilege	3348	Firefox.exe
Token: SeSystemProfilePrivilege	3348	Firefox.exe
Token: SeSystemtimePrivilege	3348	Firefox.exe
Token: SeProfSingleProcessPrivilege	3348	Firefox.exe
Token: SeIncBasePriorityPrivilege	3348	Firefox.exe
Token: SeCreatePagefilePrivilege	3348	Firefox.exe
Token: SeCreatePermanentPrivilege	3348	Firefox.exe
Token: SeBackupPrivilege	3348	Firefox.exe
Token: SeRestorePrivilege	3348	Firefox.exe
Token: SeShutdownPrivilege	3348	Firefox.exe
Token: SeDebugPrivilege	3348	Firefox.exe
Token: SeAuditPrivilege	3348	Firefox.exe
Token: SeSystemEnvironmentPrivilege	3348	Firefox.exe
Token: SeChangeNotifyPrivilege	3348	Firefox.exe
Token: SeRemoteShutdownPrivilege	3348	Firefox.exe
Token: SeUndockPrivilege	3348	Firefox.exe
Token: SeSyncAgentPrivilege	3348	Firefox.exe
Token: SeEnableDelegationPrivilege	3348	Firefox.exe
Token: SeManageVolumePrivilege	3348	Firefox.exe
Token: SeImpersonatePrivilege	3348	Firefox.exe
Token: SeCreateGlobalPrivilege	3348	Firefox.exe
Token: 31	3348	Firefox.exe
Token: 32	3348	Firefox.exe
Token: 33	3348	Firefox.exe
Token: 34	3348	Firefox.exe
Token: 35	3348	Firefox.exe
Token: SeDebugPrivilege	548	Firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3392	9542963bcd0f9b3bbcf2743d2a184dc9e77391b432556de86f2634a3f5193f38_NeikiAnalytics.exe
848	Firefox.exe
3348	Firefox.exe
3348	Firefox.exe
548	Firefox.exe
3348	Firefox.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 4384	3392	9542963bcd0f9b3bbcf2743d2a184dc9e77391b432556de86f2634a3f5193f38_NeikiAnalytics.exe	91
PID 3392 wrote to memory of 4384	3392	9542963bcd0f9b3bbcf2743d2a184dc9e77391b432556de86f2634a3f5193f38_NeikiAnalytics.exe	91
PID 3392 wrote to memory of 4384	3392	9542963bcd0f9b3bbcf2743d2a184dc9e77391b432556de86f2634a3f5193f38_NeikiAnalytics.exe	91
PID 4384 wrote to memory of 220	4384	cmd.exe	94
PID 4384 wrote to memory of 220	4384	cmd.exe	94
PID 4384 wrote to memory of 220	4384	cmd.exe	94
PID 3392 wrote to memory of 848	3392	9542963bcd0f9b3bbcf2743d2a184dc9e77391b432556de86f2634a3f5193f38_NeikiAnalytics.exe	95
PID 3392 wrote to memory of 848	3392	9542963bcd0f9b3bbcf2743d2a184dc9e77391b432556de86f2634a3f5193f38_NeikiAnalytics.exe	95
PID 3392 wrote to memory of 848	3392	9542963bcd0f9b3bbcf2743d2a184dc9e77391b432556de86f2634a3f5193f38_NeikiAnalytics.exe	95
PID 848 wrote to memory of 3348	848	Firefox.exe	97
PID 848 wrote to memory of 3348	848	Firefox.exe	97
PID 848 wrote to memory of 3348	848	Firefox.exe	97
PID 848 wrote to memory of 3348	848	Firefox.exe	97
PID 848 wrote to memory of 3348	848	Firefox.exe	97
PID 848 wrote to memory of 3348	848	Firefox.exe	97
PID 848 wrote to memory of 3348	848	Firefox.exe	97
PID 848 wrote to memory of 3348	848	Firefox.exe	97
PID 848 wrote to memory of 548	848	Firefox.exe	98
PID 848 wrote to memory of 548	848	Firefox.exe	98
PID 848 wrote to memory of 548	848	Firefox.exe	98
PID 848 wrote to memory of 548	848	Firefox.exe	98
PID 848 wrote to memory of 548	848	Firefox.exe	98
PID 848 wrote to memory of 548	848	Firefox.exe	98
PID 848 wrote to memory of 548	848	Firefox.exe	98
PID 848 wrote to memory of 548	848	Firefox.exe	98
PID 3348 wrote to memory of 2756	3348	Firefox.exe	99
PID 3348 wrote to memory of 2756	3348	Firefox.exe	99
PID 3348 wrote to memory of 2756	3348	Firefox.exe	99
PID 3348 wrote to memory of 4700	3348	Firefox.exe	100
PID 3348 wrote to memory of 4700	3348	Firefox.exe	100
PID 3348 wrote to memory of 4700	3348	Firefox.exe	100
PID 3348 wrote to memory of 3980	3348	Firefox.exe	101
PID 3348 wrote to memory of 3980	3348	Firefox.exe	101
PID 3348 wrote to memory of 3980	3348	Firefox.exe	101
PID 3348 wrote to memory of 4516	3348	Firefox.exe	102
PID 3348 wrote to memory of 4516	3348	Firefox.exe	102
PID 3348 wrote to memory of 4516	3348	Firefox.exe	102
PID 2756 wrote to memory of 1976	2756	cmd.exe	108
PID 2756 wrote to memory of 1976	2756	cmd.exe	108
PID 2756 wrote to memory of 1976	2756	cmd.exe	108
PID 3980 wrote to memory of 2520	3980	cmd.exe	109
PID 3980 wrote to memory of 2520	3980	cmd.exe	109
PID 3980 wrote to memory of 2520	3980	cmd.exe	109
PID 4700 wrote to memory of 1636	4700	cmd.exe	110
PID 4700 wrote to memory of 1636	4700	cmd.exe	110
PID 4700 wrote to memory of 1636	4700	cmd.exe	110
PID 4516 wrote to memory of 1584	4516	cmd.exe	111
PID 4516 wrote to memory of 1584	4516	cmd.exe	111
PID 4516 wrote to memory of 1584	4516	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\9542963bcd0f9b3bbcf2743d2a184dc9e77391b432556de86f2634a3f5193f38_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9542963bcd0f9b3bbcf2743d2a184dc9e77391b432556de86f2634a3f5193f38_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuyKZ.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java Updater 3" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe" /f
    3⤵
    - Adds Run key to start application
    PID:220
- C:\Users\Admin\AppData\Roaming\Firefox.exe
  "C:\Users\Admin\AppData\Roaming\Firefox.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Users\Admin\AppData\Roaming\Firefox.exe
    C:\Users\Admin\AppData\Roaming\Firefox.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1976
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4700
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2520
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4516
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1584
- - C:\Users\Admin\AppData\Roaming\Firefox.exe
    C:\Users\Admin\AppData\Roaming\Firefox.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1040,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8
1⤵
PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BuyKZ.txt

Filesize
143B

MD5
962bc493b87f298696ad6e3eed7c7937

SHA1
985cc0c7e37e2465c4349abd528e120663ebd205

SHA256
c167e2faa5307ac291ff833b8a1f5f802eaa028d1aba8d1ad342ca84c07bdb01

SHA512
9dd2b755a404b74206b713ab17d2ddedacc48910e942dab71cf7e98d8d25322c24e32648f0881136e5425134aaccfbfd9bdc52ceb4519bd07e97c5564116f173

Download Submit
C:\Users\Admin\AppData\Roaming\Firefox.txt

Filesize
1.8MB

MD5
a5a3d418986a55cdef28928a12392514

SHA1
a5b4c43a065485de4c9bde70eb9ef289685f55ac

SHA256
e904466dd70a45b7ca29c5aa10b8b4bd1216dfce4a6ea632edc7b2144147e5d5

SHA512
2c38c5f48630aa8e335b2e71dcf0d163bf1a391643251e51d3bc67d38f60dbcbcf7cfd85ee51da2c35e7ea56b99c44f4e4129b8cd830deb5f09680a969731f20

Download Submit
memory/548-38-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/548-51-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/548-45-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/548-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3348-34-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3348-31-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3348-36-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3348-50-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3348-52-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3348-54-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3348-58-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3348-74-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3392-0-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads