Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 29-06-2024 12:26
Static task: static1
Behavioral task: behavioral1
- Sample: ab5d5afea2926b81471be684fbd1010a896ae85b5aef52001fe5f340f98a1263_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: ab5d5afea2926b81471be684fbd1010a896ae85b5aef52001fe5f340f98a1263_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: ab5d5afea2926b81471be684fbd1010a896ae85b5aef52001fe5f340f98a1263_NeikiAnalytics.exe
- Size: 266KB
- MD5: d4e7ed34298e33e0254e4c9ffec34bf0
- SHA1: 664dee42a1951d81f61d5ea1446cdbcba677df70
- SHA256: ab5d5afea2926b81471be684fbd1010a896ae85b5aef52001fe5f340f98a1263
- SHA512: 88716f13d00040bc05a7e2393d0fb2b83b75d5346e692cc27394a31d03731156e14c9d8fa372098e557e8f700d5d6ec5a624dd1e8440156f96d8850bee9e3254
- SSDEEP: 3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/sq:WFzDqa86hV6uRRqX1evPlwAEq
Malware Config
Signatures
- Contains code to disable Windows Defender (5 IoCs)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  All five matches are the same 0x0000000000400000-0x0000000000430000 region of PID 2660 (RegAsm.exe, the SetThreadContext target below) in five separate memory dumps, i.e. the rule fired on the in-memory payload; no on-disk hit is listed.
  Processes (resource, yara_rule):
    behavioral1/memory/2660-34-0x0000000000400000-0x0000000000430000-memory.dmp  disable_win_def
    behavioral1/memory/2660-36-0x0000000000400000-0x0000000000430000-memory.dmp  disable_win_def
    behavioral1/memory/2660-31-0x0000000000400000-0x0000000000430000-memory.dmp  disable_win_def
    behavioral1/memory/2660-29-0x0000000000400000-0x0000000000430000-memory.dmp  disable_win_def
    behavioral1/memory/2660-35-0x0000000000400000-0x0000000000430000-memory.dmp  disable_win_def
- Executes dropped EXE (1 IoC)
  Processes (pid, process): 2576  HiPatchService.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process): 2240  ab5d5afea2926b81471be684fbd1010a896ae85b5aef52001fe5f340f98a1263_NeikiAnalytics.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)
    \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\HiPatch = "C:\\Users\\Admin\\AppData\\Roaming\\HiPatch\\HiPatchService.exe"
    ab5d5afea2926b81471be684fbd1010a896ae85b5aef52001fe5f340f98a1263_NeikiAnalytics.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target pid, target process):
    set thread context of  2576  HiPatchService.exe  2660  RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid, process): 2660  RegAsm.exe, 10 occurrences
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (description, pid, process, target pid, target process), collapsed by source/target pair:
    PID 2240 (ab5d5afea2926b81471be684fbd1010a896ae85b5aef52001fe5f340f98a1263_NeikiAnalytics.exe) wrote to memory of PID 2576 (HiPatchService.exe): 7 events
    PID 2240 (ab5d5afea2926b81471be684fbd1010a896ae85b5aef52001fe5f340f98a1263_NeikiAnalytics.exe) wrote to memory of PID 2968 (cmd.exe): 7 events
    PID 2576 (HiPatchService.exe) wrote to memory of PID 2660 (RegAsm.exe): 12 events
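The two behaviours above that matter most for detection, the Run-key persistence and the WriteProcessMemory/SetThreadContext chain into RegAsm.exe, are easy to codify. The following Python is an added example and not part of the sandbox report: it runs two checks over constructed event records whose field values (PIDs, paths, the Run key and its data) are taken from this report, plus two constructed benign controls. The record classes, the regexes and the HOLLOW_HOSTS list are the example's own assumptions, not something the report or the sandbox provides.

```python
"""Added example (not part of the sandbox report): codify the Run-key
persistence and the SetThreadContext-into-RegAsm.exe behaviours as checks
over constructed event records whose field values come from the report.

Assumptions not made by the report: RegValueSet / ThreadContextSet are
invented stand-ins for a sensor's registry-set and thread-context events,
and the regexes and HOLLOW_HOSTS below are the example's own choices.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# ...\CurrentVersion\Run and RunOnce, anchored on the tail so HKCU\, HKU\<SID>\ and
# native \REGISTRY\USER\<SID>\ spellings all match.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Autostart targets under the user's profile are writable without any privilege.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
# Signed .NET framework utilities commonly used as process-hollowing hosts (assumed list).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


@dataclass
class RegValueSet:
    pid: int
    image: str
    key: str     # full path of the value, e.g. \REGISTRY\USER\<SID>\...\Run\HiPatch
    value: str   # string data written


@dataclass
class ThreadContextSet:
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    target_cmdline: str


Event = Union[RegValueSet, ThreadContextSet]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _args_after_image(cmdline: str) -> str:
    """Return whatever follows the (quoted or bare) image path in a command line."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else ""


def check_run_key(ev: RegValueSet) -> Optional[str]:
    """Flag a Run/RunOnce value whose target lives under the user's AppData."""
    if not RUN_KEY_RE.search(ev.key):
        return None
    # Sandbox reports print the data with escaped backslashes and quotes; normalise.
    target = ev.value.strip().strip('"').replace("\\\\", "\\")
    if not USER_WRITABLE_RE.match(target):
        return None
    name = ev.key.rsplit("\\", 1)[-1]
    return f"persistence: PID {ev.pid} ({_basename(ev.image)}) set Run value '{name}' -> {target}"


def check_thread_context(ev: ThreadContextSet) -> Optional[str]:
    """Flag SetThreadContext into a .NET utility started with no arguments.
    RegAsm.exe always takes an assembly path, so an argument-less instance whose
    thread context is then rewritten is the hollowing pattern in this report."""
    if _basename(ev.target_image) not in HOLLOW_HOSTS:
        return None
    if _args_after_image(ev.target_cmdline):
        return None
    src_note = " (running from a user-writable path)" if USER_WRITABLE_RE.match(ev.source_image) else ""
    return (f"injection: PID {ev.source_pid} ({_basename(ev.source_image)}){src_note} set thread "
            f"context of PID {ev.target_pid} ({_basename(ev.target_image)}) launched without arguments")


def triage(events: List[Event]) -> List[str]:
    findings = []
    for ev in events:
        hit = check_run_key(ev) if isinstance(ev, RegValueSet) else check_thread_context(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed events: the first two mirror the report's IoCs; the last two are benign
# controls (a vendor installer registering its agent and invoking RegAsm.exe properly).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ab5d5afea2926b81471be684fbd1010a896ae85b5aef52001fe5f340f98a1263_NeikiAnalytics.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
HKCU_RUN = r"\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run"
VENDOR = r"C:\Program Files\Vendor\setup.exe"  # constructed control, not in the report

EVENTS: List[Event] = [
    RegValueSet(2240, SAMPLE, HKCU_RUN + r"\HiPatch", '"' + DROPPED.replace("\\", "\\\\") + '"'),
    ThreadContextSet(2576, DROPPED, 2660, REGASM, '"' + REGASM + '"'),
    RegValueSet(4100, VENDOR, HKCU_RUN + r"\VendorAgent", r'"C:\Program Files\Vendor\agent.exe"'),
    ThreadContextSet(4200, VENDOR, 4201, REGASM, '"' + REGASM + r'" "C:\Program Files\Vendor\lib.dll"'),
]

if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

Running the file prints one persistence finding and one injection finding; the two controls (an agent registered under Program Files, and RegAsm.exe invoked with an assembly argument) produce nothing, which is exactly the distinction the checks are meant to draw. The argument-less RegAsm.exe condition is the cheap discriminator here; on a real sensor you would also correlate the preceding WriteProcessMemory events from the same source PID, as the report's own 12-event run shows.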
Processes
- C:\Users\Admin\AppData\Local\Temp\ab5d5afea2926b81471be684fbd1010a896ae85b5aef52001fe5f340f98a1263_NeikiAnalytics.exe (PID 2240)
  command line: "C:\Users\Admin\AppData\Local\Temp\ab5d5afea2926b81471be684fbd1010a896ae85b5aef52001fe5f340f98a1263_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe (PID 2576)
    command line: "C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2660)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 2968)
    command line: cmd /c ""C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat""
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 1972)
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
Note that RegAsm.exe (PID 2660) is started from the 32-bit Framework directory with no assembly argument and then receives the WriteProcessMemory and SetThreadContext calls from HiPatchService.exe: the signed .NET utility serves as a hollowing host, which is why the disable_win_def YARA matches are in its memory. The Run value points at HiPatchService.exe under the user's roaming profile, so persistence needs no elevation. The contents of HiPatchService.bat, run through cmd.exe, are not shown in the report.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 213B
  MD5: 0955cb4b691d44b37f8b6fad48a33b8e
  SHA1: 9dae759ae014cc124ab6eed7c8035788c124ae4a
  SHA256: 9092dbb1ca1767d1966b7f79349dd95a802a68248251bf070c0f1d74d5681d71
  SHA512: 08b868a028c1e8d29ed643416850df16f58d44668f9193b46bd3934965e5617a0a4015fc52815c5456023dbde01023450d295b76d936a936f26b602e764b0235
- Filesize: 266KB
  MD5: 3165ab9eefe26d35d8f519b0ca2b27f7
  SHA1: be27cd6a8971d7162bece3590609ff06fa3bccd8
  SHA256: 88e8f3102763df1ccd57e257351a1c59d17f3413e3257834a2fae7dbe9476ba2
  SHA512: 0ac08053ca7c1e544fe49eb4bb1881bd493d446fd18e633280ab0abd4afc1a7543cf574ca4be89512e7ffb79f1abb0592a0181e92afea9401bc6245cddc2b48d
The 266KB artifact is the same size as the submitted sample but carries different hashes, so it is a distinct file; hunt on both hash sets, not only the submitted file's.