3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe
Size

11KB
MD5

b674fa93c907168da53fc129bd253cd0
SHA1

28057c6950dda94eaa4ef60c65c9286a83dec49f
SHA256

3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33
SHA512

f67051eb54e5cbb417fa02d1b491c405164756b41f9955560883ca01ac296c306b93ef213a55de4587246a399154ed7bc2a64d9017a21ee451da0f4305328043
SSDEEP

192:Zg6eHLE5KxkDpnqKjIdtaCRYvRtCk1rE1Ty68A3CuYYpZ7E:G6eHIAx0pqNgHvRtoyhASuYYpZ7E

Score

7^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2476	xplorer.exe

Loads dropped DLL 5 IoCs

pid	Process
2820	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe
2820	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe
2820	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe
2820	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe
2820	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\xplorer = "C:\\Windows\\xplorer\\xplorer.exe"	reg.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xplorer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\xplorer\xplorer.exe	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe
File opened for modification	C:\Windows\xplorer\xplorer.exe	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe
Token: SeDebugPrivilege	2476	xplorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2820	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe
2476	xplorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2600	2820	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe	28
PID 2820 wrote to memory of 2600	2820	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe	28
PID 2820 wrote to memory of 2600	2820	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe	28
PID 2820 wrote to memory of 2600	2820	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe	28
PID 2600 wrote to memory of 2624	2600	cmd.exe	30
PID 2600 wrote to memory of 2624	2600	cmd.exe	30
PID 2600 wrote to memory of 2624	2600	cmd.exe	30
PID 2600 wrote to memory of 2624	2600	cmd.exe	30
PID 2820 wrote to memory of 2476	2820	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe	31
PID 2820 wrote to memory of 2476	2820	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe	31
PID 2820 wrote to memory of 2476	2820	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe	31
PID 2820 wrote to memory of 2476	2820	3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3ebc28f73b2b9e567386f041d68aafd6ed1ed533c22e22d2102daa20e6ad8d33_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\XYALQ.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "xplorer" /t REG_SZ /d "C:\Windows\xplorer\xplorer.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2624
- C:\Windows\xplorer\xplorer.exe
  "C:\Windows\xplorer\xplorer.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XYALQ.bat

Filesize
124B

MD5
4e6e99d38b1264af2b53a68c7cd6d648

SHA1
55ffe17732d1d9c539d702a1311ef9674fe7b3cf

SHA256
168d9cdf4849fde3b4817db207e60934b6c877be439289f3fb3a4eb9e4326ff0

SHA512
bde21abed1bfc3dbdd6afc83614aa27c3f33dfbb434e139523ac57ecd84875b0e96a241f5828eda0b055f787ec7f95850b0f4ab0ee752ac36484b2bfd78a859d

Download Submit
\Windows\xplorer\xplorer.exe

Filesize
11KB

MD5
f584ef0f11c8a0f040168c258769d563

SHA1
673b4b0552e3dc5a41a3d043133606ee2bda845e

SHA256
1ca8cd1ece0fdd7bcaafdbad2b956f2832e8b5d7aabe2ac884465fd363620929

SHA512
3772aa2a4180692a495db865befe8a304b7d5d2f9e2bf4e90b1595a004eead255b10b7d8d1bc6389564a6e71c38b4bf46e5c7f6a768251c57c54539397c5e0cc

Download Submit
memory/2476-45-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2476-49-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2820-40-0x00000000025D0000-0x00000000025D9000-memory.dmp

Filesize
36KB

Download
memory/2820-44-0x00000000025E0000-0x00000000025E9000-memory.dmp

Filesize
36KB

Download
memory/2820-43-0x00000000025E0000-0x00000000025E9000-memory.dmp

Filesize
36KB

Download
memory/2820-41-0x00000000025D0000-0x00000000025D9000-memory.dmp

Filesize
36KB

Download
memory/2820-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2820-48-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2820-42-0x00000000025E0000-0x00000000025E9000-memory.dmp

Filesize
36KB

Download
memory/2820-52-0x00000000025D0000-0x00000000025D9000-memory.dmp

Filesize
36KB

Download
memory/2820-56-0x00000000025E0000-0x00000000025E9000-memory.dmp

Filesize
36KB

Download
memory/2820-55-0x00000000025E0000-0x00000000025E9000-memory.dmp

Filesize
36KB

Download
memory/2820-54-0x00000000025E0000-0x00000000025E9000-memory.dmp

Filesize
36KB

Download
memory/2820-53-0x00000000025D0000-0x00000000025D9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads