6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d

Analysis

max time kernel
125s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
Size

989KB
MD5

991ca34ddd5dd8615fe906a88d80fb30
SHA1

9c870be932ba1396d3e33df1e6e455a20ddd99b2
SHA256

6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d
SHA512

433f506691da6f04928351287c8cd5bcf658f14513779c949ec66e500b8a68f340e01feb82beefcdb21a30496eaef19d3f8fd94e217cac0bbadc3f1411cc72f4
SSDEEP

12288:iDDjV0vdloI9mDZ1vDFki1WT08fcUkuoRm/SIo6I6JT/sRfpdC6M:KjWvsIMZ1hkSuoYaY/sRfXC6M

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

xfiles.exe

pid process

2124 xfiles.exe

pid	process
2124	xfiles.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xfiless = "C:\\Users\\Admin\\AppData\\Roaming\\xfiles.exe"	reg.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1544 PING.EXE
684 PING.EXE
1016 PING.EXE

pid	process
1544	PING.EXE
684	PING.EXE
1016	PING.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exexfiles.exe

pid	process
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
2124	xfiles.exe
2124	xfiles.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exexfiles.exe

description pid process

Token: SeDebugPrivilege 4336 6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
Token: SeDebugPrivilege 2124 xfiles.exe

description	pid	process
Token: SeDebugPrivilege	4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
Token: SeDebugPrivilege	2124	xfiles.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.execmd.execmd.exexfiles.exe

description	pid	process	target process
PID 4336 wrote to memory of 616	4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe	cmd.exe
PID 4336 wrote to memory of 616	4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe	cmd.exe
PID 4336 wrote to memory of 616	4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe	cmd.exe
PID 616 wrote to memory of 1544	616	cmd.exe	PING.EXE
PID 616 wrote to memory of 1544	616	cmd.exe	PING.EXE
PID 616 wrote to memory of 1544	616	cmd.exe	PING.EXE
PID 4336 wrote to memory of 4964	4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe	cmd.exe
PID 4336 wrote to memory of 4964	4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe	cmd.exe
PID 4336 wrote to memory of 4964	4336	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe	cmd.exe
PID 4964 wrote to memory of 684	4964	cmd.exe	PING.EXE
PID 4964 wrote to memory of 684	4964	cmd.exe	PING.EXE
PID 4964 wrote to memory of 684	4964	cmd.exe	PING.EXE
PID 616 wrote to memory of 3204	616	cmd.exe	reg.exe
PID 616 wrote to memory of 3204	616	cmd.exe	reg.exe
PID 616 wrote to memory of 3204	616	cmd.exe	reg.exe
PID 4964 wrote to memory of 1016	4964	cmd.exe	PING.EXE
PID 4964 wrote to memory of 1016	4964	cmd.exe	PING.EXE
PID 4964 wrote to memory of 1016	4964	cmd.exe	PING.EXE
PID 4964 wrote to memory of 2124	4964	cmd.exe	xfiles.exe
PID 4964 wrote to memory of 2124	4964	cmd.exe	xfiles.exe
PID 4964 wrote to memory of 2124	4964	cmd.exe	xfiles.exe
PID 2124 wrote to memory of 5112	2124	xfiles.exe	InstallUtil.exe
PID 2124 wrote to memory of 5112	2124	xfiles.exe	InstallUtil.exe
PID 2124 wrote to memory of 5112	2124	xfiles.exe	InstallUtil.exe
PID 2124 wrote to memory of 5112	2124	xfiles.exe	InstallUtil.exe
PID 2124 wrote to memory of 5112	2124	xfiles.exe	InstallUtil.exe
PID 2124 wrote to memory of 5112	2124	xfiles.exe	InstallUtil.exe
PID 2124 wrote to memory of 5112	2124	xfiles.exe	InstallUtil.exe
PID 2124 wrote to memory of 5112	2124	xfiles.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 29 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xfiless" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\xfiles.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 29
3⤵
- Runs ping.exe
PID:1544

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xfiless" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\xfiles.exe"
3⤵
- Adds Run key to start application
PID:3204

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\Admin\AppData\Local\Temp\6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe" "C:\Users\Admin\AppData\Roaming\xfiles.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\Admin\AppData\Roaming\xfiles.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 39
3⤵
- Runs ping.exe
PID:684

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 39
3⤵
- Runs ping.exe
PID:1016

C:\Users\Admin\AppData\Roaming\xfiles.exe
"C:\Users\Admin\AppData\Roaming\xfiles.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:5112

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\xfiles.exe
Filesize
989KB

MD5
991ca34ddd5dd8615fe906a88d80fb30

SHA1
9c870be932ba1396d3e33df1e6e455a20ddd99b2

SHA256
6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d

SHA512
433f506691da6f04928351287c8cd5bcf658f14513779c949ec66e500b8a68f340e01feb82beefcdb21a30496eaef19d3f8fd94e217cac0bbadc3f1411cc72f4

Download Submit
memory/2124-23-0x0000000009E90000-0x0000000009E96000-memory.dmp

Filesize
24KB

Download
memory/2124-22-0x0000000007820000-0x000000000783A000-memory.dmp

Filesize
104KB

Download
memory/2124-21-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/2124-20-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/2124-19-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/2124-18-0x0000000000420000-0x000000000051C000-memory.dmp

Filesize
1008KB

Download
memory/4336-4-0x00000000051C0000-0x0000000005252000-memory.dmp

Filesize
584KB

Download
memory/4336-8-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/4336-9-0x0000000074DBE000-0x0000000074DBF000-memory.dmp

Filesize
4KB

Download
memory/4336-10-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/4336-12-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/4336-7-0x00000000064C0000-0x00000000064CA000-memory.dmp

Filesize
40KB

Download
memory/4336-6-0x0000000006200000-0x0000000006244000-memory.dmp

Filesize
272KB

Download
memory/4336-5-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/4336-0-0x0000000074DBE000-0x0000000074DBF000-memory.dmp

Filesize
4KB

Download
memory/4336-3-0x00000000056D0000-0x0000000005C74000-memory.dmp

Filesize
5.6MB

Download
memory/4336-2-0x0000000005070000-0x000000000510C000-memory.dmp

Filesize
624KB

Download
memory/4336-1-0x0000000000F50000-0x000000000104C000-memory.dmp

Filesize
1008KB

Download