Analysis
max time kernel: 149s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-06-2024 18:54
Behavioral task: behavioral1
Sample: 1277b10f80a1e61fe1f20bb24adc43e69f621ce73cf4e88ec8419f32dd261123_NeikiAnalytics.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 1277b10f80a1e61fe1f20bb24adc43e69f621ce73cf4e88ec8419f32dd261123_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 1277b10f80a1e61fe1f20bb24adc43e69f621ce73cf4e88ec8419f32dd261123_NeikiAnalytics.exe
Size: 23KB
MD5: 7bb78cc20bfe85ed1d48d92440ed3860
SHA1: b82a13b4d2ea6de6a0c152f2c16ca33e11383c91
SHA256: 1277b10f80a1e61fe1f20bb24adc43e69f621ce73cf4e88ec8419f32dd261123
SHA512: a4f6c84a8b5b0c3a21863f9584b43d1ced6275e6097626efbfeb09b88ef6c4a98238cba9190258728add6a543ce02f4de2604b37aec0a2c3e14f6bbd87cbde6d
SSDEEP: 384:N8aLWS0dABLYVq6RxP8MDFF09vK563gRMmJKUv0mRvR6JZlbw8hqIusZzZbZ:uXcwt3tRpcnue
Malware Config
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes: netsh.exe (PID 220)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: 1277b10f80a1e61fe1f20bb24adc43e69f621ce73cf4e88ec8419f32dd261123_NeikiAnalytics.exe
Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
Processes: server.exe (PID 3100)

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: server.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bc4633c7cad50e9fd5e79a99a4157416 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bc4633c7cad50e9fd5e79a99a4157416 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Process: netsh.exe
Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh

Suspicious use of AdjustPrivilegeToken (35 IoCs)
Process: server.exe (PID 3100)
Token: SeDebugPrivilege
Token: 33 and Token: SeIncBasePriorityPrivilege, repeated in alternation (34 entries)

Suspicious use of WriteProcessMemory (6 IoCs)
PID 2584 (1277b10f80a1e61fe1f20bb24adc43e69f621ce73cf4e88ec8419f32dd261123_NeikiAnalytics.exe) wrote to memory of PID 3100 (server.exe), 3 entries
PID 3100 (server.exe) wrote to memory of PID 220 (netsh.exe), 3 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\1277b10f80a1e61fe1f20bb24adc43e69f621ce73cf4e88ec8419f32dd261123_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1277b10f80a1e61fe1f20bb24adc43e69f621ce73cf4e88ec8419f32dd261123_NeikiAnalytics.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
         - Event Triggered Execution: Netsh Helper DLL
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence:
  Create or Modify System Process: Windows Service (1)
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Event Triggered Execution: Netsh Helper DLL (1)
Privilege Escalation:
  Create or Modify System Process: Windows Service (1)
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Event Triggered Execution: Netsh Helper DLL (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe (same hashes as the submitted sample)
Filesize: 23KB
MD5: 7bb78cc20bfe85ed1d48d92440ed3860
SHA1: b82a13b4d2ea6de6a0c152f2c16ca33e11383c91
SHA256: 1277b10f80a1e61fe1f20bb24adc43e69f621ce73cf4e88ec8419f32dd261123
SHA512: a4f6c84a8b5b0c3a21863f9584b43d1ced6275e6097626efbfeb09b88ef6c4a98238cba9190258728add6a543ce02f4de2604b37aec0a2c3e14f6bbd87cbde6d

Memory dumps:
memory/2584-0-0x0000000074C02000-0x0000000074C03000-memory.dmp (Filesize: 4KB)
memory/2584-1-0x0000000074C00000-0x00000000751B1000-memory.dmp (Filesize: 5.7MB)
memory/2584-2-0x0000000074C00000-0x00000000751B1000-memory.dmp (Filesize: 5.7MB)
memory/2584-12-0x0000000074C00000-0x00000000751B1000-memory.dmp (Filesize: 5.7MB)
memory/3100-13-0x0000000074C00000-0x00000000751B1000-memory.dmp (Filesize: 5.7MB)
memory/3100-14-0x0000000074C00000-0x00000000751B1000-memory.dmp (Filesize: 5.7MB)
memory/3100-15-0x0000000074C00000-0x00000000751B1000-memory.dmp (Filesize: 5.7MB)