Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 07:32
Behavioral task: behavioral1
- Sample: 3fd3a75f444058929ae6292627c81640362dabe2df7d25a76c81946a226de220_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 3fd3a75f444058929ae6292627c81640362dabe2df7d25a76c81946a226de220_NeikiAnalytics.exe
- Resource: win10v2004-20240611-en
General
- Target: 3fd3a75f444058929ae6292627c81640362dabe2df7d25a76c81946a226de220_NeikiAnalytics.exe
- Size: 23KB
- MD5: a72661611c2c32ae2225c1618fb7c3d0
- SHA1: c717b184fff0a32a900e34d8ce442ba1ba4ff926
- SHA256: 3fd3a75f444058929ae6292627c81640362dabe2df7d25a76c81946a226de220
- SHA512: ebb3a192eea38c6169b7bc6eb23269303d31dc0323e492f118ce92b0bbd0832c7860ad5473d2a6560e73431e578ed37f5a1da4490053bce10a3d16cb42e77993
- SSDEEP: 384:kwTSiYWD2Z7w3CsJeiecwJ3fw6FgzeAh33RtmRvR6JZlbw8hqIusZzZFvA:rvZiBK1edJRpcnuqI
Malware Config
Signatures
-
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes (pid / process):
  1252  netsh.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation  3fd3a75f444058929ae6292627c81640362dabe2df7d25a76c81946a226de220_NeikiAnalytics.exe
-
Executes dropped EXE (1 IoC)
Processes (pid / process):
  5032  server.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\93a9e7c038454dbd9f3d62e55ea7bceb = "\"C:\\Users\\Admin\\server.exe\" .."  server.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\93a9e7c038454dbd9f3d62e55ea7bceb = "\"C:\\Users\\Admin\\server.exe\" .."  server.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes (description / ioc / process):
  Key opened            \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
-
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege            5032  server.exe
  Token: 33                          5032  server.exe
  Token: SeIncBasePriorityPrivilege  5032  server.exe
  (the last two entries alternate, Token: 33 followed by Token: SeIncBasePriorityPrivilege, 17 times each, for 35 IoCs in total)
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description / pid / process / target process):
  PID 4796 wrote to memory of 5032  4796  3fd3a75f444058929ae6292627c81640362dabe2df7d25a76c81946a226de220_NeikiAnalytics.exe  server.exe
  PID 4796 wrote to memory of 5032  4796  3fd3a75f444058929ae6292627c81640362dabe2df7d25a76c81946a226de220_NeikiAnalytics.exe  server.exe
  PID 4796 wrote to memory of 5032  4796  3fd3a75f444058929ae6292627c81640362dabe2df7d25a76c81946a226de220_NeikiAnalytics.exe  server.exe
  PID 5032 wrote to memory of 1252  5032  server.exe  netsh.exe
  PID 5032 wrote to memory of 1252  5032  server.exe  netsh.exe
  PID 5032 wrote to memory of 1252  5032  server.exe  netsh.exe
Processes (tree)
- C:\Users\Admin\AppData\Local\Temp\3fd3a75f444058929ae6292627c81640362dabe2df7d25a76c81946a226de220_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3fd3a75f444058929ae6292627c81640362dabe2df7d25a76c81946a226de220_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\server.exe
    Command line: "C:\Users\Admin\server.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process: 1 (Windows Service: 1)
- Boot or Logon Autostart Execution: 1 (Registry Run Keys / Startup Folder: 1)
- Event Triggered Execution: 1 (Netsh Helper DLL: 1)
Privilege Escalation
- Create or Modify System Process: 1 (Windows Service: 1)
- Boot or Logon Autostart Execution: 1 (Registry Run Keys / Startup Folder: 1)
- Event Triggered Execution: 1 (Netsh Helper DLL: 1)
Downloads
- C:\Users\Admin\server.exe
  Filesize: 23KB
  MD5: a72661611c2c32ae2225c1618fb7c3d0
  SHA1: c717b184fff0a32a900e34d8ce442ba1ba4ff926
  SHA256: 3fd3a75f444058929ae6292627c81640362dabe2df7d25a76c81946a226de220
  SHA512: ebb3a192eea38c6169b7bc6eb23269303d31dc0323e492f118ce92b0bbd0832c7860ad5473d2a6560e73431e578ed37f5a1da4490053bce10a3d16cb42e77993
- memory/4796-0-0x0000000074C12000-0x0000000074C13000-memory.dmp
  Filesize: 4KB
- memory/4796-1-0x0000000074C10000-0x00000000751C1000-memory.dmp
  Filesize: 5.7MB
- memory/4796-2-0x0000000074C10000-0x00000000751C1000-memory.dmp
  Filesize: 5.7MB
- memory/4796-21-0x0000000074C10000-0x00000000751C1000-memory.dmp
  Filesize: 5.7MB
- memory/5032-23-0x0000000074C10000-0x00000000751C1000-memory.dmp
  Filesize: 5.7MB
- memory/5032-22-0x0000000074C10000-0x00000000751C1000-memory.dmp
  Filesize: 5.7MB
- memory/5032-24-0x0000000074C10000-0x00000000751C1000-memory.dmp
  Filesize: 5.7MB