Overview

overview

7

Static

static

3

6e4f08a9ad...cs.exe

windows7-x64

7

6e4f08a9ad...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09-05-2024 15:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6e4f08a9ad3277c5c57f2de49f1cbef0_NeikiAnalytics.exe

  • Size

    88KB

  • MD5

    6e4f08a9ad3277c5c57f2de49f1cbef0

  • SHA1

    6b6601759d29e1d40b899716fddcb847f489ac0c

  • SHA256

    5c510cf0d5afeebbac2cc1648702593334a23275d85dc29701f99e43e6b6e1de

  • SHA512

    63ccea9ad7ba1c9c117bac3471863245b2df1cd0faf53ec35531d0a4a6b6683c01d2fbcf7e201347a121bfe11d1f99e395cbd1a193737d3510345898aa1da1be

  • SSDEEP

    1536:ahUDofByDJWbMGcEFLPEPKOJUsy1+VMA:aIofBHbKMP0PvMA

Score
7/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e4f08a9ad3277c5c57f2de49f1cbef0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6e4f08a9ad3277c5c57f2de49f1cbef0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Users\Admin\AppData\Local\Temp\6e4f08a9ad3277c5c57f2de49f1cbef0_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\6e4f08a9ad3277c5c57f2de49f1cbef0_NeikiAnalytics.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JDIXY.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:752
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config\explorer.exe" /f
          4⤵
          • Adds Run key to start application
          PID:1460
      • C:\Users\Admin\AppData\Roaming\config\explorer.exe
        "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1196
        • C:\Users\Admin\AppData\Roaming\config\explorer.exe
          "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:696
        • C:\Users\Admin\AppData\Roaming\config\explorer.exe
          "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2528
          • C:\Users\Admin\AppData\Roaming\config\explorer.exe
            "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
            5⤵
            • Executes dropped EXE
            • Modifies system certificate store
            PID:2740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    1724b86cf8d81c54b3db2b593684f913

    SHA1

    501fbbd3adbc49aa7316904079cafca4180e7b85

    SHA256

    a6586336849cd9b13895a3567feda0d0d3be041358edade55ab5b31eafe38410

    SHA512

    52c46a07dadfb76f04d7de933743aeb3639fe503ad7bd0e503833496c75d90fdadc149e65a6fe4250c518e61daaee8c052f02d36f15b543dcfce7c3a40dd6325

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\JDIXY.bat
    Filesize

    149B

    MD5

    fc1798b7c7938454220fda837a76f354

    SHA1

    b232912930b2bc24ff18bf7ecd58f872bbe01ea0

    SHA256

    7f0a5917b5aca9c5beb153aad0ef95bf0aeafb83768da5b086c3f029ba42d7c8

    SHA512

    d1abdd45a8e5d33893b9d19424174a07feed145d2e6b4be318ab5fde503f850579a4a101a010f30e16ecde2c7123f45357a8341214655321ee0f0097ca911331

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarAB44.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit

  • \Users\Admin\AppData\Roaming\config\explorer.exe
    Filesize

    88KB

    MD5

    2c503e712c0fb5ca78a0ea81c583fadf

    SHA1

    25d7ac2aa450a3ec84e80c4990ae0af22ff814c4

    SHA256

    446795f95607a424ed79b872d4d07142d428b463aa15bb1f13a0627f7df4f3a1

    SHA512

    a0e1ae8f841449fd8d33ec1c4bb0c512f8d2ac6b7f2f8dc786ee75f4301812dd4445ef0b05f75960a9567bdfdd9734f76df8048787660e3a0bbd5d6791cdcf5e

    Download Submit

  • memory/696-479-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/696-309-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1584-313-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1584-130-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1584-135-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1584-139-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1584-133-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1584-131-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1584-136-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1584-137-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1664-2-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1664-83-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1664-86-0x0000000000480000-0x0000000000481000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1664-85-0x0000000000430000-0x0000000000431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1664-84-0x0000000000420000-0x0000000000421000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1664-82-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2528-310-0x0000000000400000-0x0000000000403000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2528-325-0x0000000000400000-0x0000000000403000-memory.dmp

    Filesize

    12KB

    Download