Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 16:43

General

  • Target

    930813b309e9d70f22987bf32f5ef750_NeikiAnalytics.exe

  • Size

    57KB

  • MD5

    930813b309e9d70f22987bf32f5ef750

  • SHA1

    d020f0e740cd185150eb0ac615326a32198fa611

  • SHA256

    44619967b76a37ac3bd45929c33e8895bbb6061d368bf58708b1da4860718af8

  • SHA512

    9d62d4ebca7b98cc6184f4894fd25d10308f730c73c973d9a3c42532235fcfb441a81510b59c81332a4f66cc32a44735223dc354089d8cdfa3051b033a706c77

  • SSDEEP

    1536:MEiBwAw/cGYQi1y2QNAx1FcLD12Qs7yGVd7UihTNEQhrUnouy8f2Ou:OB9wUGYQN2XD6Ud1cQqoutfU

Score
8/10

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\930813b309e9d70f22987bf32f5ef750_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\930813b309e9d70f22987bf32f5ef750_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3709.tmp\37B6.tmp\37B7.bat C:\Users\Admin\AppData\Local\Temp\930813b309e9d70f22987bf32f5ef750_NeikiAnalytics.exe"
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4528
      • C:\Windows\system32\certutil.exe
        certutil -decode "ZSC_FILE_ENCODED.bin" "HydrogenXX.PC.Temp.zsc"
        3⤵
          PID:4916
        • C:\Windows\system32\attrib.exe
          attrib +r +s +h "HydrogenXX.PC.Temp.zsc"
          3⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1608
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2696
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:1652

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\3709.tmp\37B6.tmp\37B7.bat

        Filesize

        11KB

        MD5

        56eec90a8618693359580752c43e896f

        SHA1

        2d130f8a0ae5d1af2a9a1bd9cc2be39dc05e62f7

        SHA256

        b61a3c1fa83f79c6b0c36074b1f1f6fea58ec5c7ff1088e632e3e5739fdfdc62

        SHA512

        aa6c1af7495e6b212b5c25f4e613344f9e3e675d8b16d0857e1b52aa231c0741d284a8a65a563f40f2812d8c0f404693e73fa611b54ae5482ac3d0badffa0461

      • C:\Users\Admin\AppData\Local\Temp\HydrogenXX.PC.Temp.zsc

        Filesize

        7KB

        MD5

        7960b763ec38e30b1db14cf31e6af6e8

        SHA1

        8be70e5167cf387a227b511caa33a8887fdd0fed

        SHA256

        f69ca06f1339b5c2bb80eb24f9a2586d82128e1876af62b5f96fa10f0743094a

        SHA512

        48c3a6dc517710a65f09af7199eae4416dd6010d2e96da7a25bef517e5c18bce5df58afc9434c2906d5455287d0f78ae9d7f68feed57aa867fe46c88990cde05

      • C:\Users\Admin\AppData\Local\Temp\ZSC_FILE_ENCODED.bin

        Filesize

        9KB

        MD5

        0cd468c579582fa3cbe0586d3281af30

        SHA1

        39fb6ea059f15842b0b5abc8c769c29f38ef7804

        SHA256

        083080d03c2f5c3b698b88bfc1768219115bd989b7a3b11547c3805b5dfbbbb5

        SHA512

        d3bb1dec90df0274756bd09638a15e72d035fb99924ab0b24dd765917f613984dfb7c74408283807f50a1e1408a997684699cc9e57f8ed4a08e0d9a780365666

      • memory/3020-0-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/3020-2-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/3020-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB