Overview

overview

10

Static

static

3

85e3c66edc...cs.exe

windows7-x64

10

85e3c66edc...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 16:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    85e3c66edc63b7c513d7f6c7eede6670_NeikiAnalytics.exe

  • Size

    44KB

  • MD5

    85e3c66edc63b7c513d7f6c7eede6670

  • SHA1

    c5e0bc65c8f03d7c3bca7eab73c7bd5c1e62c520

  • SHA256

    74253a048bc323d16b2264cd296dd934c94d7859b730b2fcfd04f6635403a1fd

  • SHA512

    5f9100552e7fb6dd8a69c75bca0ff712136f15cc2745e07c5166e86a7aaacc53aaad580b193d1a9e7d2339ff26afd99c844fe3f8b21ea20e2069dc3c15600d70

  • SSDEEP

    768:WAUJmQCcmLCXQq6fsKiJYsIkjJVzqsVG5kuGVAQvr9Vu18yb:RUNHFKQbIkHvGkA65q

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Drivers directory 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Sets file execution options in registry 2 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:604
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3448
        • C:\Users\Admin\AppData\Local\Temp\85e3c66edc63b7c513d7f6c7eede6670_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\85e3c66edc63b7c513d7f6c7eede6670_NeikiAnalytics.exe"
          2⤵
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:848
          • C:\Windows\SysWOW64\rmass.exe
            "C:\Windows\system32\rmass.exe"
            3⤵
            • Windows security bypass
            • Drops file in Drivers directory
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:872
            • C:\Windows\SysWOW64\rmass.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1456

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\RECOVER32.DLL
        Filesize

        5KB

        MD5

        2b2c28a7a01f9584fe220ef84003427f

        SHA1

        5fc023df0b5064045eb8de7f2dbe26f07f6fec70

        SHA256

        9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb

        SHA512

        39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

        Download Submit

      • C:\Windows\SysWOW64\ahuy.exe
        Filesize

        46KB

        MD5

        0d49d9b72db6f3184597efe9885ef29b

        SHA1

        d399a3eef6c64a3c5068565b063eed200afc685c

        SHA256

        94fb5cc2cf6da316faf3a55483dc2d20b5cff9c5406c53811767aac9a964111b

        SHA512

        328244e7f47d0c78cfaf1f2eb4e920a78ceb23d7b23e2b4ebc407284e0a3ce0ca4179ef60f153031bec08cb3979206839fe5bbde868cd8c7c56fbadc397a92b0

        Download Submit

      • C:\Windows\SysWOW64\ntdbg.exe
        Filesize

        47KB

        MD5

        7ece58c0a67dae76b56300e87fd7dabb

        SHA1

        a3468b492192b8f6adf636d2b27b1929a6e175a6

        SHA256

        6981d5c81189a9b8729a7bc0c4b7ea25048479116f861b0669353db69410629c

        SHA512

        50d89fe7ca4e46fde4a477934af94c1c8de15ce31f9fb6624818cf87b34a858aae5f86c35888baa96eb2e3c310bbda5b1e042d25a57d3c032adabb002687bc70

        Download Submit

      • C:\Windows\SysWOW64\rmass.exe
        Filesize

        44KB

        MD5

        85e3c66edc63b7c513d7f6c7eede6670

        SHA1

        c5e0bc65c8f03d7c3bca7eab73c7bd5c1e62c520

        SHA256

        74253a048bc323d16b2264cd296dd934c94d7859b730b2fcfd04f6635403a1fd

        SHA512

        5f9100552e7fb6dd8a69c75bca0ff712136f15cc2745e07c5166e86a7aaacc53aaad580b193d1a9e7d2339ff26afd99c844fe3f8b21ea20e2069dc3c15600d70

        Download Submit

      • C:\Windows\System32\drivers\etc\hosts
        Filesize

        1KB

        MD5

        6f47b62de25d1745e296a06b3f98ed19

        SHA1

        a688bb35a4c8a5cc198985d624a1b5a6ac5b9f6f

        SHA256

        15c7218eb9cef5fa0573db657b15ce3a5f0e0609f1166df8098ca7152df505b4

        SHA512

        dea26fff8060f44bf20fe4fff2ecbacf428727f10c0f5886fb4813e28fce9cbc3d088337c84edd9857b18514c83f1bb1cf0f51518aaecef09f30e921f4d758d7

        Download Submit

      • memory/848-5-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/872-49-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1456-50-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download