Analysis

  • max time kernel
    146s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-05-2024 11:38

General

  • Target

    d451b6e07aabf666e575cadab24884e0_NeikiAnalytics.exe

  • Size

    482KB

  • MD5

    d451b6e07aabf666e575cadab24884e0

  • SHA1

    fe90e1fa7d3d7ed12204df462bce622f13d1cb28

  • SHA256

    8a53e642970e248795afacebbe81e4b7c3a3944543ca224a5d8bede2d52cca96

  • SHA512

    ee008176725121ba30f207fe4567ec97edf4943900038bca92f11170d41da10ca46719416c61ef2ef8e573cb54e67ba68ad93ae63335383d2dbc2d108bfd71cb

  • SSDEEP

    12288:vWpijK/sQTpTRDC5Kcv3/ZJEvWsACQ8zUfFv:vWpijK7pQ5XQhDzQv

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Program crash 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies registry class 36 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d451b6e07aabf666e575cadab24884e0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d451b6e07aabf666e575cadab24884e0_NeikiAnalytics.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4524
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 356
      2⤵
      • Program crash
      PID:2532
    • C:\Users\Admin\AppData\Local\Temp\d451b6e07aabf666e575cadab24884e0_NeikiAnalytics.exe
      C:\Users\Admin\AppData\Local\Temp\d451b6e07aabf666e575cadab24884e0_NeikiAnalytics.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      • System policy modification
      PID:1712
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 324
        3⤵
        • Program crash
        PID:1416
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 672
        3⤵
        • Program crash
        PID:4756
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 800
        3⤵
        • Program crash
        PID:2772
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 840
        3⤵
        • Program crash
        PID:2848
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 848
        3⤵
        • Program crash
        PID:1792
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 972
        3⤵
        • Program crash
        PID:4480
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 968
        3⤵
        • Program crash
        PID:4936
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1300
        3⤵
        • Program crash
        PID:2124
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4524 -ip 4524
    1⤵
    PID:4288
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1712 -ip 1712
    1⤵
    PID:2504
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1712 -ip 1712
    1⤵
    PID:1236
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1712 -ip 1712
    1⤵
    PID:4832
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1712 -ip 1712
    1⤵
    PID:5068
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1712 -ip 1712
    1⤵
    PID:1140
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1712 -ip 1712
    1⤵
    PID:3676
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1712 -ip 1712
    1⤵
    PID:528
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1712 -ip 1712
    1⤵
    PID:4520
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies registry class
      PID:928
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4816
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    PID:2768
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
    PID:2280
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:444
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4784
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:4128

Network

MITRE ATT&CK Enterprise v15

Downloads

                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133598147574291707.txt

                          Filesize

                          75KB

                          MD5

                          79ea60e4feeffe4483ba2d0ea61852fb

                          SHA1

                          7d5921a1b6240cc717ad4f4478bbcfc42f3af8e8

                          SHA256

                          1e85f6cd486b20682b1a6af9f34e7993a558f3b5dccd1e80a55178847e794923

                          SHA512

                          4d0866c2b63af9570fa20bca628a6e67b3704d7ab5a8a1311fb614f38b54444cc6630390092282f075751cae38000a17e4bf1cb992a8900b0c72965c0b24dbf4

                        • C:\Users\Admin\AppData\Local\Temp\d451b6e07aabf666e575cadab24884e0_NeikiAnalytics.exe

                          Filesize

                          482KB

                          MD5

                          cd7e1a5af5b290c3c88a8f2697a9db19

                          SHA1

                          1f663daac2714a83ba120faf9aa48dd6e47a6c1d

                          SHA256

                          78eeaff29deb5972f8f3c3e526525a52c87aecf99ff3e39e2be4fe0668856299

                          SHA512

                          9ff261a06c8aa981e3fe96f4e7ec6eee655ed15c13d9c5dcf805cfc53ce692dc2c7a3064911aae2fa712635006adce8fc458bc2a1678362d97798553107b67a0

                        • memory/1712-16-0x0000000000400000-0x000000000045A000-memory.dmp

                          Filesize

                          360KB

                        • memory/1712-7-0x0000000000400000-0x0000000000472000-memory.dmp

                          Filesize

                          456KB

                        • memory/1712-8-0x0000000004F60000-0x0000000004FD2000-memory.dmp

                          Filesize

                          456KB

                        • memory/1712-9-0x0000000000400000-0x000000000045A000-memory.dmp

                          Filesize

                          360KB

                        • memory/1712-17-0x00000000014A0000-0x00000000014A1000-memory.dmp

                          Filesize

                          4KB

                        • memory/1712-23-0x0000000000400000-0x000000000045A000-memory.dmp

                          Filesize

                          360KB

                        • memory/4524-0-0x0000000000400000-0x0000000000472000-memory.dmp

                          Filesize

                          456KB

                        • memory/4524-6-0x0000000000400000-0x0000000000472000-memory.dmp

                          Filesize

                          456KB

                        • memory/4784-30-0x000001D1D2F20000-0x000001D1D3020000-memory.dmp

                          Filesize

                          1024KB

                        • memory/4784-35-0x000001D1D4080000-0x000001D1D40A0000-memory.dmp

                          Filesize

                          128KB

                        • memory/4784-46-0x000001D1D4040000-0x000001D1D4060000-memory.dmp

                          Filesize

                          128KB

                        • memory/4784-66-0x000001D1D4450000-0x000001D1D4470000-memory.dmp

                          Filesize

                          128KB

                        • memory/4816-28-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

                          Filesize

                          4KB