Overview

overview

10

Static

static

3

46fee5990c...cs.exe

windows7-x64

10

46fee5990c...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-05-2024 18:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    46fee5990cf50ea7d9e2906c9825f7f0_NeikiAnalytics.exe

  • Size

    24KB

  • MD5

    46fee5990cf50ea7d9e2906c9825f7f0

  • SHA1

    d2b0f165238f62bd470467287b2e69ab7eb82ce4

  • SHA256

    e453864ee00e8613b9501b65a190f7f604778aff061277add4ed2d8200d83130

  • SHA512

    3a181c0cd6739136b91cca0e83876377ee65df516ef6cc0c25493b95e38dcf196992b493fd95f49ca9009ea43d97364df113672839c6d81239ce22609eb077a1

  • SSDEEP

    384:jIz4QFC6l7f3qw+GyMjkNFeIcs1zPR+vJGRzUtV+/O0O+8oUfzjm:jIUmC6NfIWwNAp4dJRzUtV+/VJszjm

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Drivers directory 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Sets file execution options in registry 2 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:436
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1196
        • C:\Users\Admin\AppData\Local\Temp\46fee5990cf50ea7d9e2906c9825f7f0_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\46fee5990cf50ea7d9e2906c9825f7f0_NeikiAnalytics.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2364
          • C:\Windows\SysWOW64\rmass.exe
            "C:\Windows\SysWOW64\rmass.exe"
            3⤵
            • Windows security bypass
            • Drops file in Drivers directory
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2196
            • C:\Windows\SysWOW64\rmass.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2024

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\RECOVER32.DLL
        Filesize

        5KB

        MD5

        2b2c28a7a01f9584fe220ef84003427f

        SHA1

        5fc023df0b5064045eb8de7f2dbe26f07f6fec70

        SHA256

        9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb

        SHA512

        39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

        Download Submit

      • C:\Windows\SysWOW64\ahuy.exe
        Filesize

        24KB

        MD5

        9ff7c9120f64ee104d00a5c4dd93a8dd

        SHA1

        3ff6c9ce044e1e989e20339b28056d803fefd335

        SHA256

        050bbd18d99733434be41e1eba4f2dc567bf55d6337398235249bf3eff6f12a2

        SHA512

        042ebae9743e5cbb7d8658578f910d776a3b08027ef32b8d7b143fc3537c3ddc9725ffd990e22460cb57b3af8858dc4582cd76997b418294ca85d0c9d56aed9b

        Download Submit

      • C:\Windows\SysWOW64\ntdbg.exe
        Filesize

        25KB

        MD5

        62bde4aa4ae81fa2de95d74011e91c87

        SHA1

        5c9b200a6f2b60d620609416bc4c7d72c3c7cebd

        SHA256

        c20590df26b8855cacfee17b539b3df72f2a597b557f4e063ca8018712930c3e

        SHA512

        1cee9f65af2d2ae6a1a5f2a1ce3a50b290e292c5f9b8507f122e37298c8f6cf3818e030a4f9c2a0e1abe72eede22c53514ba3fc9cbb8b9f71b908d7be6688a96

        Download Submit

      • C:\Windows\System32\drivers\etc\hosts
        Filesize

        1KB

        MD5

        b10b13206b0f2cf3968050072f6979bf

        SHA1

        699db21ba9cecf3f13ac3d76e22cfa41aa94da80

        SHA256

        0eef3217095cb97b695c434e74d6314bf9e869a013d6e9c88e58c34576a276b4

        SHA512

        d33bfd931be6676539507a69101d99fa4c5ef36b12422bd11f063b9b6a47b7444f6c4ad5f35e044714fdb872e96cd9fddf049e8329af1219483887f6ac5f4a5d

        Download Submit

      • \Windows\SysWOW64\rmass.exe
        Filesize

        22KB

        MD5

        419123698f01b3b91fb1c596ace3f608

        SHA1

        cfe93e70d6d6475f5784c8425a86d1c6f1360531

        SHA256

        f9b5926cbae9c6b8345810c1f331b33e25daf29f2931733383a6e901aaf2be0f

        SHA512

        5c9186a1ccb4906e14ac90b517f284d92966f69ebf0e86a7acb29233a6fbca9769c18341d2498a49c8f468c51e979f96bdac3847098328b6f0ac2bb335a3ce4c

        Download Submit

      • memory/2024-57-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2196-13-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2196-56-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2196-96-0x0000000000360000-0x0000000000371000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2364-2-0x0000000000020000-0x0000000000031000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2364-9-0x0000000000020000-0x0000000000031000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2364-8-0x0000000000400000-0x0000000000403000-memory.dmp

        Filesize

        12KB

        Download