Overview

overview

10

Static

static

3

9a1d494a00...cs.exe

windows7-x64

10

9a1d494a00...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    11-05-2024 07:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a1d494a00012d72607e80975c18d260_NeikiAnalytics.exe

  • Size

    1.1MB

  • MD5

    9a1d494a00012d72607e80975c18d260

  • SHA1

    74bd2e7d5f846770ab8e6d077c67965b25f7df2f

  • SHA256

    bf6cc829ea87f7f6ab6d89f575cefb8edf4a43dafa43f79d9680b6f446d38e4e

  • SHA512

    719b5ad877d16a42901b831b8d0be673c97ff343c7a42bee1ee7552b889ca0cfc4b23ce2cee4f11283a75bbe1e10c994ccd637412534f21efa9a51251810eda9

  • SSDEEP

    6144:BDCwjtev1dQ7sdtTS9lE2cmttDCwjtev1dQ7sdtTS9lE2cmtqDCwjtev1dQ7sdtT:B3sRC9f3sRC9Q3sRC9f3sRC90

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 6 IoCs
    persistence
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a1d494a00012d72607e80975c18d260_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9a1d494a00012d72607e80975c18d260_NeikiAnalytics.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Modifies registry key
      PID:3000
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2852
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2064
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2468
          • C:\Users\Admin\AppData\Local\Temp\avscan.exe
            C:\Users\Admin\AppData\Local\Temp\avscan.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2460
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\windows\W_X_C.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\windows\hosts.exe
              C:\windows\hosts.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:1540
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              6⤵
              • Adds policy Run key to start application
              PID:1948
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:2632
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:1984
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:1308
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:2908
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          PID:2484
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1916
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:412
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1304
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:988
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2808
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        PID:2916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize

    2.2MB

    MD5

    7839aa8f1c323b5e940193bfe2d501ef

    SHA1

    0187023b575da818c15a7cbc6e35a685f75cf995

    SHA256

    06d46ecd031851d40f325c7ea0f6b9a586e20bd585166b951e0fd7170a65fe90

    SHA512

    d107ea593812be3dd0baa0d79c3d3ddfafc38b5066f5674f66d4924a7d97e476f25e951fa78a450f5433f2c66a971a1b11942bd4dce09de51d89ce942bace7d3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize

    4.4MB

    MD5

    cc66410a91b5aaa9b364bd9ac48f711e

    SHA1

    92a4ec5a5fcf0d950f851b5d10e37368123ec215

    SHA256

    dcf7b2ade6bdb475839375340138ebeb58b1398ad1883c7b2775ecbca939771b

    SHA512

    5e317808591c09ed216fa8d3d656b93a7623526a8fc00909fbc6a98d111f8773aeec1ddae5f27df68eeb2e9cb2d5db8e0a40ea568317eac39b2931de1a709949

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize

    4.4MB

    MD5

    983861c84bbb06df5f8db69845008ce0

    SHA1

    a734a756a9256d2fd60fb01a217094e700687a0d

    SHA256

    44daba24b189df08dca57fabf3902390088354078a3f5596e0310ae6cc39f443

    SHA512

    709c72992536d94da304a748cb1c2dba89c6818908fc33721dcbdd6784a218c6e23bce9b5525f70c58849c395dd7914aa549f4567e4f545d4f2369bf744fbf2e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize

    6.6MB

    MD5

    d0da78aedbe6252855d3dd3cb5b9f5de

    SHA1

    d14ae4bd5221665284009983a71cde3d5dc10d70

    SHA256

    b32ecfaa9c50225185211c2838da02a9b6895a7884b74aa781ce4558ca4fb6b6

    SHA512

    ee4ead7a4a4c993085bbcfa90bf009fd466cdfe1d8ce394b7e051f4dca7ca75b4b0a6e97d65944fc1a45af22a72686f73386613cc050dd1e507cd27111ce7d56

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize

    6.6MB

    MD5

    31c654ecd6f88f69da801f18964747b6

    SHA1

    68180b508e06e040506d82f3b602754dddbc1409

    SHA256

    6434470500d0ce94e2e62796a27dc40adcaf969874ac5b293d42a37bc32a4b07

    SHA512

    135a87cdaa721411ae746f61ec26bb0027915c1f2e7194ca204ca6b42444e410931545ad70b35dfe1d201b55562597a09ff8bc77d06a17fa2abcefa9a939c52e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize

    8.7MB

    MD5

    5b0232d83a739ce484f032dacd55a377

    SHA1

    f1c710ec322518baa6094d266dbd3a1b529a6143

    SHA256

    469fc0e495dc4ec1998a43c83b79e14db365eb52d15ba488576ce9950010253e

    SHA512

    72e43f158a662d81006fc302dd1ee328674b6cf3508b537c536723d52f1389b65c4d7a2b5db0a1fe4c6103f776763539843d2076c355d71492ec0c3e56f78b0c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize

    8.7MB

    MD5

    13dadfa1140ad1811b302c2dd0996175

    SHA1

    3d454f8666026e35e02fe49ee4f393310f1b9364

    SHA256

    2a93ba133be433a5a84a0e72519eca7a6204ca8342e1ef67ec9e3971e49f80bd

    SHA512

    4a448197f01849d05192c1af113eb8b5f09ea663c0bd8227ae1e2526f1a33a8f9d7a719fc4c5d8324724f03359b13a3059b4528045a132bca4732da2d5cff042

    Download Submit

  • C:\Windows\W_X_C.vbs
    Filesize

    195B

    MD5

    7fd017e8c0f6e808ab92dd24fc015f50

    SHA1

    917f0c6f8588a70a1044dfd2b0dd94d2738ac705

    SHA256

    009ab8b53bde4a5b671cddc837eeab5e1023557db347ed33f355d75d230d0ae1

    SHA512

    91f7dc20c39ddb47221416ec3ffd8b91e1ccdfe2cb8b60294380df08c6e4edef19387da198107eedb47a75e7ad311cc5933095eeddfcb47d7d45d5a8b0a40ae3

    Download Submit

  • C:\Windows\hosts.exe
    Filesize

    1.1MB

    MD5

    5c36655bb0e2cee7874d6b3cf67ae698

    SHA1

    65882f8a02502f8e778ce04be6e764d57295c1d4

    SHA256

    cf51463b15e86ed1496bd98f7735e071d5ec8ccdbc149734e3861e6fd302267a

    SHA512

    2047d912daa536d2990b884a731eb3be138d42ae75e169c8f8b6e087c2c09478abfac2abb0197e6880acb9cc90c3a2aca41ef6bb97ac298660e611826899041d

    Download Submit

  • \??\c:\windows\W_X_C.bat
    Filesize

    336B

    MD5

    4db9f8b6175722b62ececeeeba1ce307

    SHA1

    3b3ba8414706e72a6fa19e884a97b87609e11e47

    SHA256

    d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

    SHA512

    1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\avscan.exe
    Filesize

    1.1MB

    MD5

    b1313f32f873c47efa993f2270b71486

    SHA1

    0dabae4229ed1b722402e93abd4a0cdd6f679b29

    SHA256

    0f8ed30511047b3cddc40d9da318a5b75263b2212a3feda31faed2b97a3168f9

    SHA512

    9579e3079e747f32afbd569537022a745bfaa5c265f1108b6fec669fdacfed08989e3d17a65d8fc0c12abb8d982fa0473de7ca50cb938cd48f2a7eca9596902b

    Download Submit

  • memory/1540-88-0x0000000000380000-0x0000000000390000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1540-90-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1540-89-0x0000000000380000-0x0000000000390000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1732-15-0x0000000002720000-0x0000000002749000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1732-0-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1732-16-0x0000000002720000-0x0000000002749000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1732-28-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2064-35-0x0000000000170000-0x0000000000199000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2064-34-0x0000000000170000-0x0000000000199000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2460-48-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2468-44-0x00000000003D0000-0x00000000003F9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2468-45-0x00000000003D0000-0x00000000003F9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2616-76-0x0000000000510000-0x0000000000539000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2720-37-0x0000000000180000-0x00000000001A9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2808-50-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2808-49-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2808-51-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2808-38-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2852-27-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2996-29-0x00000000004A0000-0x00000000004C9000-memory.dmp

    Filesize

    164KB

    Download