Overview

overview

9

Static

static

3

abd50c1cd9...cs.exe

windows7-x64

9

abd50c1cd9...cs.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    11/05/2024, 10:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    abd50c1cd984b84e7bb9171a4d668b40_NeikiAnalytics.exe

  • Size

    326KB

  • MD5

    abd50c1cd984b84e7bb9171a4d668b40

  • SHA1

    8285299d0c83f821624a65406cf43837bb088099

  • SHA256

    e5e429693573761352e4532fd4a95ab01d83d0242fb7612623be497f88a47d84

  • SHA512

    d6c398941acb40317f7e2673a7e41e25f25debf26dea59869ace7aafa6b8987d8481b726caaf77db9d98890114c4becdc4f92b52958b4fbd44cb8e19d2431efc

  • SSDEEP

    6144:Z5CKlxyOYbUUSgigL/dz69B+4w3DzCosAZgbTfipFvWTBFcoy+z:3lxypUUStgL/dKB+4wTZPObTfipNWTH7

Score
9/10
persistenceransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (175) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\abd50c1cd984b84e7bb9171a4d668b40_NeikiAnalytics.exe
        "C:\Users\Admin\AppData\Local\Temp\abd50c1cd984b84e7bb9171a4d668b40_NeikiAnalytics.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1424
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2172
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2976
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1A25.bat
            3⤵
            • Deletes itself
            PID:2648
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Adds Run key to start application
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2688
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2884
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2768
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3012
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2984

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$a1A25.bat
            Filesize

            620B

            MD5

            73a6178f4fc08914f2289ef6bac9ca6e

            SHA1

            dbe2821bb86c8806f33fe448067c811230f9254d

            SHA256

            4515156576b73b340e38cc424baa889d97018a86b0368903f21de5f5a132c2a8

            SHA512

            2de2a65a317448a178b1e87dacf2b4cba62f06f4392738a3d11adf4cbdd213e64550ad8254d4717261069359950809f70dbb9080409b985b6572bedad587b77c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\abd50c1cd984b84e7bb9171a4d668b40_NeikiAnalytics.exe.exe
            Filesize

            268KB

            MD5

            2b45c64a6386f554b46c34829f410fdb

            SHA1

            d784b871c1ee4a5429c2c14b5823a19e25c8c1be

            SHA256

            55f14ed958f1dd04a79a9dafa6da11ff54c0d2bf1e1273e86959a0d375b88bc5

            SHA512

            d792ed1c2f85f5c413f7da01fe9b92999fb4d0786cb5f1db200cf4cee0c8da78c0b8974893a9993fc7a374c3ba467bd0a494b015530a29dca492b9eace2524a0

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            57KB

            MD5

            43695e2b27fd99feb89c7c9c031f2c7f

            SHA1

            c0d574c9219a3b242627969b1d60e35f57e26084

            SHA256

            c9b03492eb5dc22bdc6e0a1b5dc9cc9d3a13d3818203dbeb3cc92e39ec51820a

            SHA512

            55a3a582d96a1e3378f0d0dc4dc8f0a92036e151668958effc4398ec41b2c65c7a43c8479712173718fa41d320acd5b3f56f18d74ec9325be4345867489b28e1

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            832B

            MD5

            7e3a0edd0c6cd8316f4b6c159d5167a1

            SHA1

            753428b4736ffb2c9e3eb50f89255b212768c55a

            SHA256

            1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

            SHA512

            9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

            Download Submit

          • memory/1208-66-0x0000000002D10000-0x0000000002D11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1424-0-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

            Download

          • memory/1424-1-0x000000000042E000-0x000000000042F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1424-18-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

            Download

          • memory/1424-2-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

            Download

          • memory/2648-58-0x0000000002610000-0x0000000002611000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2688-20-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

            Download

          • memory/2688-23-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

            Download

          • memory/2688-22-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

            Download

          • memory/2688-72-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

            Download