Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/05/2024, 12:02

General

  • Target
    0033f524ed64f1e7c21b6908aa8f8710_NeikiAnalytics.exe
  • Size
    71KB
  • MD5
    0033f524ed64f1e7c21b6908aa8f8710
  • SHA1
    65aac2c4dd5f7d5669b3bf98fb1c944db1823db4
  • SHA256
    5e6772b13d6a3a42096b78dbdb9facd1febf708ea4aae5a1f0913da73177b2f4
  • SHA512
    4cd6bf8264da641bfb4eb1d92e6c853adbc2d9da921cc60a215dfde16375fd34e0b0a26147204139c1af801cd62077eafbc1f9b0a59165ddeebee12296d58189
  • SSDEEP
    1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8slntm:Olg35GTslA5t3/w8wk

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Sets file execution options in registry 2 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:608
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3512
        • C:\Users\Admin\AppData\Local\Temp\0033f524ed64f1e7c21b6908aa8f8710_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\0033f524ed64f1e7c21b6908aa8f8710_NeikiAnalytics.exe"
          2⤵
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2028
          • C:\Windows\SysWOW64\offoadoac.exe
            "C:\Windows\system32\offoadoac.exe"
            3⤵
            • Windows security bypass
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:212
            • C:\Windows\SysWOW64\offoadoac.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2948
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4024,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
        1⤵
          PID:2448

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\acpugeaf.exe
    Filesize
    73KB
    MD5
    4d0ae1eba76c07809a73779077dc4b2d
    SHA1
    6f002031b5874f0cdc24a8a7cfdc16d44d66c9c8
    SHA256
    a5529b4399179570e043d466952ea7c4ff0a98e4cbea204b556f4b0d84a4ee35
    SHA512
    34e1e5fc7364ac749419349a756aa6fdd6663721893bcb9659644a8825199c4862af676fe2260fd17df53823d439894c5fbf8c5398fd6f35555b4f71a67290ee

  • C:\Windows\SysWOW64\arvucet.dll
    Filesize
    5KB
    MD5
    f37b21c00fd81bd93c89ce741a88f183
    SHA1
    b2796500597c68e2f5638e1101b46eaf32676c1c
    SHA256
    76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
    SHA512
    252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

  • C:\Windows\SysWOW64\offoadoac.exe
    Filesize
    71KB
    MD5
    0033f524ed64f1e7c21b6908aa8f8710
    SHA1
    65aac2c4dd5f7d5669b3bf98fb1c944db1823db4
    SHA256
    5e6772b13d6a3a42096b78dbdb9facd1febf708ea4aae5a1f0913da73177b2f4
    SHA512
    4cd6bf8264da641bfb4eb1d92e6c853adbc2d9da921cc60a215dfde16375fd34e0b0a26147204139c1af801cd62077eafbc1f9b0a59165ddeebee12296d58189

  • C:\Windows\SysWOW64\ouxtevog-ador.exe
    Filesize
    74KB
    MD5
    a10953fea6a5198c2a7d96d4bc102025
    SHA1
    dd6c8e0b49f073dcb3d01383d638eda29288c090
    SHA256
    7bba8c011d2da39333a1c789f4c9215787fde96a5c7422ec3370e8bccd839dc9
    SHA512
    5ff9a09ecde9a1ab16422c60322b0dbe47c88350c6e8ff5db0f9122742dffe25c54ab1dd32bb536f58a5309c8228d52f6a5af2f3bb9642da42d0ad1d6f03fded

  • memory/212-49-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize
    80KB

  • memory/2028-5-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize
    80KB

  • memory/2948-50-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize
    80KB