Analysis

  • max time kernel
    149s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/05/2024, 12:22

General

  • Target

    026281498999d944f7a72ec151c2fd50_NeikiAnalytics.exe

  • Size

    70KB

  • MD5

    026281498999d944f7a72ec151c2fd50

  • SHA1

    8d329d232804af77e093379d987d187db3224ba0

  • SHA256

    68b13f28eb7c157beced1f6f8c8ad6b1fa2b669c1b97e9635ed0472b08ba0801

  • SHA512

    1d9da23a582410ccf95ca650e908b4d1b8fd68ff555cac8179c912032e81b6cbaa1fd7c76790e5e3b0230a6afbd741ac7e4eddc0b5c648f431f44894abb51070

  • SSDEEP

    1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8n:Olg35GTslA5t3/w8n

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Sets file execution options in registry 2 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1216
        • C:\Users\Admin\AppData\Local\Temp\026281498999d944f7a72ec151c2fd50_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\026281498999d944f7a72ec151c2fd50_NeikiAnalytics.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3016
          • C:\Windows\SysWOW64\encadeb.exe
            "C:\Windows\system32\encadeb.exe"
            3⤵
            • Windows security bypass
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3008
            • C:\Windows\SysWOW64\encadeb.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1644

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Windows\SysWOW64\icgukeaf-efum.exe

              Filesize

              72KB

              MD5

              9cc89f9740497a44fd9426efc1a3d7fb

              SHA1

              abcc7d7854bdf3f2201cf88ea18f3f327b5c0669

              SHA256

              30db54f9852b0d3ca4c2b437b660c0d55d9e99948035cac762de873ea054f3a6

              SHA512

              e2c2610bfcfce4af31d8962ac5641b6900049bd43f6949e9483e76faa2c90dbc1de5782a92fb8e5b6e52fc17f812def496f51d69fb2eb7a4803de02b2e126eb4

            • C:\Windows\SysWOW64\ixtofoat-oudor.exe

              Filesize

              73KB

              MD5

              ea6e4e7bb35bbbedebeb8253a4f774c1

              SHA1

              770371eabf178373aa9848f3ffe2051dbcc2b59a

              SHA256

              37a832c0e2a470482dde133d757719b150404f7246a545d851f9ca4971df813f

              SHA512

              5e3861d7766521906570f435f64b9fe82fd28d15327969dede71a2f97fe6f27afee6944717d22588bb01b6ccb95f509d38ed25530784d445c9c86459ef9973f1

            • C:\Windows\SysWOW64\uhsoorex-adac.dll

              Filesize

              5KB

              MD5

              f37b21c00fd81bd93c89ce741a88f183

              SHA1

              b2796500597c68e2f5638e1101b46eaf32676c1c

              SHA256

              76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

              SHA512

              252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

            • \Windows\SysWOW64\encadeb.exe

              Filesize

              70KB

              MD5

              026281498999d944f7a72ec151c2fd50

              SHA1

              8d329d232804af77e093379d987d187db3224ba0

              SHA256

              68b13f28eb7c157beced1f6f8c8ad6b1fa2b669c1b97e9635ed0472b08ba0801

              SHA512

              1d9da23a582410ccf95ca650e908b4d1b8fd68ff555cac8179c912032e81b6cbaa1fd7c76790e5e3b0230a6afbd741ac7e4eddc0b5c648f431f44894abb51070

            • memory/1644-56-0x0000000000400000-0x0000000000414000-memory.dmp

              Filesize

              80KB

            • memory/3008-55-0x0000000000400000-0x0000000000414000-memory.dmp

              Filesize

              80KB

            • memory/3016-9-0x0000000000400000-0x0000000000414000-memory.dmp

              Filesize

              80KB
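Added host-triage example, not part of the sandbox report or of the sample's own code: a PowerShell script that checks a Windows host for the artifacts listed above. It uses the dropped file names and SHA256 values from the Downloads section (note that the dropped encadeb.exe carries the same SHA256 as the submitted sample, so the sample copies itself into SysWOW64), the `--k33p` argument from the process tree, and the registry locations that the "Sets file execution options in registry", "Modifies Installed Components in the registry" and "Modifies WinLogon" signatures refer to (Image File Execution Options, Active Setup Installed Components, and the Winlogon key). The report does not list the exact registry values written, so the registry checks hunt for any value that references a dropped file name rather than reproducing the sample's changes; Shell, Userinit and Taskman are assumed to be the Winlogon values worth inspecting, and the "Windows security bypass/modification" signatures are not covered because the report gives no detail for them.

```powershell
# Added host-triage script for the artifacts in this report (not part of the
# sandbox output). Run in an elevated PowerShell session (PowerShell 4+ for
# Get-FileHash / Get-CimInstance). It reports findings; it removes nothing.

$ErrorActionPreference = 'SilentlyContinue'

# SHA256 values copied from the report's Downloads section. encadeb.exe has the
# same hash as the submitted sample, i.e. the sample copies itself into SysWOW64.
$iocHashes = @{
    '68b13f28eb7c157beced1f6f8c8ad6b1fa2b669c1b97e9635ed0472b08ba0801' = 'encadeb.exe (copy of the submitted sample)'
    '30db54f9852b0d3ca4c2b437b660c0d55d9e99948035cac762de873ea054f3a6' = 'icgukeaf-efum.exe'
    '37a832c0e2a470482dde133d757719b150404f7246a545d851f9ca4971df813f' = 'ixtofoat-oudor.exe'
    '76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0' = 'uhsoorex-adac.dll'
}
$iocNames = @('encadeb.exe', 'icgukeaf-efum.exe', 'ixtofoat-oudor.exe', 'uhsoorex-adac.dll')
$namePattern = ($iocNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. The sample is 32-bit, so on x64 its "system32" writes land in SysWOW64.
foreach ($dir in @("$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32")) {
    foreach ($name in $iocNames) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        if ($iocHashes.ContainsKey($hash)) {
            $findings.Add("FILE      $path : SHA256 matches report ($($iocHashes[$hash]))")
        } else {
            $findings.Add("FILE      $path : present, SHA256 $hash not in report (different build?)")
        }
    }
}

# 2. Running processes: a dropped name as the image, or the --k33p argument the
#    second encadeb.exe instance (PID 1644 in the report) was started with.
Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    $exe = ([string]$_.Name).ToLower()
    $cmd = [string]$_.CommandLine
    if (($iocNames -contains $exe) -or ($cmd -match '--k33p')) {
        $findings.Add("PROCESS   PID $($_.ProcessId) $exe : $cmd")
    }
}

# Helper: walk the subkeys of a registry key and report a named value that
# references any dropped file name. Both the native and the WOW6432Node view
# are checked, since a 32-bit writer's HKLM\SOFTWARE changes may be redirected.
function Find-RefInSubkeys([string]$RelativeKey, [string]$ValueName, [string]$Label) {
    foreach ($root in @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')) {
        $key = Join-Path $root $RelativeKey
        if (-not (Test-Path -LiteralPath $key)) { continue }
        Get-ChildItem -LiteralPath $key | ForEach-Object {
            $v = [string](Get-ItemProperty -LiteralPath $_.PSPath -Name $ValueName).$ValueName
            if ($v -and ($v -match $namePattern)) {
                $findings.Add("$Label $($_.PSChildName) $ValueName = $v")
            }
        }
    }
}

# 3. "Sets file execution options in registry": an IFEO Debugger value hijacks the
#    launch of the named program.
Find-RefInSubkeys 'Microsoft\Windows NT\CurrentVersion\Image File Execution Options' 'Debugger' 'IFEO     '

# 4. "Modifies Installed Components in the registry": Active Setup StubPath runs at logon.
Find-RefInSubkeys 'Microsoft\Active Setup\Installed Components' 'StubPath' 'ACTSETUP '

# 5. "Modifies WinLogon": values that start programs at logon. Which value the sample
#    changed is not stated in the report; Shell, Userinit and Taskman are assumed targets.
foreach ($root in @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')) {
    $key = Join-Path $root 'Microsoft\Windows NT\CurrentVersion\Winlogon'
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($valueName in @('Shell', 'Userinit', 'Taskman')) {
        $v = [string]$props.$valueName
        if ($v -and ($v -match $namePattern)) { $findings.Add("WINLOGON  $key\$valueName = $v") }
    }
}

if ($findings.Count -eq 0) { 'No artifacts from this report found on this host.' } else { $findings }
```

A hash match on a file in SysWOW64 ties the host to exactly this build; a name match with a different hash is still worth pulling, since the report's three dropped EXEs differ by only a few KB and a repacked variant would keep the same drop names. Registry hits should be reviewed by hand before removal, because Winlogon Shell/Userinit and IFEO Debugger values also have legitimate uses.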