Analysis

  • max time kernel
    149s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 03:14

General

  • Target

    6231a769c9f0e1708ca758253b80ae50_NeikiAnalytics.exe

  • Size

    70KB

  • MD5

    6231a769c9f0e1708ca758253b80ae50

  • SHA1

    fca45c674a1c366cea71a7ae211363a7729f575b

  • SHA256

    ac1e856b5338aedc8c8e23b1726ba2c31e7971b3aa1931ae55c95c9c1c1a1a05

  • SHA512

    a6582d62234cb562c120b14ee1fc939d04016d2c3aecd730d07d093edb38b5f30d0acd700a64a063bf8fad79af3b8fc3907206ca66080748e2692dfd08b70089

  • SSDEEP

    1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8FgO:Olg35GTslA5t3/w85

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Sets file execution options in registry 2 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:600
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3556
        • C:\Users\Admin\AppData\Local\Temp\6231a769c9f0e1708ca758253b80ae50_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\6231a769c9f0e1708ca758253b80ae50_NeikiAnalytics.exe"
          2⤵
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1980
          • C:\Windows\SysWOW64\eassikoab-exoas.exe
            "C:\Windows\system32\eassikoab-exoas.exe"
            3⤵
            • Windows security bypass
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2392
            • C:\Windows\SysWOW64\eassikoab-exoas.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:3116

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\eassikoab-exoas.exe

        Filesize

        70KB

        MD5

        6231a769c9f0e1708ca758253b80ae50

        SHA1

        fca45c674a1c366cea71a7ae211363a7729f575b

        SHA256

        ac1e856b5338aedc8c8e23b1726ba2c31e7971b3aa1931ae55c95c9c1c1a1a05

        SHA512

        a6582d62234cb562c120b14ee1fc939d04016d2c3aecd730d07d093edb38b5f30d0acd700a64a063bf8fad79af3b8fc3907206ca66080748e2692dfd08b70089

      • C:\Windows\SysWOW64\emxuvood.exe

        Filesize

        72KB

        MD5

        949930756f6b30ff14f8610ca5a4823c

        SHA1

        9965f6d62918d3d222f3808294c2429b29efddf1

        SHA256

        37a2f99291e2ef7b20e537b1608782949a4b38de1d0e787d1f322c8da85fa35d

        SHA512

        96e48bd5ae562952637b13ada86bb82b21dc4dafcaf4166f1c7cb2d01c2beb5791d2be2b6b90896ec4031f71a13090493f732ff8ecd2627dc548b3be60f20c96

      • C:\Windows\SysWOW64\ofbootoof-oufooc.dll

        Filesize

        5KB

        MD5

        f37b21c00fd81bd93c89ce741a88f183

        SHA1

        b2796500597c68e2f5638e1101b46eaf32676c1c

        SHA256

        76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

        SHA512

        252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

      • C:\Windows\SysWOW64\oxsetof-bom.exe

        Filesize

        73KB

        MD5

        7e55365fdd56cc18a8dd7daeec2afaa8

        SHA1

        09c90ad376eb2bc32302eb6540bf0d83528bf147

        SHA256

        6cd6c52173e7dc9785055f6f984716fdc5a0a12adc09caf67fced644641b6bd8

        SHA512

        6301a9be2607157cd99eaf93e96d3ef15cee693d6703c9834e51695fb7258a5e80844d9a6b431d45e22aa6e628e5b601b1291ee79f8940946f04abee3c0f6b38

      • memory/1980-6-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/2392-49-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/3116-50-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB