Overview

overview

7

Static

static

3

673460cb01...cs.exe

windows7-x64

7

673460cb01...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    12/05/2024, 04:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    673460cb019bf118be3aa48638bc9e80_NeikiAnalytics.exe

  • Size

    84KB

  • MD5

    673460cb019bf118be3aa48638bc9e80

  • SHA1

    0fa38e4d9161d3bc7515c95ad36bb341b4b4008c

  • SHA256

    43d44636eb3b4b9d6e6f5869c9fe95f427448200a7d491307618339ad9948711

  • SHA512

    2c8d7837255e9d97a7e4ce26da73e96599da9f2e3f851aa99b7d01019ac3b8323c6c0a4236307e036a59101fd9bc1280e316032f4c1dac3e835b6b85005baca6

  • SSDEEP

    1536:1clIGFNMi+hJUneHoGTvvv4V9hqdhbtgS:+RMi+fUnCTvvv4V9hEhbCS

Score
7/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\673460cb019bf118be3aa48638bc9e80_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\673460cb019bf118be3aa48638bc9e80_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Local\Temp\673460cb019bf118be3aa48638bc9e80_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\673460cb019bf118be3aa48638bc9e80_NeikiAnalytics.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EIYWF.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1264
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Audio Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\lsass.exe" /f
          4⤵
          • Adds Run key to start application
          PID:772
      • C:\Users\Admin\AppData\Roaming\system\lsass.exe
        "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1420
        • C:\Users\Admin\AppData\Roaming\system\lsass.exe
          "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2684
        • C:\Users\Admin\AppData\Roaming\system\lsass.exe
          "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2624
          • C:\Users\Admin\AppData\Roaming\system\lsass.exe
            "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
            5⤵
            • Executes dropped EXE
            • Modifies system certificate store
            PID:2616

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          a51723b25824c762b51f2678be846b97

          SHA1

          445a0c766ec13a48162123e62c7f945448382448

          SHA256

          765bc9543a68a744bb211e79cf5f8a21359efaecef32dd1667c813452bf6147d

          SHA512

          0313943e162023a52a19237113dea19a3370ff772b98f5fc14923059c2137845ad4064eb11c0e76070339d12c1fb55f84b96aa6ad790adbc3aa2df37cf158e09

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\EIYWF.bat
          Filesize

          146B

          MD5

          c8cba0a9d4d5600b5f53c4c0681d1115

          SHA1

          0e5348e210ca70b2b0ffdc3ff7e6f611716df80c

          SHA256

          ca2b63f6d7bf17480415ae93e115bf9f9699335e84e62719eefdbcc5a78bd2e1

          SHA512

          a2ad6eb5ae2f6d57ca15363ac2f0c57ca3580474e94b9c010750948814cf4d5ffa0c3e7ef44634a3593da23f56011703ff220a3d7780f6f01785bf3b6676ced0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\TarE316.tmp
          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

          Download Submit

        • \Users\Admin\AppData\Roaming\system\lsass.exe
          Filesize

          84KB

          MD5

          4b264b356fc1518c56909909d7b8c51a

          SHA1

          0f0c4cf4d2e7e1f7c08f9a3dfed84ca024339c83

          SHA256

          01847490a916e479f4be1809b77243b5a6d12e024b80c7aca8cc850325bd5c1a

          SHA512

          5c11168bd2c16cc58b7940a7dc7186851103685ff57ded3daee933ea8e57d21e0d22337206d9a045d7b69ce2871b0d01735586668a18dbe68d97e21838cc8176

          Download Submit

        • memory/1608-282-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1608-395-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1608-178-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1608-187-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1608-180-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1608-176-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1640-58-0x00000000005B0000-0x00000000005B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1640-2-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1640-143-0x0000000001B90000-0x0000000001B91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1640-38-0x00000000003E0000-0x00000000003E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1640-149-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1640-154-0x0000000001C30000-0x0000000001C31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1640-186-0x0000000002560000-0x0000000002561000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1640-151-0x0000000001C20000-0x0000000001C21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1640-145-0x0000000001BA0000-0x0000000001BA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1640-146-0x0000000001BB0000-0x0000000001BB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1640-147-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1640-4-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1640-14-0x00000000003C0000-0x00000000003C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1640-68-0x00000000005C0000-0x00000000005C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1640-26-0x00000000003D0000-0x00000000003D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2624-407-0x0000000000400000-0x0000000000403000-memory.dmp

          Filesize

          12KB

          Download

        • memory/2624-392-0x0000000000400000-0x0000000000403000-memory.dmp

          Filesize

          12KB

          Download

        • memory/2684-391-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2684-561-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download