Overview

overview

7

Static

static

3

673460cb01...cs.exe

windows7-x64

7

673460cb01...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/05/2024, 04:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    673460cb019bf118be3aa48638bc9e80_NeikiAnalytics.exe

  • Size

    84KB

  • MD5

    673460cb019bf118be3aa48638bc9e80

  • SHA1

    0fa38e4d9161d3bc7515c95ad36bb341b4b4008c

  • SHA256

    43d44636eb3b4b9d6e6f5869c9fe95f427448200a7d491307618339ad9948711

  • SHA512

    2c8d7837255e9d97a7e4ce26da73e96599da9f2e3f851aa99b7d01019ac3b8323c6c0a4236307e036a59101fd9bc1280e316032f4c1dac3e835b6b85005baca6

  • SSDEEP

    1536:1clIGFNMi+hJUneHoGTvvv4V9hqdhbtgS:+RMi+fUnCTvvv4V9hEhbCS

Score
7/10
persistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\673460cb019bf118be3aa48638bc9e80_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\673460cb019bf118be3aa48638bc9e80_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Users\Admin\AppData\Local\Temp\673460cb019bf118be3aa48638bc9e80_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\673460cb019bf118be3aa48638bc9e80_NeikiAnalytics.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3544
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AVTRV.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3100
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Audio Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\lsass.exe" /f
          4⤵
          • Adds Run key to start application
          PID:2952
      • C:\Users\Admin\AppData\Roaming\system\lsass.exe
        "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Users\Admin\AppData\Roaming\system\lsass.exe
          "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1524
        • C:\Users\Admin\AppData\Roaming\system\lsass.exe
          "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3716
          • C:\Users\Admin\AppData\Roaming\system\lsass.exe
            "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            PID:1820

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\cxz.exe
          Filesize

          294B

          MD5

          1bbf5baae6056279e2cc23fbaf3eb3b3

          SHA1

          0c3f809762e62da5b8cbe9a8df6c43ed600ab42b

          SHA256

          278d7736fb655bff9e61f7246c1fdc962653f264508666ec7d5ed7af2f1af57e

          SHA512

          8345819ee9ddde611d60122ab93f1c5d722057c8a647149bc30a8756db685920e5b47d57536ad20732fb846f0e99bfb435257404e0a7245ee9dc357609c678c3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\AVTRV.txt
          Filesize

          146B

          MD5

          c8cba0a9d4d5600b5f53c4c0681d1115

          SHA1

          0e5348e210ca70b2b0ffdc3ff7e6f611716df80c

          SHA256

          ca2b63f6d7bf17480415ae93e115bf9f9699335e84e62719eefdbcc5a78bd2e1

          SHA512

          a2ad6eb5ae2f6d57ca15363ac2f0c57ca3580474e94b9c010750948814cf4d5ffa0c3e7ef44634a3593da23f56011703ff220a3d7780f6f01785bf3b6676ced0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\system\lsass.exe
          Filesize

          84KB

          MD5

          8418df54a99adaf00017620d73bbe922

          SHA1

          318190bcfafba5cf9b65c0037d69eb36f4b9aa0c

          SHA256

          5a2202e4ab3e3a5679af54264b578131f9aab6b120c8f7553bad513464b6bcde

          SHA512

          ae7c8158b668d268fcb084e71dae223024ac45de114bd18436fd54e04a8fd74c0e89d695d8ee1e30654c24c3e7c53d35fde3cb84e81ca2060deb77352fdbfbdb

          Download Submit

        • memory/1524-91-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1524-56-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1820-89-0x0000000000400000-0x0000000000404000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1820-67-0x0000000000400000-0x0000000000404000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1820-62-0x0000000000400000-0x0000000000404000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2056-55-0x0000000000400000-0x0000000000415000-memory.dmp

          Filesize

          84KB

          Download

        • memory/3544-61-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/3544-2-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/3544-16-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/3544-42-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/3544-15-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/3716-57-0x0000000000400000-0x0000000000403000-memory.dmp

          Filesize

          12KB

          Download

        • memory/3716-64-0x0000000000400000-0x0000000000403000-memory.dmp

          Filesize

          12KB

          Download

        • memory/3716-58-0x0000000000400000-0x0000000000403000-memory.dmp

          Filesize

          12KB

          Download

        • memory/3716-51-0x0000000000400000-0x0000000000403000-memory.dmp

          Filesize

          12KB

          Download

        • memory/3716-47-0x0000000000400000-0x0000000000403000-memory.dmp

          Filesize

          12KB

          Download

        • memory/4708-9-0x0000000002190000-0x0000000002191000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4708-8-0x0000000002150000-0x0000000002151000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4708-10-0x00000000021B0000-0x00000000021B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4708-11-0x00000000021D0000-0x00000000021D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4708-13-0x0000000002A50000-0x0000000002A51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4708-7-0x0000000002140000-0x0000000002141000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4708-4-0x0000000002100000-0x0000000002101000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4708-5-0x0000000002110000-0x0000000002111000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4708-6-0x0000000002120000-0x0000000002121000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4708-14-0x0000000002A60000-0x0000000002A61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4708-12-0x0000000002A40000-0x0000000002A41000-memory.dmp

          Filesize

          4KB

          Download