Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/05/2024, 10:23

General

  • Target

    b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe

  • Size

    135KB

  • MD5

    b2649969cea620ec40e625af91a7c100

  • SHA1

    d4808aeebd7c08c14ecdbf28bd509d1f1cf0aeef

  • SHA256

    2c9cdf610d7ca1a0fe5012ce4d1e892bfc75060965473a5997fb9b5943cfffad

  • SHA512

    60fe3a879623bce6e2647698f31c59e606218e74199f7f0298fd989287d91bc1052b82d4021d7b0c9da63e9f343546946350a01652b0073cca80fefa47e21884

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVE16tZi:UVqoCl/YgjxEufVU0TbTyDDalni

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4560
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2972
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2312
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5020
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4204

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Windows\Resources\Themes\explorer.exe

          Filesize

          135KB

          MD5

          612e47efefe6db86d4b82bf03e19930f

          SHA1

          b11c950ba397e210da5be4ea0cb85e82d42d2630

          SHA256

          bce25edfbbcf87be7fc5d4ac328813c4da1cb047d397aafcb977aac0d9e1bb84

          SHA512

          fca821422b0f2c57f016d8e820b991b5eaba7eaab65764f69192b81b96192d87414b4008820b612f366d149a899cc3f82466f67f200dfed1cce9443c9a1c11d9

        • C:\Windows\Resources\spoolsv.exe

          Filesize

          135KB

          MD5

          f1cb45b782cf772160e3b587218e45c6

          SHA1

          993df975ac87e34ade127fb67a99c1c4b09b4260

          SHA256

          bbe5a0e2dedb062ac5f27ca369d5c96788f21e322724d087d0a0f459c182b6a4

          SHA512

          348dd4dde6e954ff88a44627ef6559f980e4b7e2a0e15d6c727265fd7a993b9f6c8b9329530c92db2d92e01f04d6a47b0ec7ccc741aa1e799f00d48e4401e851

        • C:\Windows\Resources\svchost.exe

          Filesize

          135KB

          MD5

          1c41f22562d70dd8f36d98fe858a2815

          SHA1

          f5885e65babae369ba8442c4c4e648b106656ca1

          SHA256

          809202f5e4e9f9166bbc813f54edb3a0c08f61daa75c97efd49d7b710194e18d

          SHA512

          81d878c9baf6059587b8b83d500cc3a1d73b2a956eeb61c2eb34328a4bdb358f34ce3cf64e2cc1a0bbfeee5f0f595e64dbf1c1492910717c0799999ef6d5b506

        • memory/2312-34-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/4204-29-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/4204-33-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/4560-0-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/4560-35-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB