Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-05-2024 23:23

General

  • Target

    420f9d09781da5efa88c07bc6464c350_NeikiAnalytics.exe

  • Size

    170KB

  • MD5

    420f9d09781da5efa88c07bc6464c350

  • SHA1

    e484e30648fd498b28128ed8145e5164c80a1b8f

  • SHA256

    7e14114a882e13f10fc3dba19d4f70f4c804f34584fcd816e92ff54764b44fee

  • SHA512

    ed1dcced5a5db08e0037570fd27482685c3e832383cf07a5bf80bd0bd703d0a82c4f5a60198324d477a7eb0445b9f474493b074fcbbfce9dd83d27aede6c37a9

  • SSDEEP

    3072:s/JpOm5axh63laEo+pXX1pQD2UCohD8mxLCj+5cmeDye42L712xrpdJ8xLeb7Ux:sBAm5oh63laEo+pXX1pkF8mxeq5+4m7D

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 9 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 14 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 62 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\420f9d09781da5efa88c07bc6464c350_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\420f9d09781da5efa88c07bc6464c350_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Maps connected drives based on registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\ProgramData\UserRuntime\cwrss.exe
      "C:\ProgramData\UserRuntime\cwrss.exe" 1
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Users\Admin\AppData\Roaming\UserRuntime\cwrss.exe
        "C:\Users\Admin\AppData\Roaming\UserRuntime\cwrss.exe" 1
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2528
    • C:\ProgramData\UserRuntime\cwrss.exe
      "C:\ProgramData\UserRuntime\cwrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\ProgramData\UserRuntime\cwrss.exe
        "C:\ProgramData\UserRuntime\cwrss.exe" 1
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2704
  • C:\ProgramData\UserRuntime\cwrss.exe
    C:\ProgramData\UserRuntime\cwrss.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Enumerates connected drives
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:348
    • C:\ProgramData\UserRuntime0\cwrss.exe
      "C:\ProgramData\UserRuntime0\cwrss.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:2152

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\UserRuntime0\efekmu\kacavahe.sys

    Filesize

    5KB

    MD5

    6f18a8372fe024f667ff085a8ab3e246

    SHA1

    81a93d7a61f46971d1ab8482cb4f22fdaad4ca18

    SHA256

    bd21e34c1e41d7e4e021f85b6b3015128772ffb12773319b93d6acf73c7f87b5

    SHA512

    5d12ab301f38553faf0e193e468656793323d784535957f225b7739c510d384065101b879caa9a5cb005ea0766ef6f49424bd2a8b2c7ffb41e085c11b7b75d14

  • C:\ProgramData\UserRuntime0\efekmu\seetdinao.sys

    Filesize

    8KB

    MD5

    5df70b76f85207fd0cdf9c6904effc82

    SHA1

    c796550ae851d5cee01483ae5a52133ffe7d3f19

    SHA256

    067d8d6fb8dc38fe07da11942800867f3ab18a3248bad58be1eae1c954628c96

    SHA512

    5631a578b6bc9b76833315d5594891c45cd9fe0f334638d912056726fe14d9f6ef62129df24fe578c1161fe55e5eb5e6df179660cc8f2be3949d6956a9650f9f

  • C:\ProgramData\UserRuntime0\exosnatoce.cat

    Filesize

    5KB

    MD5

    e8e830b1b80ebbcc8d8ac4127e3be313

    SHA1

    8e51e5e52465f2207f3a65ffe895cca99f1c9bbd

    SHA256

    60827d88d78aae0d35f03f1b2fc24f3cc8a63b7d6ec586ab73e7a4e198f471b7

    SHA512

    ef184414e4a4429eec64c665d87acddf4fecb2898104a5013c470ae37ef70b67f055d048740a890c3aa113a8a0dccc2d8a75fd205ec7ac03332683b2e1010518

  • C:\ProgramData\UserRuntime0\isreumt.dat

    Filesize

    3KB

    MD5

    0b6ba53370ee3f15d8e993d07812383f

    SHA1

    314035c95fcb3034060e922431bc5afc83ac6aee

    SHA256

    bc254212fb9d0237f6fa4a571ac52141285380f4d4e8999b55ecc73457546a21

    SHA512

    8c945b247a231221f647dbd6444edaa71b2f6cf2762fef4feda3f637a2cd9e882063a43c1a69568c89996b5fe20c8890476a9b8bd694435dcc013b6379665114

  • C:\ProgramData\UserRuntime0\ovpeiteci\biviga.drv

    Filesize

    6KB

    MD5

    4f510d097259d222e495d190ca06f579

    SHA1

    ac40f386c36d3ca90e1aa1e1930074d563bad5f2

    SHA256

    672b42b06048331e5c46434f1763f53c90de13140a8f25575b44ffbaec74db9d

    SHA512

    4d71c692727a78748beb4fafee9b89386648edf99f6de948ce004dd7391671b93ef7945a9d891f3461675d16a3774eac1e8a75ad492684051db79c2c3ae8d41f

  • C:\ProgramData\UserRuntime0\ovpeiteci\erotle.bin

    Filesize

    1KB

    MD5

    fcc09bd8f15d34a896514a052bb25754

    SHA1

    affb99203ad50581f970ba77217c2af969c60e4d

    SHA256

    f215651591e9ff2e253db2a69160b2cc5905d3881917a1f9a946248c133120cc

    SHA512

    7c97ec3f0c02ff18262ba2ce9b7b0fd8efed16d1302392b61093f437ded2205f60625682e43f56e47afaca25cace6e0b0f2bb03ad0d12ed4e6d33e99f66a2b46

  • C:\ProgramData\UserRuntime0\ovpeiteci\otasa.dat

    Filesize

    5KB

    MD5

    3c658cf66d5a242480f0e74510166e8e

    SHA1

    3493e433fa910ed1ff098f52eb6b6828cc5f09f5

    SHA256

    0c9761bf01cbecf8bf504121cf2428efd2081dee6c6ccf78a37bf0b39f9e0910

    SHA512

    c651efc1e18b0ad4d40a67f821a54997afbe6572112fe143becbd8504df61cb529e8eb1e33fc2938f1df8f8786c458951d61768dc678c3346c299ca0caeef6cf

  • C:\ProgramData\UserRuntime0\ovpeiteci\wir.dat

    Filesize

    9KB

    MD5

    dc0c42b205eca060419d36e4ee999712

    SHA1

    fb0ca2ae005328632969c4fe471f34346ce3decd

    SHA256

    4812a949293a758b6d98d4bd801fb50ffc99952100d105a7084ba2f5e63cd30c

    SHA512

    3f5eeb3e35fea308e96584adffcbc1326f19249348db20557c4514cf7da099483bd99e459c13ff10f07812320fd9c2f2ef60f4434d3554469ff281db3b14f800

  • C:\ProgramData\UserRuntime0\oxur\guosacveqi.bin

    Filesize

    1KB

    MD5

    eadee44e05f414d03944c6c0c7fd25f3

    SHA1

    b5fde399062668b2394a2fc570d9126a19044f09

    SHA256

    a58e646b5eac48c6b394661965b8517051ee3c3c605548d42b34a2e51a35bd27

    SHA512

    2021ee20938be55b4da16331e89edc3a5cc0bdb9d32cda0a8c6904829ecdc1add67f2830d834dd666d74bff05c39a920bec5c2cb6158e623b1751fbb5bdc7579

  • \ProgramData\UserRuntime\cwrss.exe

    Filesize

    170KB

    MD5

    cd1af848c30a7cde45f58efe6f0d8996

    SHA1

    88a176e33be49187e109e389e064290fe8d3908a

    SHA256

    a4b8acb75235b2fdb50ef876eeaa28f6db23536075aeaf235842beb3cf1edf9f

    SHA512

    743224ac3e4155083e3801dd6c15df869ffc97ee1448fae0e1fa35d5c2a1c488d5070567e1a80ce679d2662da7357dcc4dfe69604e1bc1981e000fb4fc852709

  • \Users\Admin\AppData\Roaming\UserRuntime\cwrss.exe

    Filesize

    170KB

    MD5

    7c9294ec5bda10217eb2428a2cb7cd10

    SHA1

    14d72a5eb63e967c435aa0bf35c6d190350f275a

    SHA256

    b7da7170ca057aa3be883c1879fa20bfe5d7c243b5c5dc67910c1f1edd4ff332

    SHA512

    7f008c3e878ce1b40428de6ccf239341d0517d6832c6c78e72700ed7999cf566dd993b6c996aa00239b4099accc55bb08e39d70d2fe696ebdfa45f5816be6f0b