Overview

overview

10

Static

static

3

437059b382...cs.exe

windows7-x64

10

437059b382...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 00:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    437059b382e4dea5f0bb27c988d1f040_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    437059b382e4dea5f0bb27c988d1f040

  • SHA1

    bb20aa51489dab0338c3f04db7aeee038bd2a387

  • SHA256

    727066fb55f328fb92f99d0134414d164e078d56cd25803fa5c4721c456ae683

  • SHA512

    6d6e57e911700ddb38f0bfd120d84da30624836bec92b2881edf5827af4ffbd95f25eeb3e8fd6e8a7cfe7c6129f0b62fa3688ff301e3dfe8dcc0abac14a43e9d

  • SSDEEP

    1536:zAwEmBZ04faWmtN4nic+6GUAwEmBZ04faWmtN4nic+6GU:zGms4Eton0UGms4Eton0U

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\437059b382e4dea5f0bb27c988d1f040_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\437059b382e4dea5f0bb27c988d1f040_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2460
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1036
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2556
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:328
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1576
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1492
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1516
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2036

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    d2e593b9aa6ce43a463bc98ad1eb9237

    SHA1

    f6698268b43889115999aa02bef7cc4b09f42a4e

    SHA256

    2baa00aa671337b46214b3ef8558c14dcd62d70b14c55f2674a47e305bbe27b7

    SHA512

    de4899fd7715cdd28d651e878e50b70e16db0e5ea11a0c4f5d6e808f94acc7110d0303aa8d3bcd77055cdb0defbdfba4c6aceeb5733619024b594b7c0c7f938e

    Download Submit

  • C:\Users\Admin\AppData\Local\services.exe
    Filesize

    91KB

    MD5

    437059b382e4dea5f0bb27c988d1f040

    SHA1

    bb20aa51489dab0338c3f04db7aeee038bd2a387

    SHA256

    727066fb55f328fb92f99d0134414d164e078d56cd25803fa5c4721c456ae683

    SHA512

    6d6e57e911700ddb38f0bfd120d84da30624836bec92b2881edf5827af4ffbd95f25eeb3e8fd6e8a7cfe7c6129f0b62fa3688ff301e3dfe8dcc0abac14a43e9d

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    8bb9c7fba18e692518e03c828692a7c1

    SHA1

    78972266c48f68a8b8c2b40d96a2b481aac72715

    SHA256

    39c9d66468d30c830112022cd28a76fcc20fd9d8c8ba77a9b921ed6b31ef0271

    SHA512

    67ac6d15730723b255db2404be2f4ab76581aa5fefd8f1dbe6d674c9b5c10470644b93c0d9bd3aa5ca24e91873a9cbfedae4050e63335437a75908b8ebdf4ab0

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    5c10b638d06466d4e7082e7a24a5c82d

    SHA1

    d7b40a77d37f7f628fe11917a2fea439daa881a8

    SHA256

    f5c2b6d56df85739958e5e8c594d6fc15b189162176fd1bca3d3153d6ca90367

    SHA512

    4b7d6bc655dfd8f508a01daf5d3dfcf701eac3de205862f03658d593c3dbe0024965df87f5eb77e675d9892fa6054384a0bf945a72753e24d5a4ba3e8e059eec

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    8455ac317d9c1bfc04f0dc8fa318579c

    SHA1

    7e575f96267a8d1609e64fda5e89da4d11189806

    SHA256

    38b7286702d285f0a8987e479b6b1c02b5746eec571a04ac511b351a1439e6ca

    SHA512

    b8276ec8c166e317cba84f74a4c67e7393b5f85e34a30d920a07184883fc7df44b71248477e0108a2330c9f456bb0cff8d63e90c191fe89db58a40553d64bb74

    Download Submit

  • memory/328-138-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/328-135-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1036-110-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1036-113-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1492-162-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1492-159-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1516-173-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1576-150-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2036-184-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2036-187-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2460-121-0x00000000004D0000-0x00000000004FE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2460-188-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2460-181-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2460-170-0x00000000004D0000-0x00000000004FE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2460-146-0x00000000004D0000-0x00000000004FE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2460-108-0x00000000004D0000-0x00000000004FE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2460-158-0x00000000004D0000-0x00000000004FE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2460-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2460-134-0x00000000004D0000-0x00000000004FE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2460-133-0x00000000004D0000-0x00000000004FE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2556-125-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2556-122-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download