Overview

overview

10

Static

static

3

437059b382...cs.exe

windows7-x64

10

437059b382...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-05-2024 00:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    437059b382e4dea5f0bb27c988d1f040_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    437059b382e4dea5f0bb27c988d1f040

  • SHA1

    bb20aa51489dab0338c3f04db7aeee038bd2a387

  • SHA256

    727066fb55f328fb92f99d0134414d164e078d56cd25803fa5c4721c456ae683

  • SHA512

    6d6e57e911700ddb38f0bfd120d84da30624836bec92b2881edf5827af4ffbd95f25eeb3e8fd6e8a7cfe7c6129f0b62fa3688ff301e3dfe8dcc0abac14a43e9d

  • SSDEEP

    1536:zAwEmBZ04faWmtN4nic+6GUAwEmBZ04faWmtN4nic+6GU:zGms4Eton0UGms4Eton0U

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\437059b382e4dea5f0bb27c988d1f040_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\437059b382e4dea5f0bb27c988d1f040_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:900
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1520
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4192
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1076
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4268
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1640
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2616
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    341d69761a7872e5b713489e430a5bf4

    SHA1

    82035c50fcf0fded460a3f69f3c4b85e37e4e408

    SHA256

    110174f473391b39b826c788a58fc92fc2d2a92aee90755d24401d303933c845

    SHA512

    5790ce7f135a52b74095bec9f902d40b782f66defcaec16987762d4a635114e35798a5a867b134d7d65a1b7a38e4c746708fccb910919d1b7aca693ad2ebebc7

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    437059b382e4dea5f0bb27c988d1f040

    SHA1

    bb20aa51489dab0338c3f04db7aeee038bd2a387

    SHA256

    727066fb55f328fb92f99d0134414d164e078d56cd25803fa5c4721c456ae683

    SHA512

    6d6e57e911700ddb38f0bfd120d84da30624836bec92b2881edf5827af4ffbd95f25eeb3e8fd6e8a7cfe7c6129f0b62fa3688ff301e3dfe8dcc0abac14a43e9d

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    425f864650ce8da95b372d8caf88e2f5

    SHA1

    12b9f268d45aa719a2d4e82fc0eb7335b92acf45

    SHA256

    ff62d8e5af4f3f9cc9a64ed928b50f74a483dee3c612ecda84dea4fe4fed18e5

    SHA512

    094403512d2bd4db58d02e96dee27b8f01f00ca3f4092517c3c1c69a08a36a198130ceadb94305e677e8e1f02f3bb3d77f19038f6ec429800ef6cef352d82163

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    46f9f1243c75f30c550be2d04f2abe24

    SHA1

    c89925ce81a6a33c191fba88d076865fe8d1e59f

    SHA256

    574e973106c0e5e5e1fa9f2676d8a8c09344b6e0017c55bfa0ac57961b8a467d

    SHA512

    5d9f65cf091cc5fb132f7364264d1fa3542bf1c6b5b62be330f906c0f02615e589c071ddbebde6b0e59c6984b2234dc92647c9e98639e8146740b91d7f76afd4

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    ebdc12f2781858aa8cb96f1b5fc8a812

    SHA1

    34faff2bc4ba7eaafe57ad885fbfbc09d934816e

    SHA256

    c664f71d1839a50a01463299cc9b1fc9da3bdfc92f468cb3d54aa7640ecb898f

    SHA512

    f5fb975d897e31356cedfc95bf6f05c71bb6c2628e1770f33a7fbaaa7e5d388ce1acfbf2816ab5f84b776402eec3c0c7705106e5ec45b0b85589ca3b4cf7b197

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    3422714035198ba7387b32f8e13b9ade

    SHA1

    70ebc128b0d9ef908503de3e7e2e99cd3dd03335

    SHA256

    df555c11e6a6ad8edc780bce99b8e91ad13ada9a5bb583cab5f63e4d3f94123a

    SHA512

    6f416213ae6a46f5e8b671abb5b720d3b81df3d195760405a68e80e3b7a6008acb32eecdc2613590feeeb8bd55946b317cf5447d441a13634a3d6fbf076c149a

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    e3a77f0c8f2d89e69dee36a13736f8a4

    SHA1

    29ff993ff7e562101e5887104e57cd4ce0d31a68

    SHA256

    ca6e813bd3aa415a0ec699696dc56f642cf494e45a1d4cbe8078e6d04c389943

    SHA512

    40bab3a4d11e7805631bc95f9feebd60c90434ecf00c201741aea733177d72014821c6beba21722f0a94e2c161d72e31096a99722235605753ae7208590b1ef1

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    2dfef8b2093da8f6a1251948193a6067

    SHA1

    3218da4df5784c8c91e8b322c1245ca2cc88937d

    SHA256

    2398dcd4bc8254a7aa75a6a5dac8463940bf534153210aa1fe0514871c8a47c5

    SHA512

    6b5f0583a9d1afd616b8242f8b35fe1bdd1cebf6cc39a5e17755f1b6bcabd095217ccadb9696a3854782fa8d8d8e26bc3760f14ebe6e58fb99aa372248af9aa7

    Download Submit

  • memory/900-154-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/900-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1076-123-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1076-126-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1520-112-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1520-108-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1640-139-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2616-146-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3828-153-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4192-119-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4192-116-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4268-133-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4268-130-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download