Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/05/2024, 09:15 UTC

General

  • Target

    b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe

  • Size

    77KB

  • MD5

    b972c00bf289a05a128a74d75f723c20

  • SHA1

    38d43b1bf3f39b04a50a89776bb1b14961a6a4e4

  • SHA256

    6d9f005b96f1ce8f3c0b009b36137155fb9e0eef124ee9be9c8575692837b91e

  • SHA512

    91ec22d0c55f01dd78f5968d90ce25c96102fbf4843e60da3e39ad8ff2ba4ce59706d95e4ebf247d90a3b4ee17f589f43c1b4ac35b1bb7e17c779f68ac8e4078

  • SSDEEP

    1536:ekeK40T/mx7y9v7Z/Z2V/GSAFRfBhpVoK5:FD40Dmx7y9DZ/Z2hGVkK5

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 4 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 21 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1964
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2688
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2724
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1912
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2592
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2588
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1636
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3036
      • C:\Windows\SysWOW64\userinit.exe
        C:\Windows\system32\userinit.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2284
        • C:\Windows\SysWOW64\Explorer.exe
          Explorer.exe "C:\recycled\SVCHOST.exe"
          4⤵
            PID:1660
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2228
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2220
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.doc"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:328
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:608
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
          PID:2512

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Recycled\desktop.ini

          Filesize

          65B

          MD5

          ad0b0b4416f06af436328a3c12dc491b

          SHA1

          743c7ad130780de78ccbf75aa6f84298720ad3fa

          SHA256

          23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

          SHA512

          884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

        • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

          Filesize

          1KB

          MD5

          0269b6347e473980c5378044ac67aa1f

          SHA1

          c3334de50e320ad8bce8398acff95c363d039245

          SHA256

          68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

          SHA512

          e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

        • C:\begolu.txt

          Filesize

          2B

          MD5

          2b9d4fa85c8e82132bde46b143040142

          SHA1

          a02431cf7c501a5b368c91e41283419d8fa9fb03

          SHA256

          4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

          SHA512

          c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

        • F:\Recycled\SVCHOST.EXE

          Filesize

          77KB

          MD5

          e4c8bd2e0baa0afb643b654d356c8d58

          SHA1

          a266a14f0e0041bbc6087eb8401a562381f29f72

          SHA256

          54d20cfcc9d323c038bca7ebd71cb8ba365d8fd976c5d6ebb670ab28ad8e5b4b

          SHA512

          546d16eb6f1e8d4d234b044b55e2397858b5aee6b8478fe13bde96c6ad395ba15f1a2ce3ca30eaeaffac52f5d2c76391f4fdbdd2ad013d447c8c00e1d867d7a2

        • \Recycled\SPOOLSV.EXE

          Filesize

          77KB

          MD5

          ac2bc019a89fe4f0a3d23fde54d1b63f

          SHA1

          059b48338f817b6c5fa74f291595ff0653d0f479

          SHA256

          045352165bd8edfd81aa8d083fb488694558efa423a3339738c20c700af97815

          SHA512

          4703691e3c40982369b514992f95bdfd1fda74eb4adf3462c0ee37182311265762d39028d74f6c3d6cd9e91244b468f080737fba88ea937c1953e3c7fa0e9d00

        • \Recycled\SVCHOST.EXE

          Filesize

          77KB

          MD5

          4f3f7d2325fb7be3d0fd040b90e4a4b0

          SHA1

          b15e7e4dcd2fd570972c9f5c2c8de7901109352c

          SHA256

          d38c7afc1af19e34f541f3e277fa37cdecf5ccf98d4f8b3f65b9f2c1d639f65f

          SHA512

          3449765e4df42a2436e4c212ef19267d2d64a159c1633505866e6bbfb6b45b75e99193cf01461dd1015988f362b52429a55148734109ffc0c8e2ec41a24aa7a6

        • memory/328-108-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/1636-86-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/1636-85-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/1912-61-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/1912-70-0x00000000003D0000-0x00000000003EA000-memory.dmp

          Filesize

          104KB

        • memory/1964-34-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/2220-104-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/2228-99-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/2440-17-0x0000000001D60000-0x0000000001D7A000-memory.dmp

          Filesize

          104KB

        • memory/2440-23-0x0000000001D60000-0x0000000001D7A000-memory.dmp

          Filesize

          104KB

        • memory/2440-106-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/2440-0-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/2440-105-0x0000000004760000-0x0000000004770000-memory.dmp

          Filesize

          64KB

        • memory/2588-77-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/2588-81-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/2592-72-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/2592-74-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/2660-42-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/2660-53-0x0000000001C00000-0x0000000001C1A000-memory.dmp

          Filesize

          104KB

        • memory/2668-41-0x00000000003E0000-0x00000000003FA000-memory.dmp

          Filesize

          104KB

        • memory/2668-24-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/2724-58-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/2724-52-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/3036-92-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB
