Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/05/2024, 06:36 UTC

General

  • Target

    989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe

  • Size

    70KB

  • MD5

    989fd0fecf41082be0bc25212a75df60

  • SHA1

    6b8acab7534d300aa556924727b60a01fcfe6040

  • SHA256

    09bcd9ecea937d2453fec8a467ab0b661de87c201f88a90e03b765db262a054d

  • SHA512

    994068fa1f3de8ad9d471b54cf26b0bcfecca32ad5954d72a8ef826690ba467f543de084aca7cc0d9072ce50fd1079a7049a1b414a83ad7caaeda6be59941e78

  • SSDEEP

    1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8D:Olg35GTslA5t3/w8D

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Sets file execution options in registry 2 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1200
        • C:\Users\Admin\AppData\Local\Temp\989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2264
          • C:\Windows\SysWOW64\ougfoateat-eamoot.exe
            "C:\Windows\system32\ougfoateat-eamoot.exe"
            3⤵
            • Windows security bypass
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2200
            • C:\Windows\SysWOW64\ougfoateat-eamoot.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2616

Network

  • DNS (US)
    gewdbb.nu
    ougfoateat-eamoot.exe
    Remote address: 8.8.8.8:53
    Request: gewdbb.nu IN A
    Response:
  • DNS (US)
    gewdbb.nu
    ougfoateat-eamoot.exe
    Remote address: 8.8.8.8:53
    Request: gewdbb.nu IN A
    Response:
  No results found
  • 8.8.8.8:53
    gewdbb.nu
    dns
    ougfoateat-eamoot.exe
    55 B
    125 B
    1
    1
    DNS Request: gewdbb.nu
  • 8.8.8.8:53
    gewdbb.nu
    dns
    ougfoateat-eamoot.exe
    55 B
    125 B
    1
    1
    DNS Request: gewdbb.nu
MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\edfegear.exe
    Filesize: 74KB
    MD5: 863a04f83a9758d1b14a40e184411197
    SHA1: 613304999d20f82a83e67b47c22482d9e628dd06
    SHA256: 1908d8d42eefd37aae75078c842583eac104303c83f4a540a1bd90f5f95fe59f
    SHA512: 5424183d9ea7ea57b367785cfa374b5aecb837727aefbc3ea4dfa93d4fd328a31e86aa26a6ffbb461dc08ff2558cc4e2a20999a59c2800cb96cbfb39277725e6

  • C:\Windows\SysWOW64\ilxenoak.dll
    Filesize: 5KB
    MD5: f37b21c00fd81bd93c89ce741a88f183
    SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
    SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
    SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

  • C:\Windows\SysWOW64\ubgoapik-ouxom.exe
    Filesize: 73KB
    MD5: e7d52e2a928ebbacb7eeabffc33ab978
    SHA1: 4be7c9cd8ecde611e288ab13fb30826f782ef2e1
    SHA256: 26cc512b724477a9b999f5014a030a08a5087cad74ad59f0f973de43bda77bf5
    SHA512: 135102b6b922ca52f62646c97d2a09c0ca65eb1f6582e6fd2ed69158944942477c0a97f389b1de6c6156b48b45b66470a45e3942aa30d519a273e675b990bf6d

  • \Windows\SysWOW64\ougfoateat-eamoot.exe
    Filesize: 70KB
    MD5: 989fd0fecf41082be0bc25212a75df60
    SHA1: 6b8acab7534d300aa556924727b60a01fcfe6040
    SHA256: 09bcd9ecea937d2453fec8a467ab0b661de87c201f88a90e03b765db262a054d
    SHA512: 994068fa1f3de8ad9d471b54cf26b0bcfecca32ad5954d72a8ef826690ba467f543de084aca7cc0d9072ce50fd1079a7049a1b414a83ad7caaeda6be59941e78

  • memory/2200-55-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB

  • memory/2264-10-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB

  • memory/2616-56-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB