Overview

overview

10

Static

static

3

181b778786...cs.exe

windows7-x64

10

181b778786...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15/05/2024, 18:55

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    181b77878679f64e7030a4dc01ca7270_NeikiAnalytics.exe

  • Size

    45KB

  • MD5

    181b77878679f64e7030a4dc01ca7270

  • SHA1

    8c3b098f7d98f5c170a661d16e721827e4a4a95c

  • SHA256

    6e53b9f2815729e1ca27c32fc92dc60301e35c02ea74c7c89bcbca01bc4314eb

  • SHA512

    c1a92a45683444b779d4ac8e60b2463e95276101848facdada0dd9dbbf6f3ba8e12055e2da1fc3ae05e92efbca12e44102690077f9c27781e7be076f73da3066

  • SSDEEP

    768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nED:8AwEmBj3EXHn4x+9aD

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 20 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\181b77878679f64e7030a4dc01ca7270_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\181b77878679f64e7030a4dc01ca7270_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2032
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2444
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:772
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1636
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2000
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:560
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2700
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2164
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2976
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:900
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1280
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2752
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2948
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2076

Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Event Triggered Execution

        1
        T1546

        Change Default File Association

        1
        T1546.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Event Triggered Execution

        1
        T1546

        Change Default File Association

        1
        T1546.001

        Defense Evasion

        Hide Artifacts

        2
        T1564

        Hidden Files and Directories

        2
        T1564.001

        Modify Registry

        7
        T1112

        Credential Access

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Inhibit System Recovery

        1
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
          Filesize

          240KB

          MD5

          a0e8024c31fc125b4208c1388833f8dc

          SHA1

          e829c9cb72bd6b3c6bedc0e3b886c9fbe6e84bc8

          SHA256

          3ad9d0fabb8744a76eddcf97c190bf8aeb68de6f1d23f87899bebecad88a451c

          SHA512

          87ea571be01336a531a95a464ce3c006ee6e788f4ccfd1e02724cffe15583652efd894dc8f3bc9b2757b3bb5b811161ce4d5771fc5fa7de93ba36bddb3f0dc64

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
          Filesize

          1KB

          MD5

          48dd6cae43ce26b992c35799fcd76898

          SHA1

          8e600544df0250da7d634599ce6ee50da11c0355

          SHA256

          7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

          SHA512

          c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

          Download Submit

        • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
          Filesize

          45KB

          MD5

          7805852e7ac8b41f5d71959e6190556f

          SHA1

          523cab3ad8541a186da1a52a557509030c2f3739

          SHA256

          08f02ca4c8a124ac14ea563b5ba8dc537cdda13c8d7bfdd11556c1d6dccd01cf

          SHA512

          9b89c6f8285f393e0042973c35e53b434288f51bacd7834ab9b8f927423758fbef5645bbb82a8e2214076c21318a02aef31e12ec1d10be1e436d9ea1561f097d

          Download Submit

        • C:\Users\Admin\AppData\Local\winlogon.exe
          Filesize

          45KB

          MD5

          181b77878679f64e7030a4dc01ca7270

          SHA1

          8c3b098f7d98f5c170a661d16e721827e4a4a95c

          SHA256

          6e53b9f2815729e1ca27c32fc92dc60301e35c02ea74c7c89bcbca01bc4314eb

          SHA512

          c1a92a45683444b779d4ac8e60b2463e95276101848facdada0dd9dbbf6f3ba8e12055e2da1fc3ae05e92efbca12e44102690077f9c27781e7be076f73da3066

          Download Submit

        • C:\Windows\xk.exe
          Filesize

          45KB

          MD5

          3fa886270bc3aeca17496f0c3af357ff

          SHA1

          8e10e27e9d6eb3b931dce733d37924268daf0f13

          SHA256

          c0c5fc820030fe9dbf6d89e5e106a73646bf2d059fd98d4d3b490eebee7e3465

          SHA512

          9e248c3fd62382d1a471f052936c28999bef193c2a4d5f6fc69d4ff507e1605fd8a1c5f396b26e1f779b67daa72c4161c2863d424a18370c3311647a2ba808fe

          Download Submit

        • C:\Windows\xk.exe
          Filesize

          45KB

          MD5

          09121039fc29e4ed03dce3659b2604a6

          SHA1

          3d680a0124335c5fca50ff3135f0bbad12a28cb4

          SHA256

          955db1fc712f34b5ce8a97fc33cc407acb2177f4d27c8ae1ff11f22802497a0b

          SHA512

          63ad1847cb49dedaaf53d610d7c7fef413836173f6967c8d1831a19006a84824d8b6aeb3152e0b9ed7c4d75e62e73c07102f45e33f881ef893f9fb13d02dd599

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
          Filesize

          45KB

          MD5

          1dadbf9f158ecc3845be6c9808badd64

          SHA1

          d434587768b56bb6037c1a18dd661dffe0d9bfdc

          SHA256

          cabe281cd38c2b4a3f9f55006f320829df7c2f075b76765b8a123fa3159a0c29

          SHA512

          0ff1c75a9336851c49428d24dc4ed133997a9d80453ab8b8ad54c15d38c6a0b0e69e5946cfb68779f2958627e13a6274ad6549ac3d3ef351bc50e4bf5cf6f98e

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
          Filesize

          45KB

          MD5

          9cc29e5f2d287d05359df4e5d256e56c

          SHA1

          be2b9e28ae2a1dc7c211f8254a15486115f25d1e

          SHA256

          63ff3b75b79a3729b6d093e150ed97ef692be6c187d908f8a21c3011da001826

          SHA512

          dad065c6c779b2e624ac84d7838b01519c7b1e19f9c420c8a6de5ca37b169ee272ad228224ddfe5710a98ef3fa3fdc0de1dd0b868da7cc1055f95b5322888333

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
          Filesize

          45KB

          MD5

          fec6949c47a9ffa18edaa5531bd3b793

          SHA1

          cb1c9a8471724133f9af45583945182f1bd30f3b

          SHA256

          f74ef0fb0a83ef5e5f77c016b17595f6af92ba2f71d6a916108a386ee5531fb6

          SHA512

          c80a11c30e85adc69d6a4e8ab4a3d746426530e26009db839454020070d420199e03fb7094bb06b90cf6c134cccfa0589deb32067498701627660fbc410103cb

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
          Filesize

          45KB

          MD5

          970b343570b2a487f7ff2434688a22ec

          SHA1

          0e11dafea90a1db86da253082e939fa2f73c9b49

          SHA256

          8bca2999b5e55c714992aea805463801190198a54173129d6fb7ab51eeb45477

          SHA512

          e85f9e215beca6e48a5ef005d75f856de584e8e31b75bbe4ac8cac5dfdd3e3a3af128ccbdcda24464966345aaf41a26b2ec346ffaae0b9fa04b8f099eb423d61

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
          Filesize

          45KB

          MD5

          eca3377025e4f00995b2a2dc3a91b434

          SHA1

          8fc1165fd753365b972cedcbce84d0d635dbe26c

          SHA256

          72b7ef5897519af5c2d1eaa06643b5205f254937fc275d5aa35619bf21fe49a0

          SHA512

          0e93c9b0393ffe0c5580e7ede41167a833ebcfe1e0cb72308549c806eabfd8c1ece7874d74b6db31d376af884676666fadcc3eceb40968cef7f552219abc6697

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
          Filesize

          45KB

          MD5

          862944e0c02322b2ee93ac7ef194c572

          SHA1

          e839914cb90c4da61645d1838ffc85ca28d305b7

          SHA256

          605759563a1a1faf80543d12a35237b32347bd14ede34edd89827c225ee4fccf

          SHA512

          c2be1f39c291a12d0cc5a5e5e0afd0d0d0dcb905f2f559dd6403c709e832df7f8fb13e995dd11034c26de7c194970bedf816e02b4b4e7455aff0a613c67c4f5f

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
          Filesize

          45KB

          MD5

          b1dd2a7a07271c4d6d7e9029baddbfe2

          SHA1

          42404b60cbee65489dcfd506b22fce0b9f357e81

          SHA256

          b7501782bb4e53060da689ca2f973d40306b092866b3ab5568e8318573da956d

          SHA512

          9f4706f7c014a154a12a66a21ee32a2672e931d81b48ad4988efacbc10656eb9075b4286b3c21d11e7f980c40f7e67b1b35e89a720124f6acfaa84c0917f8eb3

          Download Submit

        • \Windows\SysWOW64\IExplorer.exe
          Filesize

          45KB

          MD5

          82a08439c616b9cf91f6b221d75d2d6d

          SHA1

          a2aaa4d26da4bb560693fb601d1effde098bf265

          SHA256

          9be1ea65deecf6f06f94eee93db163431abcdcdc882947f106e2287e7ae1055b

          SHA512

          49ee4ebe8f7469432fbd437ed52a5a4008900171f4eb57128eecee5ab2a76874a24ac33ddec99d4a8afc35f70fbb9174fa7d88f282f15ba1b517de256e9c1448

          Download Submit

        • \Windows\SysWOW64\IExplorer.exe
          Filesize

          45KB

          MD5

          a746f95461b89df6bbacc10d62797af6

          SHA1

          48caa428b7aa609bd2667a56454600e741511593

          SHA256

          cbfc931181c9887d69a6cf9f8cd34d7fce705c4a1c457436ac71e797a90cde20

          SHA512

          2beceaf92459df8a86f2942014190ffedaabe6a9cf601ad04af00e9c89ac1d14a1bb9d74347c0671697fdbba643a8767d2b6a77fd71732e85f62529676a36600

          Download Submit

        • memory/560-178-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/772-128-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/772-124-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/900-265-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1280-274-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1636-141-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1636-137-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2000-157-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2000-151-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-451-0x00000000004D0000-0x00000000004FE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-136-0x00000000004D0000-0x00000000004FE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-453-0x00000000004D0000-0x00000000004FE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-150-0x00000000004D0000-0x00000000004FE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-234-0x00000000004D0000-0x00000000004FE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-149-0x00000000004D0000-0x00000000004FE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-257-0x00000000004D0000-0x00000000004FE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-110-0x00000000004D0000-0x00000000004FE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-0-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-233-0x00000000004D0000-0x00000000004FE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-271-0x00000000004D0000-0x00000000004FE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-222-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-117-0x00000000004D0000-0x00000000004FE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-281-0x00000000004D0000-0x00000000004FE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-450-0x00000000004D0000-0x00000000004FE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-449-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-294-0x00000000004D0000-0x00000000004FE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-295-0x00000000004D0000-0x00000000004FE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2032-111-0x00000000004D0000-0x00000000004FE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2076-324-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2164-240-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2444-115-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2700-238-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2752-286-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2948-299-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2976-258-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download