Analysis

  • max time kernel: 150s
  • max time network: 103s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 15-05-2024 20:25

General

  • Target: 2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe
  • Size: 326KB
  • MD5: 2c6d180627372c3c0b52ff839ce356d0
  • SHA1: e08ccf0b3a71dc55ab0ccd9cff0c37e125bb11e8
  • SHA256: 693344b16f58b92d4e6db5c01bb1bc93e97290a6f983665fc2d4e88272419698
  • SHA512: 3b9f8375b9eb7074c711ae76399ef9a53d453df521d18ac1e78725b925f6547db3cf85cd00c9c1f2a29a39542cca45d2901c68f990c0c10fd7ce8743381562fe
  • SSDEEP: 6144:zvEN2U+T6i5LirrllHy4HUcMQY6SbJhs7QW69hd1MMdxPe9N9uA0hu9TBJG:zENN+T5xYrllrU7QY6SbjDhu9THG

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2456
    • \??\c:\users\admin\appdata\local\temp\2c6d180627372c3c0b52ff839ce356d0_neikianalytics.exe 
      c:\users\admin\appdata\local\temp\2c6d180627372c3c0b52ff839ce356d0_neikianalytics.exe 
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4804
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\48E0.tmp\48E1.tmp\48E2.bat c:\users\admin\appdata\local\temp\2c6d180627372c3c0b52ff839ce356d0_neikianalytics.exe "
        3⤵
          PID:320
      • C:\Users\Admin\AppData\Local\icsys.icn.exe
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3548
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          3⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:888
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe SE
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1604
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              5⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of hidden/system files in Explorer
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:872
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe PR
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2656
              • C:\Windows\SysWOW64\at.exe
                at 20:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                6⤵
                  PID:2300
                • C:\Windows\SysWOW64\at.exe
                  at 20:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  6⤵
                    PID:3600
                  • C:\Windows\SysWOW64\at.exe
                    at 20:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    6⤵
                      PID:2800

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\2c6d180627372c3c0b52ff839ce356d0_neikianalytics.exe
    Filesize: 119KB
    MD5: 8a1056fc8516870fe59b26e9f2ac5ea5
    SHA1: 4b888e1b9d11e412f3d611ff0f53a1a469db98c2
    SHA256: c7bb9de918938658d5ef03d01b4d71b97d778ca63c4a07d70fecaa75fce04665
    SHA512: 34eaebe6c2ecfab1903bb6c045f84efba61bd077ad93a42ddc204ab9168457de9694b76eb1e322a4eaee3ff303122552c944174c0d42fb2f8d11b2e0973b7cac

  • C:\Users\Admin\AppData\Local\Temp\48E0.tmp\48E1.tmp\48E2.bat
    Filesize: 156B
    MD5: 0a49663c81882b5223fef72a73ad5ddb
    SHA1: f0c5097726c1908087f0f0b1c5ebbff394002947
    SHA256: 57c9792955bab7ac601c69e8a16a1b3dec66144178b74b5d7843a04612182318
    SHA512: b2f5964f0dd4db66296224fe901f1e4176d490796e8d3e1864608ff73d804d648443919f01718e77712741f811779ffac86fbec05e06ca0d643328477583c750

  • C:\Users\Admin\AppData\Local\icsys.icn.exe
    Filesize: 206KB
    MD5: 08525cc88ac970331c5b8fa3758ef985
    SHA1: c8482944c646456e2c19f531b82469cba2d20a56
    SHA256: 8a3804fab841d92048c21b46aa606e3f500c6a55b1862674b11db638c5fdbe1b
    SHA512: 7f2eb013edd0c1e9104ff30f11e02cc4120d03aa1154ec82bbb818aa229b1a60687f280323797ad9cd113e77af738e461dc9877635a3d0642b54bec06e3fcf59

  • C:\Users\Admin\AppData\Roaming\mrsys.exe
    Filesize: 206KB
    MD5: b15b6f9583e27c84ef39823e1946962a
    SHA1: 54a54c8f7e5fd3c5ccef2504f521c99a88db650a
    SHA256: 446cd84e10bcc613ffbc599e43e8f98309283844d678d3dd6438ad2b806c3b79
    SHA512: 40850cc3081051d4d11bb270203221ce5fba695374171cd41384e3b8c2d5f0c90a6c6c54eed544e204b7214acb33cccb48f6ee18f5807f2c4c082ce447440283

  • C:\Windows\System\explorer.exe
    Filesize: 206KB
    MD5: 65387f62ebf75d7f22e542a31080d1ef
    SHA1: 5a4bae3649d9c20d446d0ce11ab24c44e7f8b9f6
    SHA256: a75642aa3bf6f336b2447312d13c853a0cd9598848c4fce03be6c02250db6a14
    SHA512: 95c4b7dfe45960c3da95b5397f9922711873275aeeb5aeab2086cc91c9bf54d1008ae61f1029a3f2b3e66b701d712fd8b2ae54ac4c4a9554813082ee1114d9c4

  • C:\Windows\System\spoolsv.exe
    Filesize: 206KB
    MD5: 60447a9918afaa3b7e9aecc0f6bbfb8d
    SHA1: 11e474b807df51bc612e71371dbed98f9be58196
    SHA256: 0dc81dacad0f8d5f8630241d414f89c1705cb5b0de1f76c86191ee8afa6d0eed
    SHA512: 3ae8f3d01922db5d7ad287551e7ea4f6b9b592996e2cfdd6103f781ac23764ce0bd6dac08dcb4eeec2cdd6943c7aec26e839b0ca48a2e9fcaccb7afe6fec7527

  • C:\Windows\System\svchost.exe
    Filesize: 206KB
    MD5: d1f6c96ab890ceae6e71e82166b40006
    SHA1: a101e545df278486b15519f9e50af4cc6a0ca695
    SHA256: 695f4cdb3f51ccce3ceb5e8e1a38d6302fcb4118321bda9be67e2881459b0e5c
    SHA512: 6f28ed2d72b43c06e99c6e3d3dc1f53790a3f56c62a618a5118ee7b219e577ae4b090ec8039b5158ffc471d9eb88748151811cf241d94b4e45e2a72cba80ad53