Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
16-05-2024 23:31
General
-
Target
584c9246bf4a48a3bfd8a7cc00d39210_NeikiAnalytics.exe
-
Size
292KB
-
MD5
584c9246bf4a48a3bfd8a7cc00d39210
-
SHA1
9b481d8adfd4a49a42e827611c41d6160e9425ca
-
SHA256
6ea364d4193eb31370cb40e91f9d33e9bd433b6dc222517967a1ec3fdbc1056e
-
SHA512
5bbd4b37f4f6ed337517c17101a894d6a67837eb9637361a208be17272cea67abe2d889a271db624962e47ade36c145a73a18297204b7dd290a54fd004bfe2f8
-
SSDEEP
6144:KY+32WWluqvHpVmXWEjFJRWci+WUd201UU5EYCTvaBjuu:pnWwvHpVmXpjJIUd2iUusvalb
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 6 IoCs
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 42 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\584c9246bf4a48a3bfd8a7cc00d39210_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\584c9246bf4a48a3bfd8a7cc00d39210_NeikiAnalytics.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\HMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"C:\Windows\HMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\HMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"C:\Windows\HMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\HMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"C:\Windows\HMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\HMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"C:\Windows\HMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\lsass.exe"C:\Windows\lsass.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
292KB
MD5b3a67e567def77b5e97af64bf04d5af8
SHA1efe5dc5e000e52019235dd3a84a7927c74852c6d
SHA256c612e8e5a1d949121559ea63b237e11f918b899d149badf759ee0ebf4370a91b
SHA5125d266488738e82971d2aa122f8832b904e685f2c1f39a9c477d74489a874e05137bad19d909c1758d19b2393b5e90841d5bcedff599305ded6e9053cb6b3a233
-
Filesize
292KB
MD56636034fae9697629f92cd52657979fe
SHA1abb3479a742ae83b946c73136a45f18f08bc6352
SHA256d7b5ad0aad2522bdf02ffced1dd06975f6fc747222a0681a1d1750989bfe5072
SHA512cd66e2eb58ed6f85bf0ce8ed83ddac399b9c0e1aacf8970863405d75bc8f5a72a66a2e95a2da81165ff7959ace25415af01215c314baf9f7bbde896f5f5b3922
-
Filesize
292KB
MD5148517c2262329a67c28b3ce21995987
SHA1b7f21bc0d3a952c389ab3e2c1e749602ecada9b2
SHA256b8855f737ff32874de4f9f39fabc691feae75155a88c3ed82b81def703637bb5
SHA512b827709bd1f61626a42360c8019f5b416edcaf523b4bea2953e65a0d0b237c6f0d5417316eb8350d29482aee00274c16c4b3df2c20c3ee5301eb8ff301ddaafa
-
Filesize
292KB
MD50bed9a0d39fbd1940f81fbd789f72b80
SHA172d24ddaf3ce7b877897d51c401dbc28bc46559e
SHA25637a627077db460127cb48f7b43cbf74410fba1c8465f8b8e3179547fe1ac53fc
SHA5127a8da1615b4b6aa6bd314407a0b6fc698b089b763881a307ba2f2c663bd5009edebb87a0d466147125e2b91d116888b8189b7231639313d12ca9fe790a942e5c
-
Filesize
292KB
MD570446f1a5344d4d2aec691747d1cf376
SHA17b74c6e36e9652a59067fe1de0c0b7092df697fb
SHA2569d497e6466d8ae0b7ae711c1dc52b100799a48b363b646b69191bb8aa05ea6aa
SHA512b961d9b87da749488edd4d0a9aaf0a823fec6dbcbc8910e7472fe4855eab8b0578fffa549c0bae42313008bae63b0773a7fd5a9a5111ee0a54b04be79f1795d8
-
Filesize
292KB
MD52782ccc3cf60a28a6ec3a68670234bfb
SHA16170ccbc8d4b33e3397722e0bee28b1c613cbd38
SHA25680f59adc2d47a0c3a7529e99ab04c798b9a3d1e3c8e9ca5fda6df114844aa200
SHA5121508c12cf70d03b5ffa05ba331185e197cd34650a6e5914c2af4ef6e439bcec34d0cc494bbe974c560c963aef251c33b20b0f7be00383b61c43d2507f833dc0a
-
Filesize
292KB
MD57e16cdb5572fa80992badc9e9755bca4
SHA19c4d6ee4c481a4d2d675847cf6c0b1dc89b025bf
SHA256957463c50bfc17662dfd055c7daa6c0b4db9b9ba59644d1b39bd0ce9b1797c4d
SHA5122d8ef02e2c9e714bf935601b3f97b04908afb14eea0f1aa351fdc267cc2d63cd0e6753c3339fe38ded4c8484df182ebfb9309d6da12ceb3ca98d0dacc81b2242
-
Filesize
292KB
MD587be54ec9b296bfbb7c7668b4d8cf8ca
SHA1d47a0a4d6c6a00bc3fe3c34d661e2ab9e4bab148
SHA256ba5f75a98b0b9ac22e8fa27e7c72cf143cbdae1775bc622c98c95731aa734592
SHA5120a8bfdbb4a8b19ef6b62b1dea0d4f85191ad9c8ba6d857bc912eb2378b9c42a0aeb90464101be524b3d5d78e503a413f369318e09b11428849fb705e3a862756
-
Filesize
292KB
MD522fd3168937342b2b4b09ca85bb6cafa
SHA18dead3ee37ffaff33386b3c8745fc1a21f6233f7
SHA2565d20350c9081ee04cc331c75fd596dbab07819f4eeaa931c5fc74559f929ffcc
SHA5124f6dfde9f4e4febce83596c0372ea64792c9415ffdefa5f70bd4cab4305e0f784c31c4e05533a8742d65f54a23c16606ccb2e73ec3e997f1328b4c72fb8278ca
-
Filesize
292KB
MD55cb38f87ddc9f844c29d405fcc482cbf
SHA11d1592074e7ba2dcdcae1338bb6114642916c91d
SHA256c0af5cbd505aa439fa001f57ffad176764d7418e8e122791a708ffc444304c1c
SHA512b419964fd1174f9cc876830a74c83b6437c5c448c973f6255911e2f14ad57469a39c374020eb5654864b54f6f56829395002172d5ba6c7b94899c41f393bfa25
-
Filesize
292KB
MD5f8e15d4528d180165253a0753ff4ccd2
SHA12bfa31bba55c4adf5c6db4563128cef0ffa15426
SHA256f7f5670dd11244c7fe8bd0e8b8a31fcadaf4b102e0c3b6af8f9ac065acb30a51
SHA5129e9a787ba4efbc6b46691a222690b67524ff60cbbc1de391ed12ec6cc4f87dad637d0ff63da473905c5dd4967d50362a9d32d2f8089159163e61c0606d08cbcf
-
Filesize
292KB
MD5b828b50aa568210b3d6184eaac4a0cde
SHA18bc9072f9dc16fc17cecd7603731dc255a115cca
SHA2561767d0f14740e1156ccf1d7d8097ecdce9cc365f9bbb801cf93bcc8e5fc791b8
SHA5126a6357f2f6e7a8b0ba997793eacc84d0c088209ad7d934e7e1ab96f523c001a68dfc9b378f4a9ac5a735b69489f12da6799e87e959aeafca8517d23f81300d1b
-
Filesize
127B
MD5e97f64dfffe10660d03b905276f591b9
SHA121ad094ada386f08bab236ce5c10c4cc3f84d724
SHA2565058938d135a21c363d53a97e7a1399118c3e357cb42fad54f175407851e806c
SHA5120a6c26d8d1becb9f1f0b688386228f5a6b7dbe09bbdb07dd8cb7534872d9eedf209653c8414b2b227f10cb77d1444b67f4117aba716c1400bc4a9c773b3cdb67
-
Filesize
141B
MD587ef1262719152e67a649394cd4a3347
SHA16c37b6fd891ed198a396064d9779139b57dfcfc3
SHA256c78396c59d04dcfc59e7cad3ff1769c209d1b02147621065fef908479e3d4ecd
SHA512c75299a8ed84ceeebcebce3a20586dc43dbabd87d2715fc44168b4376fed04577f023cf2899535a6216ed68ef4502e77dda1c5545dc20befa9f127af65e8c737
-
Filesize
292KB
MD52c4a8512e4fda66f5b064564220ef4f6
SHA117bef9aa387edc0fa03fdea3a867a4dc0351df17
SHA25600173f9e8b01e3d961c8b46c8a474cdce9e302fe3e7a37f9a120ed35a3130859
SHA5122fcf75b6a3fa0d0fc187db51aa3061111d92648a33e74318a61eea46cad42150b07e26046a1be7560f8e7d108bed0b4c0c83f4d034f0dbd13b7d651bea64ace1
-
Filesize
292KB
MD58b5ee4ea3fe2a4911081b466e6ff9e4a
SHA1602a711f22e32d83150af86e97b24ad641e5f9c5
SHA2563d5bb77ec90a8c9f734bba6409af6ec653de6e8358453d7ada6251e0eac839d8
SHA51292998b03ee5ddd6e03ec06cee0dcdaff5038a7492eee437f4b672a5eab1c1af348f158702212eaf7d10f0a4f41b9d7610567d47c7a68222b47ab42d3ee04c0a3
-
Filesize
361KB
MD53901a79afc3ed429cd22c85474ed7ef7
SHA1e93632ee1d9aad007dd3eac5a7298e81aa8c42f3
SHA256b79cf2c7b87a0210f25c39c3ae1ea72df7b46a11575fdde8fea5f626790d581a
SHA512797dd0e992262de121e3361a046ccc29b3b25cc75a2d4f97b0c633ae8ff7227d571d7504d9bb64d6791f97f1f89062c43d7b0e34f9271c95b8592b5e68247af2
-
Filesize
361KB
MD51e1e0ba48fa72dc5e7b482afd9d3a7e0
SHA12a930121ef6839a0905d253ddeae565b45a95782
SHA25694ca13a7007fb2c1db881f79c436a1b392e7a41ff8e126f5d3b4f32cfe2183c9
SHA51270e0886004a164817cad5829d588fda560527579842d4fed654a2bfbe2999e473aebd8f67ac733362c107c5c40245cbf58906e7934e6138e43ce630c850fcc7d
-
Filesize
361KB
MD5da277f942f662c7cc42f98c5f6203ad3
SHA11f7c7f5b09b2b7ea73c85e74ed4e09ecb72727e4
SHA256c277b2e10adab2360bd59d4ee4b53cc63ce545605226a43453422293a3277b1b
SHA512da91c15fb47f782ee9338b4ea8fca1553af29b3849d82330c31d68b764b235107170c6c32573b4afe6adddc07d963c808a92f8d6f1bb7a5ec113183cf639a6e6
-
Filesize
292KB
MD58df2f13d74aac3048b5acbec83e9aac8
SHA13d4a110c6751711e6a0df12cfb12b4170a3c8e62
SHA2565d733150685973fbeefc2183ad752499d5dffd8696ab372fb1c33e0f8f746281
SHA512406592d99960d792ab2fdb01b2a735ebad80e782045e089c67cef7042e2cc0000ddbc6e3e1d088cb38849e539cdf287f6b514d4786e2bed14e6c01e423999405
-
Filesize
65KB
MD5c55534452c57efa04f4109310f71ccca
SHA1b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61
SHA2564cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc
SHA512ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a
-
Filesize
8KB
MD50e528d000aad58b255c1cf8fd0bb1089
SHA12445d2cc0921aea9ae53b8920d048d6537940ec6
SHA256c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae
SHA51289ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116
-
Filesize
1.4MB
MD5c79ec3a7a2675b90e0c9af40f8d1cab8
SHA1ec1d7cd4b3b2ecee295e178d4b0bc6afe16b4deb
SHA256104fcb338da8345db51670d5f8f60c4041ea2ab55ea48c18d408866afddfd5d9
SHA512dded4fa9b47f4e1e31639c3c5f20474cc94b634ed757ccc2da449619a2fa63dc8a5c59160279ec1458ac6160123f061f798f5a97798cbecb5df78873aa8be736
-
Filesize
1.4MB
MD5faccb368f1c32d9466d95f537be6983d
SHA14d34d1bf813a86bf952a6aab00cd79853bf6f109
SHA256c91e9718a7ddf97a0a3006751af147415b1cc97e037d908d9d883b3942187a1a
SHA5128f4a76f4ca840f833774b1cd7dfd7b96e992d7ac33c9f5750656ffaa9f74b6c3cfe876d09d2c2bb7fb4c04b47e9dde8d3fff9fdb3aea8e948d52d3f7a2b00b37
-
Filesize
1.4MB
MD5121c6d3c64d63e8bcefaf599acfd9ed5
SHA197273b1d544a2ba345eb118de55431fe25e03ee0
SHA25627b91e8f5888115fcabcc721905935555dee46f5c8e1bff2a2f6ee7b8dd74009
SHA512d1b0d63d08ee04f37999a86a6f0cd7e151d3bd74432c3052668d9c0ee8f0d0d681e74fe58beca534e1166f58b7fe578fa7105f37b0f8d707e46615337315b362
-
Filesize
468KB
-
Filesize
468KB