Analysis

  • max time kernel: 149s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 16/05/2024, 10:08

General

  • Target: d9f26233813192cdafcf3b9e2af6e320_NeikiAnalytics.exe
  • Size: 69KB
  • MD5: d9f26233813192cdafcf3b9e2af6e320
  • SHA1: c1af96de28c5d38c9036b31ce3e5c1b42f1c0b51
  • SHA256: b2dd4bc5d621b2cd000cd0573266a308daa26b63db0314037f455adf77dd4b8f
  • SHA512: 31014474b07645438479fa77dd8a54fc686960f70a7dd151fc3df182be563a112eed38be98622b0ed6e5f876d0a197104d809acb24cc096691e136a969ca6d23
  • SSDEEP: 1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw89f:Olg35GTslA5t3/w89f

Malware Config

Signatures

  • Windows security bypass (2 TTPs, 4 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  • Sets file execution options in registry (2 TTPs, 3 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Windows security modification (2 TTPs, 4 IoCs)
  • Modifies WinLogon (2 TTPs, 5 IoCs)
  • Drops file in System32 directory (9 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\system32\winlogon.exe (PID 432, depth 1)
    command line: winlogon.exe
  • C:\Windows\Explorer.EXE (PID 1184, depth 1)
    command line: C:\Windows\Explorer.EXE
    • C:\Users\Admin\AppData\Local\Temp\d9f26233813192cdafcf3b9e2af6e320_NeikiAnalytics.exe (PID 2740, depth 2, parent 1184)
      command line: "C:\Users\Admin\AppData\Local\Temp\d9f26233813192cdafcf3b9e2af6e320_NeikiAnalytics.exe"
      signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\ukdecoot.exe (PID 1680, depth 3, parent 2740)
        command line: "C:\Windows\system32\ukdecoot.exe"
        signatures: Windows security bypass; Modifies Installed Components in the registry; Sets file execution options in registry; Executes dropped EXE; Loads dropped DLL; Windows security modification; Modifies WinLogon; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\ukdecoot.exe (PID 3000, depth 4, parent 1680)
          command line: --k33p
          signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
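The tree above is the behaviour a detection engineer would want to match: a binary launched from a user-writable Temp path drops and executes a same-named copy in SysWOW64 (the command line says system32, but the 32-bit process is subject to WOW64 file-system redirection, so the image lands in SysWOW64), and that copy respawns itself with the `--k33p` switch. The following Python is an added example, not report output or the sandbox's own code: it runs that chain logic over constructed Sysmon-style process-creation events built from the PIDs and paths above. The event schema, the parent links of the two root processes (PPID 0) and the path heuristics are assumptions of this example.

```python
# Added example: process-chain detection over constructed events that mirror
# the sandbox report's process tree. Not part of the report.
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as the OS resolved it (post-redirection)
    cmdline: str   # command line as the process received it


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d9f26233813192cdafcf3b9e2af6e320_NeikiAnalytics.exe"

# Constructed events. PIDs, images and command lines come from the report;
# the field names and the root PPID of 0 are this example's assumptions.
EVENTS = [
    ProcEvent(432, 0, r"C:\Windows\system32\winlogon.exe", "winlogon.exe"),
    ProcEvent(1184, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2740, 1184, SAMPLE, f'"{SAMPLE}"'),
    # Image under SysWOW64 although the command line names system32:
    # a 32-bit process sees the redirected system directory.
    ProcEvent(1680, 2740, r"C:\Windows\SysWOW64\ukdecoot.exe",
              r'"C:\Windows\system32\ukdecoot.exe"'),
    ProcEvent(3000, 1680, r"C:\Windows\SysWOW64\ukdecoot.exe", "--k33p"),
]

# Path heuristics (assumptions): substrings that mark user-writable locations
# and prefixes that mark the two system directories.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def detect_chain(events):
    """Return (pid, reason) findings for the two links the report shows:
    a parent running from a user-writable path launching an EXE that lives in
    a system directory, and a system-directory EXE respawning its own image
    with a different command line (the --k33p child)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # root process, nothing to compare against
        if in_system_dir(e.image) and in_user_writable(parent.image):
            findings.append((e.pid, "system-dir EXE launched from user-writable path"))
        same_image = ntpath.normcase(e.image) == ntpath.normcase(parent.image)
        if same_image and in_system_dir(e.image) and e.cmdline != parent.cmdline:
            findings.append((e.pid, "self-respawn with altered command line"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect_chain(EVENTS):
        print(f"PID {pid}: {reason}")
```

Run against the constructed events this flags PID 1680 (SysWOW64 EXE spawned by the Temp-resident sample) and PID 3000 (ukdecoot.exe relaunching itself with `--k33p`), and nothing for the Explorer-launched sample itself, whose parent lives under C:\Windows. In a real pipeline the same two predicates map directly onto Sysmon event ID 1 fields (Image, ParentImage, CommandLine, ParentCommandLine).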

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\icvaboh-eadum.dll
    Filesize: 5KB
    MD5: f37b21c00fd81bd93c89ce741a88f183
    SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
    SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
    SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

  • C:\Windows\SysWOW64\ilmoatan.exe
    Filesize: 71KB
    MD5: 1208b9bac7a762f3b973f599d1aaf72b
    SHA1: ee7497ec8d5e3362509448f753472750a5318d7e
    SHA256: 06b7f512d44c603377a8fc3456f9e7e81bc8f1b1937b8989ed60652954b28c4b
    SHA512: b9ac9784d2b4afe7bb9ea3afbc82b171d7c1d44cb6c5e7e0d030544018e8c812b45a7766830e7791914b59ff4cb3cd3a1181eaf741cbf9feb5f9fc53ee775ca8

  • C:\Windows\SysWOW64\nkuxep-uded.exe
    Filesize: 72KB
    MD5: b42a564720e449078bba70a68b677218
    SHA1: 4f3be6996e203ab33028c54fd10f0b186f8098b5
    SHA256: ead39fdebb1e440bb003da562ca324fe9eed4488baf057da658b9d19306ef398
    SHA512: 4626d1974138870303ef6b366c8e9a9c20ba5c39fb5aa34655f5995a61696e9d9f3cd7195f025f4951c5821db139b664d23140d78964b32703b87e3534d05ad8

  • \Windows\SysWOW64\ukdecoot.exe
    Filesize: 69KB
    MD5: d9f26233813192cdafcf3b9e2af6e320
    SHA1: c1af96de28c5d38c9036b31ce3e5c1b42f1c0b51
    SHA256: b2dd4bc5d621b2cd000cd0573266a308daa26b63db0314037f455adf77dd4b8f
    SHA512: 31014474b07645438479fa77dd8a54fc686960f70a7dd151fc3df182be563a112eed38be98622b0ed6e5f876d0a197104d809acb24cc096691e136a969ca6d23

  • memory/1680-55-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB

  • memory/2740-9-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB

  • memory/3000-56-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB
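A check worth making on the list above: the dropped \Windows\SysWOW64\ukdecoot.exe carries exactly the submitted sample's MD5, SHA1, SHA256 and SHA512, so it is a byte-for-byte self-copy into the system directory, while the other three drops are distinct files. The following Python is an added example, not the report's or the sandbox's own code: it indexes the report's hashes, looks bytes up against them by SHA256 with MD5/SHA1 as a cross-check, and returns the groups of entries that share a digest. The entry labels and the function names are this example's own choices, and the test input is constructed, non-malicious bytes.

```python
# Added example: hash-IoC index built from the sandbox report's Downloads
# list. Not part of the report. SHA512 is left out of the index; SHA256 is
# the match key, MD5 and SHA1 are kept only to cross-check transcription.
import hashlib

IOCS = {
    "sample: d9f26233813192cdafcf3b9e2af6e320_NeikiAnalytics.exe": {
        "md5": "d9f26233813192cdafcf3b9e2af6e320",
        "sha1": "c1af96de28c5d38c9036b31ce3e5c1b42f1c0b51",
        "sha256": "b2dd4bc5d621b2cd000cd0573266a308daa26b63db0314037f455adf77dd4b8f",
    },
    # Same digests as the sample: the self-copy dropped into SysWOW64.
    r"dropped: \Windows\SysWOW64\ukdecoot.exe": {
        "md5": "d9f26233813192cdafcf3b9e2af6e320",
        "sha1": "c1af96de28c5d38c9036b31ce3e5c1b42f1c0b51",
        "sha256": "b2dd4bc5d621b2cd000cd0573266a308daa26b63db0314037f455adf77dd4b8f",
    },
    r"dropped: C:\Windows\SysWOW64\icvaboh-eadum.dll": {
        "md5": "f37b21c00fd81bd93c89ce741a88f183",
        "sha1": "b2796500597c68e2f5638e1101b46eaf32676c1c",
        "sha256": "76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0",
    },
    r"dropped: C:\Windows\SysWOW64\ilmoatan.exe": {
        "md5": "1208b9bac7a762f3b973f599d1aaf72b",
        "sha1": "ee7497ec8d5e3362509448f753472750a5318d7e",
        "sha256": "06b7f512d44c603377a8fc3456f9e7e81bc8f1b1937b8989ed60652954b28c4b",
    },
    r"dropped: C:\Windows\SysWOW64\nkuxep-uded.exe": {
        "md5": "b42a564720e449078bba70a68b677218",
        "sha1": "4f3be6996e203ab33028c54fd10f0b186f8098b5",
        "sha256": "ead39fdebb1e440bb003da562ca324fe9eed4488baf057da658b9d19306ef398",
    },
}

ALGOS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of a byte string as lower-case hex, like the report."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def index_by(algo: str) -> dict:
    """Map one digest type to the IoC labels carrying it; several labels may share a digest."""
    idx = {}
    for label, d in IOCS.items():
        idx.setdefault(d[algo].lower(), []).append(label)
    return idx


def lookup_hash(sha256_hex: str) -> list:
    """IoC labels whose SHA256 equals the given hex string, case-insensitively."""
    return index_by("sha256").get(sha256_hex.lower(), [])


def lookup_bytes(data: bytes) -> list:
    """Hash bytes and look them up by SHA256. On a hit, MD5 and SHA1 must agree
    with the table too; a disagreement means the IoC was transcribed wrongly."""
    d = digests(data)
    hits = lookup_hash(d["sha256"])
    for label in hits:
        for algo in ("md5", "sha1"):
            if IOCS[label][algo].lower() != d[algo]:
                raise ValueError(f"inconsistent {algo} for {label}")
    return hits


def duplicate_groups() -> list:
    """Groups of IoC labels that share a SHA256, i.e. identical files under different names."""
    return [labels for labels in index_by("sha256").values() if len(labels) > 1]


if __name__ == "__main__":
    print("identical files:", duplicate_groups())
    # Constructed, harmless input: no entry should match.
    print("match:", lookup_bytes(b"constructed test bytes, not a sample"))
```

The report lists five files but only four distinct SHA256 values, which `duplicate_groups()` makes explicit; when importing these IoCs into a blocklist, key on SHA256 and keep the MD5/SHA1 only as secondary evidence, since both are collision-prone.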