Analysis

  • max time kernel: 150s
  • max time network: 149s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 16-05-2024 18:12

General

  • Target: 0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
  • Size: 831KB
  • MD5: 0a1e2a8e985c7b1f74845e4bb71ecfe0
  • SHA1: 1d6e833e9c345c12767481641066a7c08c3a6794
  • SHA256: 617e92659377c1b3ad840c40e63b6a9a4e3b4b4b3f59f8e4bacfaba3e56c957d
  • SHA512: 77049304f0b904cea8dd2dfde7c90a8e97fa1d7f7af665d934c6ef29b166f041eec4227e7c4f379b981bf66217c52100cf966144405755bde8bb26e33603b74a
  • SSDEEP: 6144:nwynAtMrOVRkidy9yIGWlUiwS4O8b8ITDnlznZ0NP4w:nwKfOVRo9yRYn4O8b8ITDnlC94w

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Checks processor information in registry 2 TTPs 15 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1712
    • \??\c:\program files (x86)\microsoft office\media\cagcat10\1033\cagcat10microsoft.exe
      "c:\program files (x86)\microsoft office\media\cagcat10\1033\cagcat10microsoft.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1664
    • \??\c:\program files (x86)\common files\microsoft shared\ink\en-us\systemsystem.exe
      "c:\program files (x86)\common files\microsoft shared\ink\en-us\systemsystem.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:600
    • \??\c:\program files (x86)\common files\microsoft shared\ink\es-es\sistematiptsf.exe
      "c:\program files (x86)\common files\microsoft shared\ink\es-es\sistematiptsf.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1696
    • \??\c:\program files (x86)\common files\microsoft shared\help\1046\microsoftmicrosoft.exe
      "c:\program files (x86)\common files\microsoft shared\help\1046\microsoftmicrosoft.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2304

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\RCX1DDF.tmp
    Filesize: 832KB
    MD5: 41004c921766097233197137b1b0a380
    SHA1: 2add27759455450bbc90e544b67e026fec13bb60
    SHA256: 0b897d0b226c4211a02e96afa056f84778c664d7ffc082a54cdc6c07a0d1ec9e
    SHA512: a9793036532cb93eee575950e560a973079f4c9da7d65afc7a1a053a077b6ffd4871e03e66c517aeb2818017c504bc0abbd255b509eadb384589690904e649f7

  • C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\SistemaTipTsf.exe
    Filesize: 831KB
    MD5: 0a1e2a8e985c7b1f74845e4bb71ecfe0
    SHA1: 1d6e833e9c345c12767481641066a7c08c3a6794
    SHA256: 617e92659377c1b3ad840c40e63b6a9a4e3b4b4b3f59f8e4bacfaba3e56c957d
    SHA512: 77049304f0b904cea8dd2dfde7c90a8e97fa1d7f7af665d934c6ef29b166f041eec4227e7c4f379b981bf66217c52100cf966144405755bde8bb26e33603b74a

  • \Program Files (x86)\Common Files\microsoft shared\Help\1046\MicrosoftMicrosoft.exe
    Filesize: 832KB
    MD5: 2d814233f182e6da56475171e5f3e762
    SHA1: a20def6a452bf99f7fe7b6b451eb802cf6b50b2b
    SHA256: f4f24d2e719db5ac145f87cca3b72d165c4674c3a61851580c428bf29ee75b0e
    SHA512: 88d1615c3d2a1f01edce36698e632bb3559817cdcba39cdf08a9cad6f3a71ddfc22645db0b463e543b542026acb37edd0b793ad46e14653d041fc1a42ec00098

  • \Program Files (x86)\Common Files\microsoft shared\ink\en-US\SystemSystem.exe
    Filesize: 832KB
    MD5: cf1d967995d514fb3a446a023b3e6ada
    SHA1: 84e43b2bdbd3ec67fdd428b8007cf75c7e30780e
    SHA256: b8804b603102f898358ab1b7fe6ea7fa9e69c3dfc78c84fcfc2eb3c6a69d1300
    SHA512: 55a1f655d11252fab7de0dcd962581cf78abfb0d259067291eb8694e104793c0e7b4ca318d80fb3c82081036a5d9e76f58f74665209a770d2921554a2ae966fb