Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/05/2024, 07:55 UTC

General

  • Target

    d545043cc4054587a1b0cb7f443b13d0_NeikiAnalytics.exe

  • Size

    71KB

  • MD5

    d545043cc4054587a1b0cb7f443b13d0

  • SHA1

    debd02b06f5933693e388c5a510f55b3e9793517

  • SHA256

    ea876154771a59e32120d2e8b992a0c8867f6e8549c18f9346829aa026991a2d

  • SHA512

    a1abed5f5a9ea8c4ea48b32084b911731d09c014c22deee32f9784f2d7f2f761c1b7e1e799a527bffc4a51ce312107b8130e3d7a167d3b42a369623b6c1343ef

  • SSDEEP

    1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8slp:Olg35GTslA5t3/w8w

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Sets file execution options in registry 2 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:436
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1152
        • C:\Users\Admin\AppData\Local\Temp\d545043cc4054587a1b0cb7f443b13d0_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\d545043cc4054587a1b0cb7f443b13d0_NeikiAnalytics.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Windows\SysWOW64\uxhaxam-edor.exe
            "C:\Windows\system32\uxhaxam-edor.exe"
            3⤵
            • Windows security bypass
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2972
            • C:\Windows\SysWOW64\uxhaxam-edor.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2648

      Network

      • flag-us
        DNS
        myghjkluemkmcq.st
        uxhaxam-edor.exe
        Remote address:
        8.8.8.8:53
        Request
        myghjkluemkmcq.st
        IN A
        Response
      • flag-us
        DNS
        myghjkluemkmcq.st
        uxhaxam-edor.exe
        Remote address:
        8.8.8.8:53
        Request
        myghjkluemkmcq.st
        IN A
        Response
      • 8.8.8.8:53
        myghjkluemkmcq.st
        dns
        uxhaxam-edor.exe
        63 B
        129 B
        1
        1

        DNS Request

        myghjkluemkmcq.st

      • 8.8.8.8:53
        myghjkluemkmcq.st
        dns
        uxhaxam-edor.exe
        63 B
        129 B
        1
        1

        DNS Request

        myghjkluemkmcq.st

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Windows\SysWOW64\eahtoacoap.exe

        Filesize

        74KB

        MD5

        6b3689a9c9413f01937500ca11ef7085

        SHA1

        25e503eb7c90ee2874fa59ba38d8c5f89f7e5708

        SHA256

        df540c4a8e122945773c47a269696a43cd10e0b7b78efc2735991238c62101a9

        SHA512

        528b1d9290bd7d18968c05a67ae204cc04099d1098f8e825fa0b48d3b5cf8ecfcc125274d7848b4f94e18c83d6d238648c955557857453fbf81cac1fb06cf2cf

      • C:\Windows\SysWOW64\encohoam-odex.dll

        Filesize

        5KB

        MD5

        f37b21c00fd81bd93c89ce741a88f183

        SHA1

        b2796500597c68e2f5638e1101b46eaf32676c1c

        SHA256

        76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

        SHA512

        252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

      • C:\Windows\SysWOW64\ulmihoob-udid.exe

        Filesize

        73KB

        MD5

        74c2b7af25651ecb2b40da92613294ac

        SHA1

        6ca1f9488b504c694509f0b3c19772501ab5dbb3

        SHA256

        778d6bb3acaacd86b354d9550667fe83658f65c1b95deb408b9096d2cf02c1d3

        SHA512

        6a1cd8b6b8605ec4b2af856f81f0472dd507e3cdb68990221027df832100024cc0be43262e2b50420201348ca257e2488ccb1c6edd095eb502c0982f4fa6a1de

      • \Windows\SysWOW64\uxhaxam-edor.exe

        Filesize

        71KB

        MD5

        d545043cc4054587a1b0cb7f443b13d0

        SHA1

        debd02b06f5933693e388c5a510f55b3e9793517

        SHA256

        ea876154771a59e32120d2e8b992a0c8867f6e8549c18f9346829aa026991a2d

        SHA512

        a1abed5f5a9ea8c4ea48b32084b911731d09c014c22deee32f9784f2d7f2f761c1b7e1e799a527bffc4a51ce312107b8130e3d7a167d3b42a369623b6c1343ef

      • memory/1636-10-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/2648-56-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/2972-55-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB
