Overview

overview

7

Static

static

3

dba7d3ee0b...cs.exe

windows7-x64

7

dba7d3ee0b...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-05-2024 08:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dba7d3ee0bd1a853fcc3d98e4d2b87f0_NeikiAnalytics.exe

  • Size

    464KB

  • MD5

    dba7d3ee0bd1a853fcc3d98e4d2b87f0

  • SHA1

    30e36a2225cc342acfe7b3416ff1dd3953a086a4

  • SHA256

    55118b79053d6c408f5a6024350abfcd42ccb347a657f0ca0ffa9f427d3ac5fb

  • SHA512

    abc84aa509eb758a6ee12b5ca9e8dc8314a5884841aec0edbace510b3ab0f3aafe0fe0ecfd1b832ea72443bc1add8aa63d73144df2b72d548768ed6ff24e1941

  • SSDEEP

    12288:JAlc87eqqV5e+wBV6O+ds61BdMdofho0jcOZX:JASqqHeVBxKFTfh5cO9

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\dba7d3ee0bd1a853fcc3d98e4d2b87f0_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\dba7d3ee0bd1a853fcc3d98e4d2b87f0_NeikiAnalytics.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Users\Admin\AppData\Roaming\ctfmhost\DpiSfWrp.exe
        "C:\Users\Admin\AppData\Roaming\ctfmhost"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Users\Admin\AppData\Local\Temp\~14D8.tmp
          1192 475144 2844 1
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2612
  • C:\Windows\SysWOW64\dxdidctr.exe
    C:\Windows\SysWOW64\dxdidctr.exe -s
    1⤵
    • Executes dropped EXE
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\~14D8.tmp
    Filesize

    8KB

    MD5

    86dc243576cf5c7445451af37631eea9

    SHA1

    99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

    SHA256

    25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

    SHA512

    c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

    Download Submit

  • \Users\Admin\AppData\Roaming\ctfmhost\DpiSfWrp.exe
    Filesize

    464KB

    MD5

    5c3172a73f3f4daa506fea7d598e86df

    SHA1

    56dcf3b95e7f362a66dc9c4dddd0a3c9282928e1

    SHA256

    27bcbf8c232e3fc8d52134980e0aad1427227a4cfeebc44181d70d49bfc41170

    SHA512

    807bccaff49e4d20384d18c5470566f913a8ef8ecb4f1d233a6822299e27705afb059aaf71dfd9a9f6e0594e1eef75b269c383c8721b66c0359e410c65d15cde

    Download Submit

  • memory/1192-27-0x0000000002610000-0x0000000002616000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1192-21-0x0000000004010000-0x0000000004094000-memory.dmp

    Filesize

    528KB

    Download

  • memory/1192-28-0x0000000002DB0000-0x0000000002DBD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1192-24-0x0000000004010000-0x0000000004094000-memory.dmp

    Filesize

    528KB

    Download

  • memory/1192-20-0x0000000004010000-0x0000000004094000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2164-0-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2164-9-0x00000000084C0000-0x000000000853A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2164-1-0x00000000004F0000-0x000000000056D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/2164-11-0x00000000084C0000-0x000000000853A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2512-33-0x00000000004F0000-0x000000000056D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/2512-34-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2844-19-0x00000000002D0000-0x00000000002D5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2844-26-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2844-16-0x0000000000220000-0x000000000029D000-memory.dmp

    Filesize

    500KB

    Download