Analysis

  • max time kernel
    150s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/05/2024, 06:53

General

  • Target: 1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
  • Size: 135KB
  • MD5: 5cbab93cd47c2f95ac9fd8045514f039
  • SHA1: b0926376cf2fae189476d8dfd76281dcbca87c76
  • SHA256: 1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504
  • SHA512: 7ac0932721ced4a7205eac499632a6200128c897f1ede91f9140bd6828fa68f1b78e12f0aa6f29b6ac9b8fc0b417a3c36773e7d30986e9e7b040d02d748f742c
  • SSDEEP: 1536:4fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVBcjjjjjjjjjjjjZ:4VqoCl/YgjxEufVU0TbTyDDal7g

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1484
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2412
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1780
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2264
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4800

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize: 135KB
    MD5: c181cfc67871edc5fbe801e647cb579c
    SHA1: 215d6cbca7c418a8e4da029069ea63bb9fde3bfd
    SHA256: ddc50124cec3f4e57372b5eecf22260d9fd0d8d3ed4b32a554dae096ddc75131
    SHA512: ca308140de93a7e0303be76427368f7bad873f59ff83bb4d49c0731a78fa194ee93d38bbbf0a4fc8983acf5b7714edb86f3ea4b4cb80cb0ee130e61d16c4f2aa

  • C:\Windows\Resources\spoolsv.exe
    Filesize: 135KB
    MD5: 39a0293230a619d02a2fd90bf6fdb342
    SHA1: 972c20c519d046dec594b7159e349ae2e0e68993
    SHA256: 3c699d82425ab951a0ac5993c7dc71aa723debb3f84e9e220d9466d572286f73
    SHA512: 47cf81d66034be80a2d1fbb281338076b8b471ef1a93efff823f25428be420f36f542906b843333dace1fb1a6a00d8e2c78dba2b80d41653724f6504b3067fda

  • C:\Windows\Resources\svchost.exe
    Filesize: 135KB
    MD5: d29a63ae37e5765bba8c12ae79d03f22
    SHA1: a49df5d31fc9b4335166ba37cedef5bb3505ade6
    SHA256: 0aa59772183f4fb8c4ca8491d05e829a162bd05807c7e5961d0d0bea227d6f5e
    SHA512: 9bec6a073c15b035754bbd7a4324d37474b6e65d1b86e96ad65829e089d1323a3db21996b1a4e8436dd4a5e265499c208f052d6ec51cf008af527d46684c96fc

  • memory/1484-0-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/1484-35-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/1780-34-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/2412-8-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/4800-33-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB