Overview

overview

10

Static

static

7

1d965887e2...cs.exe

windows7-x64

10

1d965887e2...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    21/05/2024, 07:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d965887e2033a596346a7cca9f9aa563807be0265c02d471193c7859d7bb4df_NeikiAnalytics.exe

  • Size

    352KB

  • MD5

    f9a1151475a7d5624c55de91bb7c6060

  • SHA1

    f7a6c0c5239b9503795d97e0059a5583cc57d73f

  • SHA256

    1d965887e2033a596346a7cca9f9aa563807be0265c02d471193c7859d7bb4df

  • SHA512

    b651c14b55b3a415f0c90e5be572534a3fec226be36e9b73157fa7e358601e7356720c01d2ddaa9ac6e443b660f6e9b76074f07fc5818ced2f92733a1dfd099b

  • SSDEEP

    6144:vIGEnprZkRs38t54c6rzNdf3IGEnprZkRs38t54c6rzAdfl:vxEnAR934LxEnAR934I

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 8 IoCs
  • Modifies system executable filetype association 2 TTPs 62 IoCs
    persistence
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 24 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 42 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d965887e2033a596346a7cca9f9aa563807be0265c02d471193c7859d7bb4df_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1d965887e2033a596346a7cca9f9aa563807be0265c02d471193c7859d7bb4df_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\WlNLOGON.EXE
      C:\Windows\WlNLOGON.EXE
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2788
    • C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2536
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2356
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2564
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:888

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\services.exe
    Filesize

    352KB

    MD5

    f9a1151475a7d5624c55de91bb7c6060

    SHA1

    f7a6c0c5239b9503795d97e0059a5583cc57d73f

    SHA256

    1d965887e2033a596346a7cca9f9aa563807be0265c02d471193c7859d7bb4df

    SHA512

    b651c14b55b3a415f0c90e5be572534a3fec226be36e9b73157fa7e358601e7356720c01d2ddaa9ac6e443b660f6e9b76074f07fc5818ced2f92733a1dfd099b

    Download Submit

  • C:\Windows\Desktop.ini
    Filesize

    65B

    MD5

    990a0bd866566534e37192439277e040

    SHA1

    90abfe04350a375df3beddd411256143e606461b

    SHA256

    ee3aaf1bcc2539bdddb6f25f4d0902cd023d83d902196d1bf2fcd37a73469038

    SHA512

    e598c68ae8f1a62cbc870fb7cf2c634ba24d1f1bfa62428a23aac7c914b3a775fa06564b6e084eaf9215086da433a80e49f2cbe81ca990414df3e57716dea4b7

    Download Submit

  • C:\Windows\MSVBVM60.DLL
    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

    Download Submit

  • C:\Windows\SysWOW64\OEMINFO.ini
    Filesize

    462B

    MD5

    45d327d7d806625d696945dea064d7a2

    SHA1

    81a36b2a66c8dcce870a82409c6f772cc06addf0

    SHA256

    e022ef7261dfe3e79b78e4bff605ae3f0480cd54d80b7c3358bd9091a0f0f04a

    SHA512

    8b78bb4fa2c05d509cf171525b0ba7bf735a8890854f0ef16b29c9456ff547ccd86423068f61c21b8f35a0797ee44f9a8697861c34f133c6c26dfcf99e8f849c

    Download Submit

  • C:\Windows\SysWOW64\OEMLOGO.BMP
    Filesize

    40KB

    MD5

    4de286f5923036648db750d58ba496e8

    SHA1

    0252d5d6c7a3b7dfa71fca4b30a53522fd7c6f67

    SHA256

    eb79555170611879e79b4cdba59bdf679e63df9d7927d01354e5cf859274c58c

    SHA512

    069daaa01a04add11a9e5fc0988b5d42e6ad50011fa148df41ffb3a905ffc170ab65ba66f4ad921306503d8792dd192c173c532232fc7ef146c09aa76ddf548f

    Download Submit

  • C:\Windows\WlNLOGON.EXE
    Filesize

    352KB

    MD5

    819eb3e70aa20a783749498dd3bc4934

    SHA1

    e4329709cacfd7e40fc0819eab513c2b2a6bc801

    SHA256

    5225785b49a5fd6e00f19b4533d7c8264be3f69ee373d91cc084f4a3fc440c3f

    SHA512

    ffcf3db641e0064e40269fca72983bd7108fb307208aea4def069f0c3a521735fbd26bd248b08693bc244d982f92bbac3869d10f60dfb22cf1028eb7cb4874dc

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    352KB

    MD5

    6c52fd86b5bd8d4cc37585716801e03e

    SHA1

    8bef6a85b8ec3adeec12364dc0657c773e3317ea

    SHA256

    1d47e953b07044a9b3c49d9790b7dd1d279d69d79e77f27fd1a8a08429f0e820

    SHA512

    6418c32545aae6193fdf81671679a5ae0154027f5ebae51613a12bc5df3969f9fb6f7667282e9716ff6df4272335e934cb0764dc0ba51881b2180fdb23858639

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    352KB

    MD5

    f5497354b7f94a9f09f9078c7c66ecfc

    SHA1

    d87a504419b7c95c2d1c73d54d7d6f1dfa85bcce

    SHA256

    b9fb4d3cbcdd8040c23170b3af5f1b3e279c314feae0fd3bb2e71a93df08114b

    SHA512

    ab0d934171d7af10446bd370a2b45e7f670db558cb02a614e75715d1b76a742d9549b41029559d5347ed44da2d408a02b53a473f727dcd8d658b7a7bdfad16f9

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    352KB

    MD5

    fc0285c828f338f7cdddb291769bcf2c

    SHA1

    ca34f448d0eb6a0557021a2871feed9f478ffff3

    SHA256

    9fd6dc2424d7ec285b6c14b32ce48f21a374b0385eaa1081898a0d0871a1d5a0

    SHA512

    5cb0391db1388087630c92c5d1c3f0e1daa7e674b7e7dde6fe68668f97d831e675e4ff816effcbf9193bd0104a394c910f3cfb43cd7b1556d4102533df3598e3

    Download Submit

  • \Windows\SysWOW64\shell.exe
    Filesize

    352KB

    MD5

    3ee4ef6905c407947bd0430c2461e25d

    SHA1

    cfa7f35dd3c44124901aa5d75e4fd6f2d22734fa

    SHA256

    0e752f246ada786c447464ca4c7657230be46832fb2d5fca27581064e882679c

    SHA512

    497d8988fe25cb84ad7e955a0e4f1ea28fd36e61277699f864f6b5f74b53286c7db0b2a72daa1fb02f274b9c6def80aaeecc1037f5b01545e1de72fff999de2b

    Download Submit

  • memory/888-544-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/1244-94-0x0000000003850000-0x00000000038FA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/1244-124-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/1244-99-0x0000000003850000-0x00000000038FA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/1244-0-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/1244-537-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2356-461-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2536-150-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2564-543-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2788-133-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2788-147-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2788-146-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2788-97-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

    Download