3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe
Size

76KB
MD5

2ab58296b3710a838e7efe71fc1eb720
SHA1

073e29a2b66435357650ca1d76ae3065f5358575
SHA256

3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796
SHA512

9b2d2716033a77c4a2c9f5f91d5db76182fc4282744610ee3751307fe057c83d863209b9ad7ba9052a756582397208ca4227d9ec87166f281f6a41cdb08be281
SSDEEP

1536:abSshapMJgKJUuxGmfJPtOgqm1s/XZSWcHW:K25KJFjfJPtOgqm2/XZXP

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2700	winlgon.exe

Loads dropped DLL 9 IoCs

pid	Process
2856	3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe
2856	3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2556	2700	WerFault.exe	28
2848	2856	WerFault.exe	27

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2856	3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe
2700	winlgon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2700	2856	3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe	28
PID 2856 wrote to memory of 2700	2856	3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe	28
PID 2856 wrote to memory of 2700	2856	3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe	28
PID 2856 wrote to memory of 2700	2856	3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe	28
PID 2700 wrote to memory of 2556	2700	winlgon.exe	29
PID 2700 wrote to memory of 2556	2700	winlgon.exe	29
PID 2700 wrote to memory of 2556	2700	winlgon.exe	29
PID 2700 wrote to memory of 2556	2700	winlgon.exe	29
PID 2856 wrote to memory of 2848	2856	3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe	30
PID 2856 wrote to memory of 2848	2856	3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe	30
PID 2856 wrote to memory of 2848	2856	3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe	30
PID 2856 wrote to memory of 2848	2856	3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe	30

C:\Users\Admin\AppData\Local\Temp\3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856
- \??\c:\users\admin\appdata\local\temp\winlgon.exe
  c:\users\admin\appdata\local\temp\winlgon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 256
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 204
  2⤵
  - Program crash
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winlgon.exe

Filesize
77KB

MD5
e36a76f14b3c44d965e095995259a541

SHA1
00d4e5b468dd774875d79e1c3e9efaf449e90935

SHA256
51a52dc27faf46632935db9de572878409a2a3306ad820e371e21b2c055bdc2c

SHA512
7036e689c2097544d01d10d45191a986ccb98cef204760f02369ef573c7b951d9553a7478a7c61032ddaee0eeabdee8355e6a23c68626f2eed00f42e5e480394

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads