Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
21-05-2024 20:51
General
-
Target
0cebffcc508b9c908596fe6233d0b410_NeikiAnalytics.exe
-
Size
72KB
-
MD5
0cebffcc508b9c908596fe6233d0b410
-
SHA1
ecbcf8bcca3e54ecde58a1ac6b19e2e15b1fb113
-
SHA256
c60f3790018d9dcb3433df7a2928977853635d440a3ba1284873607a1faf8d0d
-
SHA512
fa80a4729c1b2de9e63e969659d0eeac75efe554579e5a234260824b9a29a7a0d7cfbcad6d0542322ea6426b88c01fc99524b13f44abbc7cc36c6b596931f692
-
SSDEEP
768:x/nGhX+OZMUpVzJKsMIWqH3N7GLCMa7kmewpUn/LwSUBPkvgjzkQyTDbAFd2Pm5i:xYX+EMU/zobY39qoowSUBPkzQyzAsGTk
Malware Config
Signatures
-
Windows security bypass 2 TTPs 4 IoCs
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
Sets file execution options in registry 2 TTPs 3 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Windows security modification 2 TTPs 4 IoCs
-
Modifies WinLogon 2 TTPs 5 IoCs
-
Drops file in System32 directory 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\0cebffcc508b9c908596fe6233d0b410_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0cebffcc508b9c908596fe6233d0b410_NeikiAnalytics.exe"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\oftupet.exe"C:\Windows\SysWOW64\oftupet.exe"3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\oftupet.exe--k33p4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\apdibeam-ouced.dllFilesize
5KB
MD5f37b21c00fd81bd93c89ce741a88f183
SHA1b2796500597c68e2f5638e1101b46eaf32676c1c
SHA25676cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
-
C:\Windows\SysWOW64\evbupes.exeFilesize
72KB
MD53be42477f23bd7ecd9a8b747ab41ca1f
SHA1f7cd8e527eee4768b89b7d65d7c7be34f6427292
SHA2562728bf89f4d20bee014beff52a7320aefb3f1f5f382ddb7eafa750b3a29086da
SHA512c864d940b063c682fe87bdb0e157e0c16b644ec8bbad9a5b77256b91509430d12a57a85414688918a3366a143f179e83aff95bbf738d0cd31a5ec5b959172401
-
C:\Windows\SysWOW64\imnoosef-amix.exeFilesize
73KB
MD536511d4708f9a12995c44693c75bf792
SHA10df2162fe0b2ff6bb0c8fd44d96a8d4656f8aa54
SHA25610209ebbe0d80d670fcef2f8f57871f6491b24f48c23855bd664ba52517f3a30
SHA5129d51a0df5dc9ca3489a0d847154d8534b3fbb0c006d0310d2083923a8ba526319c3de66eb868478c26bb3d47d17f7ead8aa37f8fbb19b51a5c4551ec138791f1
-
\Windows\SysWOW64\oftupet.exeFilesize
70KB
MD506290472ac7ccc39587d5bcb838e9ac0
SHA14fbeb3e697babe081d9a6f661ad0c213bc006990
SHA2567fe813ef10c5d8fc61f5153f5dd0b28022f697991427636c81e10d11e19f2032
SHA5124228f94a61611314e0a5e537b2d020b70101c67ae373e35ce4ab2f1a523090dee65a2da467d97f4c0d3dd72dd764250287af59905f9b6e9eed56040b5201f6e4
-
memory/1892-50-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2292-7-0x0000000000400000-0x0000000000403000-memory.dmpFilesize
12KB
-
memory/2540-51-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB