Analysis

  • max time kernel
    150s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/05/2024, 23:24

General

  • Target

    5702def7a9c446eb849d96593919eb60_NeikiAnalytics.exe

  • Size

    379KB

  • MD5

    5702def7a9c446eb849d96593919eb60

  • SHA1

    0664f4fe9fcd6694f7ef08db5d808f13e481ccff

  • SHA256

    a1db0875197c5e7f9a82e06a501dcc3601fe896db6b60b32f2879fb62d37871f

  • SHA512

    db431d65d12439910363bda311cc0880e5efeeb2f253d04c0b94555580b6c69fb615bc9ca5cf2a902b1009153e8b63845cba7ef89448ef3476d71a3a30f5a27b

  • SSDEEP

    6144:XLZ/JdWKonbQAGBCTmpUi65QHtppS07Ga9u:1/JybQLBCTmpI5eN7j9u

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks for any installed AV software in registry 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5702def7a9c446eb849d96593919eb60_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5702def7a9c446eb849d96593919eb60_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5498.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4820
      • C:\Users\Admin\AppData\Local\Temp\5702def7a9c446eb849d96593919eb60_NeikiAnalytics.exe
        "C:\Users\Admin\AppData\Local\Temp\5702def7a9c446eb849d96593919eb60_NeikiAnalytics.exe"
        3⤵
        • Executes dropped EXE
        • Checks for any installed AV software in registry
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2688
    • C:\Windows\Logo1_.exe
      C:\Windows\Logo1_.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3120
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:896
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          4⤵
          PID:4424

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\7-Zip\7zG.exe

      Filesize

      750KB

      MD5

      f6d969f9be3a87bcd2d2467adb433e83

      SHA1

      cb932fdb2d8b1deace177efd15f1db80db6b8b35

      SHA256

      857980b0d07deef9175ccc079ebef1b9a715e23817494e6030fa9f072e0c1430

      SHA512

      f13dfce342cf4f12fce9f3c81de8dfbc81717a9cb2225d14369e1ae949195edccb1ddb8bc3fee027f859f1df2421e46684d03dce8c312475cab5bf9619fae119

    • C:\Users\Admin\AppData\Local\Temp\$$a5498.bat

      Filesize

      620B

      MD5

      b2589037df9da7d55db84dff28189684

      SHA1

      5370c76a1ce50b2009f68ca9b287c8e1bf477d72

      SHA256

      b7a2d06743d1a597b77843c52d2f24730e92c6dd134b7ed9d2144fc6b1d32dd0

      SHA512

      5fc85600407c4bd76451fbf7e1f67a69fc90dad66f2c315087c0080094349796110636cb8ecfccbe7bccd876e2deacd635c0da4d203bccf3846767a9e19f5747

    • C:\Users\Admin\AppData\Local\Temp\5702def7a9c446eb849d96593919eb60_NeikiAnalytics.exe.exe

      Filesize

      313KB

      MD5

      7a8a90ffb24d64c19f5b6be5b36ead97

      SHA1

      4e66f0e0d0a54bae622590513fdcb76d9f4d4f52

      SHA256

      39d6f7e0f2af78c84a2101126626246c20907defd388677edcfe32a64a156fa1

      SHA512

      67fa32b0044e5580745eb954a4c8274bbfc974e736999a98509dcdcdb1b88ad4065b913f1afac712c761c27f50db03da289a53f4e39e616065868a68a3c9a878

    • C:\Windows\Logo1_.exe

      Filesize

      66KB

      MD5

      550503a142f3798c6c8b1d0b83895c4f

      SHA1

      58ea3b77e0f8f27e81f2d94d99e91e061045956e

      SHA256

      73b8921942d0155f78cf51488f0f4f88af66c853d57c23263f3e4fdf7bfcc58e

      SHA512

      ef14a1640d8fcaf977def32c8d618013bca1c76527313542c88f78bbd2de67843f0624e2fa0e1283c897a074a7bedb91bc6d891616a86f50f56811022bd405da

    • memory/224-6-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/3120-12-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/3120-13-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/3120-15-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/3120-17-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/3120-141-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/3120-207-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/3120-220-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB