Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-05-2024 23:48

General

  • Target

    5b6ac7506801860708ded99e9e853e90_NeikiAnalytics.exe

  • Size

    2.2MB

  • MD5

    5b6ac7506801860708ded99e9e853e90

  • SHA1

    a0fb60df467f30e363f50415aca4d3bdb1bc1279

  • SHA256

    c5763ac37f7e6584d7c77112bb21e5fc4f54c67240e8ab53ea3728fba7907d39

  • SHA512

    42bb8bb51fbfc326b846e6a835adcd4c5ab390b2b2f0f5c0371e910dc56506cd54fec0c20a36941580aa8368eb450c52fedeaa63022907279b7f2de6d050232e

  • SSDEEP

    49152:mW94v+AWYCIl1lwdQ/etn5HfH1hLQ/NE25OqCWViCAB:bJAWYll1lwd/npPLm+PRW

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b6ac7506801860708ded99e9e853e90_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5b6ac7506801860708ded99e9e853e90_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
      2⤵
      • Enumerates connected drives
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2344
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5C9F479946240B1443A31CCF33A452BA C
      2⤵
      • Loads dropped DLL
      PID:2656

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSI1AD1.tmp

    Filesize

    6KB

    MD5

    078f637d0fe4ed0375ce4ed3a067b814

    SHA1

    00e9f95a60145ccc04095601dd49b663e987c588

    SHA256

    5e7e010023cd0373fcb4fa0fb2d7ff328a53295f6b2fdb9ff805854e6410fbcc

    SHA512

    20b531d3dcbafe9d815633b6cc20cd53ca2b8854183ff72e2f7c1fbf3ac23a3cf70a3271e55b30156de341af785a1b2411c0d76aaf08e4e2c426b8e4a551ecc5

  • C:\Users\Admin\AppData\Local\Temp\setup.msi

    Filesize

    167KB

    MD5

    b400ceb855c02706a0aab7fe04d88874

    SHA1

    7d94b32c3872509ab48d323f1dc6970fbb4a6ced

    SHA256

    0d0cbe96167970f698586269325e8321f91a3d2d5f2afd149f34eebbed2a36ae

    SHA512

    736295deef177f9b67826cd76eaa7ddd1e0bf403d22cff2dddcda4a0968e4889057a1500a373759c27f06456072f66f8eb4fd1e76d3c26660b4ac320b440d054

  • memory/2696-0-0x0000000000400000-0x0000000000641000-memory.dmp

    Filesize

    2.3MB

  • memory/2696-1-0x0000000000F80000-0x00000000011C1000-memory.dmp

    Filesize

    2.3MB