Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 02:58

General

  • Target

    150f04288d1d414cfe4e22d25caf2900_NeikiAnalytics.exe

  • Size

    1.4MB

  • MD5

    150f04288d1d414cfe4e22d25caf2900

  • SHA1

    46a253467d55f3b01dd1446850052ffbd14e0525

  • SHA256

    04bd061757ba138db1a94fdd6089c1b293aabe5e6f73f7247a993bca8d43ca5b

  • SHA512

    4a4c53c479f95d0fd0486e188c573065f647caebca51cd5180b17468ff4540ba7137428a55a6fe131263173909fca84bd513b8393e2bed99b9ae6d174ddef0f0

  • SSDEEP

    12288:N0ena0IW6XXkKQ5xc6AybfI5u+UBxMzNRgGj6JbOE33nX5YLkkpvkYuhKw/NF8u0:Nf69QIgbSu+UYxR/jrEnnX5NYruhKG2p

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\150f04288d1d414cfe4e22d25caf2900_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\150f04288d1d414cfe4e22d25caf2900_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Checks processor information in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\SWFLASH6.OCX
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      PID:4140

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\untitled3_skin.swf

    Filesize

    15KB

    MD5

    81ada85b320f256e7ecbde2e54cdc98e

    SHA1

    8bab2bf513437035bc6b35ef0f3e3a5c3423658b

    SHA256

    a8400cf3a4f35aa5adee272b1c0d9c256e0d9a5ddf26f88ac29af42404b4e059

    SHA512

    94f816fbc9f3e03bcbe45fdc6ea07a81396ecfc8577865ab39bcb878a1c335aa69c405ccc4b9936249c7ef03d5a435ad57265ad9196bd1bd1b46639b1ebdadc9

  • C:\Windows\SysWOW64\SWFLASH6.OCX

    Filesize

    1.4MB

    MD5

    1699c5ecb451ed0790fe7e0066ee6fa5

    SHA1

    5143395192cddfb6247b66e4bb492d93e681787f

    SHA256

    60867910994ad3f2b9bdad853b0ae8c7afd90de9fc7bf5a58e9ad004105b0e6a

    SHA512

    a0e8b8d8a6e40938fa6d2faac264de9e188ccbcfcfce65558e5e4b724ae5e184f95b8adbe13cd5da8c0ed2d9342a1526b546b6334c7feceaaf1b6600c9a50d62

  • memory/3508-1-0x0000000000406000-0x0000000000407000-memory.dmp

    Filesize

    4KB

  • memory/3508-0-0x0000000002410000-0x0000000002411000-memory.dmp

    Filesize

    4KB

  • memory/3508-2-0x0000000000400000-0x0000000000694000-memory.dmp

    Filesize

    2.6MB

  • memory/3508-18-0x0000000000400000-0x0000000000694000-memory.dmp

    Filesize

    2.6MB

  • memory/3508-21-0x0000000000400000-0x0000000000694000-memory.dmp

    Filesize

    2.6MB

  • memory/3508-25-0x0000000000400000-0x0000000000694000-memory.dmp

    Filesize

    2.6MB

  • memory/3508-27-0x0000000002410000-0x0000000002411000-memory.dmp

    Filesize

    4KB