Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 03:24

General

  • Target

    154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe

  • Size

    4.8MB

  • MD5

    154fdd8d7a5ead17e65368304bef4670

  • SHA1

    599d2f53163ea8aa76f48dffb34691f44a0c4608

  • SHA256

    9adde015996141199f100d4601cc5be9765997170b9fcbb95a23e4b474a6ac30

  • SHA512

    f88c55f9a4b98a46c15b25726f583c050f04dcd20ae9efb3589f82957f0360f3503130491c336480fdb32ef3d4507debe8881ca8e3a71b5376cdd49bd4290c9a

  • SSDEEP

    98304:g2mDMmD2mDe2mDMmD2mDc2mDMmD2mDe2mDMmD2mDc2mDMmD2mDX:g2mDMmD2mDe2mDMmD2mDc2mDMmD2mDeW

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3764
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Modifies registry key
      PID:1424
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4520
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2972
          • C:\Users\Admin\AppData\Local\Temp\avscan.exe
            C:\Users\Admin\AppData\Local\Temp\avscan.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2916
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
            5⤵
            • Checks computer location settings
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4812
            • C:\windows\hosts.exe
              C:\windows\hosts.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:464
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              6⤵
              • Adds policy Run key to start application
              PID:856
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:3828
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:1232
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:5004
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:4208
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          PID:3352
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:5068
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1568
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:3332
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:852
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3204
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2896
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        PID:852
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4468

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\avscan.exe

      Filesize

      4.8MB

      MD5

      8b953f66ab362687357edf5e86702f77

      SHA1

      959fd0d38d7ab4493792a9cc3fb264dfed085b0d

      SHA256

      e12a11854766c495fac8f8f0c424ee5d46289ac9305ed8079f932b117b161d93

      SHA512

      ae8e7f78f81b8025d2ac2dd7b2961a5ceb4828cd1c589e580c3600a84641a0f1509fb24d454a312b38fe1d351769b43fdfa7d01dad396ff0aea0adc1331dcfc3

    • C:\Windows\W_X_C.vbs

      Filesize

      195B

      MD5

      338224f444afbfff81c0b0b4d06cd8b3

      SHA1

      ccf8d9ec111de1ab6ae57d1f1f0d7e35e1709632

      SHA256

      42c83a3faf58327b65a99b1720783d354ce6d8d413ae4acfbb2a55bb43aed4ea

      SHA512

      ce79dc5d82cf23ac2e95e3f8f4dd49b0f6fb2691aa2dfbd8ea8e200e9b934094029f10a1336b4537fb0a1afa81013b070d0653cf0b1429a3137aa66050068d17

    • C:\Windows\hosts.exe

      Filesize

      4.8MB

      MD5

      91af6d5d25d7ef266332da411fde6f5f

      SHA1

      0623943d0739def9bde804a5be5c685b3b3ec087

      SHA256

      9eced061d52a1300dc3cc99ebdbea181344adaea015402a4c76bcd96f6dd5449

      SHA512

      e8c39dd42c978aa99e6a6dd398642bacc212de159e49a9e4046bd156079a0a93bcedd44309b535d97094cfc25767533a7dd24b52b59d9acd65548fc08cf29c6f

    • \??\c:\windows\W_X_C.bat

      Filesize

      336B

      MD5

      4db9f8b6175722b62ececeeeba1ce307

      SHA1

      3b3ba8414706e72a6fa19e884a97b87609e11e47

      SHA256

      d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

      SHA512

      1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b