Overview

overview

7

Static

static

3

1b797600bd...cs.exe

windows7-x64

7

1b797600bd...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/05/2024, 04:15

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe

  • Size

    1.3MB

  • MD5

    1b797600bd2e90cc098866df3b9d5290

  • SHA1

    ae33f1236d6011b114ba73c264ce6ea4fe7b6db4

  • SHA256

    04c05da1d0c3780c83b7468acb63916086f75dd82f9fa6b597e2acb07a1021b8

  • SHA512

    d6ad79c3bb164a7763291092bdee8e4534dd47b861888ced1bce3845ffe5e11c9429d012478f27e2948c4187631f3d8219346fdec7934fb171aa8216ef8211d0

  • SSDEEP

    24576:0/ApeDWpzxyLt1Y1o5n4s0Ab7Ixb0wiqu86LIzfWZB0vxI0:04xat1moBHcOwimtZH

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3096
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\285D9.exe" /f
      2⤵
      • Adds Run key to start application
      • Modifies registry key
      PID:1504
    • C:\Users\Admin\AppData\Roaming\285D9.exe
      "C:\Users\Admin\AppData\Roaming\285D9.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      PID:5048
      • C:\Users\Admin\AppData\Roaming\285D9.exe
        "C:\Users\Admin\AppData\Roaming\285D9.exe"
        3⤵
        • Executes dropped EXE
        PID:3896
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\fiore.pdf"
      2⤵
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3440
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1188
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DEBB6CC0554A7127BE480FB9076334BC --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
            PID:4332
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C78F82C3B11C6E3C3EB7221A0C9003EC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C78F82C3B11C6E3C3EB7221A0C9003EC --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
            4⤵
              PID:4768
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B96AC16DB52469C22C6EE575B545E408 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              4⤵
                PID:3168
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FE08FFD99E0B2CFDEB0BA89045689853 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FE08FFD99E0B2CFDEB0BA89045689853 --renderer-client-id=5 --mojo-platform-channel-handle=2416 --allow-no-sandbox-job /prefetch:1
                4⤵
                  PID:1668
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8E57812162B76F0A14A9BA9686A22E67 --mojo-platform-channel-handle=2868 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  4⤵
                    PID:5100
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0B5FFA1F757B16CA92EC7EDA8745BC78 --mojo-platform-channel-handle=1900 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    4⤵
                      PID:2844
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:3804

                Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                        Filesize

                        64KB

                        MD5

                        00f72d0c1e505949c228f870209bfc25

                        SHA1

                        d7a0276b87bafd275991f28312ef9cad6514f136

                        SHA256

                        fedff8fc0623955248313a32cc14039324332a7d2d36e24728364cf28757fd08

                        SHA512

                        61cc57e342bea1a434ba8330be1a71182198d4883ba1d77aca4486b5e37f87b3d46a8a7350a34f6d1410ca319e38b9fd760ae7e84c3c3cd00d37c9dca694c714

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                        Filesize

                        64KB

                        MD5

                        fadb3845eea4b1803f35a26c121a42ff

                        SHA1

                        b9471d49754296735c7baae34d3356d6bd61cb7e

                        SHA256

                        c5100cda0a295a9410f2a26757fe2528292d01a766484b422f014c7ac73c5e66

                        SHA512

                        8c93295f8d76647cba2b93ea4d093a6c1a19e80182c27fa0bbfdc568399e7bf576a1bfb8fe02635eb1ef7dca12601d3a0018e6d24e4f41b69a91c399595327e4

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\285D9.exe
                        Filesize

                        1.3MB

                        MD5

                        d1d06cf6a4d287c83fa177585dc61c18

                        SHA1

                        56ba7d1fd06335775aa1995be5004e9cb85fe952

                        SHA256

                        adae9fb778a1a9d359b5bffb739331881ee64626d89ffef4772e06cbea29b2d8

                        SHA512

                        b0db2864a3fb63628bae6053ff42c1e1e5ea48942d085742a938e23e541eff16ecf69c033ace03b791d154f35b3af789a5a127a6fa2efd04fae7c17d5910bdb3

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\fiore.pdf
                        Filesize

                        209KB

                        MD5

                        8a7db5362268dd64b9cec01fd99db7c5

                        SHA1

                        3c27053b7309527659ed0c07fa986516a14b2d3c

                        SHA256

                        8bc7bbfc60dba3928611f77d80508bbf77762657d6be35106146830b5fe5edc5

                        SHA512

                        c17d9b58e7246938e66d52d65bd6a54eaa22b932023b1dcd8a34c0b2ac82e8f91f4c5ade12f7a1857c5c36f30aeec2c650a1f9b087627725cfd3613a4f683036

                        Download Submit

                      • memory/3096-0-0x00000000007F0000-0x00000000007F1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3096-16-0x0000000000400000-0x000000000054D000-memory.dmp

                        Filesize

                        1.3MB

                        Download

                      • memory/3896-88-0x0000000000400000-0x00000000004A7000-memory.dmp

                        Filesize

                        668KB

                        Download

                      • memory/3896-90-0x0000000000400000-0x00000000004A7000-memory.dmp

                        Filesize

                        668KB

                        Download

                      • memory/3896-109-0x0000000000400000-0x00000000004A7000-memory.dmp

                        Filesize

                        668KB

                        Download

                      • memory/5048-13-0x0000000002060000-0x0000000002061000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/5048-50-0x0000000000400000-0x000000000054D000-memory.dmp

                        Filesize

                        1.3MB

                        Download

                      • memory/5048-94-0x0000000000400000-0x000000000054D000-memory.dmp

                        Filesize

                        1.3MB

                        Download