Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/05/2024, 05:06

General

  • Target

    1f3843f88caa7a73474063978aae0f70_NeikiAnalytics.exe

  • Size

    97KB

  • MD5

    1f3843f88caa7a73474063978aae0f70

  • SHA1

    1d3196a876bb5879d9f3dea8f01c03680f2affda

  • SHA256

    760b9382dd3a8add74ea80fe8f1157c59399e9521a19decd6b6c2589e2889c12

  • SHA512

    b317da44f39eb292489c6c9e53f539fe1a547096c3ec03a59a8c252d6978cebb74711b66ef265ef9d31fa9775bb8fde4ea870db3081a52abc27159880213691d

  • SSDEEP

    1536:4a3+ddygX7y9v7Z+NoykJHBOAFRfBjG3YdoI4:J8dfX7y9DZ+N7eB+tI4

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
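The registry keys and file paths behind these signatures can be turned into a host-side check. The following Python is an added example, not part of the sandbox report or of the sandbox vendor's signature code. The Winlogon Shell/Userinit and Explorer Advanced HideFileExt/ShowSuperHidden value names are the standard locations such signatures cover and are an assumption about what this sample touches (the report does not name the values); the registry snapshots in demo() are constructed; the file paths and SHA256 values are taken from the report's process tree and Downloads list.

```python
import re

# Registry locations covered by "Modifies WinLogon for persistence" and the two
# "Modifies visibility of ..." signatures. Assumption: the report does not say
# which value the sample wrote, so both standard candidates per key are watched.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ADVANCED = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
MONITORED_VALUES = {
    WINLOGON: ("Shell", "Userinit"),
    ADVANCED: ("HideFileExt", "ShowSuperHidden"),
}

# File artifacts from the report. The dropped copies appear under both
# C:\recycled and F:\recycled, so any drive letter is accepted.
PATH_RULES = [
    (re.compile(r"^[A-Z]:\\recycled\\(svchost|spoolsv)\.exe$", re.I), "dropped copy in <drive>:\\recycled"),
    (re.compile(r"^C:\\Windows\\Fonts\\ Explorer\.exe$", re.I), "' Explorer.exe' (leading space) in Fonts"),
    (re.compile(r"^C:\\begolu\.txt$", re.I), "marker file C:\\begolu.txt"),
    (re.compile(r"\\Flu Burung\.txt$", re.I), "dropped text file 'Flu Burung.txt'"),
]

# SHA256 of the submitted sample and of the captured dropped files (Downloads section).
KNOWN_SHA256 = {
    "760b9382dd3a8add74ea80fe8f1157c59399e9521a19decd6b6c2589e2889c12",  # submitted sample
    "2003d905e101f71f95747a722d195deaedef28e5f1786f13777d6f99046c8793",  # C:\Recycled\SPOOLSV.EXE
    "7e368261bf2cbd3942f6990d0b60187252ce546c60f0547bc95aabc9e16f1f1e",  # C:\Recycled\SVCHOST.EXE
    "62b2ae9586dc62a355d35bd2118c9cb2987fad99d68183ea797245d961af04bd",  # F:\Recycled\SVCHOST.EXE
    "6390a457cc3c128a7f8eabb36fe9a09278bb40b7522c857d81f661ec8957636f",  # C:\Windows\Fonts\ Explorer.exe
    "3973f02d909b787527ed2df457e578dfcaa68ac655e43254d40708a09fe72134",  # C:\Windows\Fonts\ Explorer.exe
    "6c2ff351700225bfaffd83356c95e304cbfa2de0ec2116b1a5f1b8928e3ce62b",  # C:\Windows\Fonts\ Explorer.exe
}


def registry_findings(baseline, current):
    """Diff two registry snapshots ({(key, value_name): data}) on the monitored
    values. Comparing against a known-good baseline avoids hard-coding which
    way the sample flips the Explorer flags, which the report does not state."""
    findings = []
    for key, names in MONITORED_VALUES.items():
        for name in names:
            before, after = baseline.get((key, name)), current.get((key, name))
            if before != after:
                findings.append(f"registry: {key}\\{name} changed {before!r} -> {after!r}")
    return findings


def file_findings(files):
    """files: iterable of (path, sha256_hex or None). Path rules catch the
    drop locations; the hash set also catches copies that were renamed."""
    findings = []
    for path, digest in files:
        for pattern, label in PATH_RULES:
            if pattern.search(path):
                findings.append(f"path: {path} ({label})")
        if digest and digest.lower() in KNOWN_SHA256:
            findings.append(f"hash: {path} matches a captured artifact")
    return findings


def demo():
    """Constructed snapshots shaped like this report's artifacts (not real host data)."""
    baseline = {(WINLOGON, "Shell"): "explorer.exe", (ADVANCED, "HideFileExt"): 0}
    current = {  # constructed: illustrates a Shell hijack, not the value this sample wrote
        (WINLOGON, "Shell"): r"explorer.exe,C:\recycled\SVCHOST.EXE",
        (ADVANCED, "HideFileExt"): 1,
    }
    files = [
        (r"C:\recycled\SVCHOST.EXE", "7e368261bf2cbd3942f6990d0b60187252ce546c60f0547bc95aabc9e16f1f1e"),
        (r"F:\recycled\SPOOLSV.EXE", None),
        (r"C:\Windows\Fonts\ Explorer.exe", "6390a457cc3c128a7f8eabb36fe9a09278bb40b7522c857d81f661ec8957636f"),
        (r"C:\Windows\System32\svchost.exe", "0" * 64),  # benign control entry
    ]
    return registry_findings(baseline, current) + file_findings(files)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a live host the (path, sha256) pairs would come from hashing the listed locations on every mounted drive, not only C:, since the tree shows the copies on F: re-launching themselves.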

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f3843f88caa7a73474063978aae0f70_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1f3843f88caa7a73474063978aae0f70_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3456
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:624
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4968
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2444
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1408
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4452
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:5072
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3300
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1112
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2408
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:232
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2456
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1f3843f88caa7a73474063978aae0f70_NeikiAnalytics.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1508
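The process tree above has a shape that process-creation telemetry can catch without any hash: Windows service binary names (SVCHOST.EXE, SPOOLSV.EXE) running from a \recycled folder, every copy launched with a ":agent" argument, copies re-launching from the F: drive, and WINWORD.EXE opened by the sample on a .doc in Temp as a decoy. The following Python is an added example, not part of the sandbox report; the event list is constructed from the tree above (the PIDs are the report's, the parent PID of the initial sample and the benign svchost control row are assumptions, and the Sysmon-style field names are the example's own).

```python
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (field names are this example's own)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SERVICE_NAMES = {"svchost.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32"


def detect(events):
    """Return (pid, reason) pairs for events matching the tree's behaviours."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        image = e.image.lower()
        # 1. Service-binary name running from anywhere but System32.
        if name in SERVICE_NAMES and not image.startswith(SYSTEM32 + "\\"):
            findings.append((e.pid, "service-binary name outside System32"))
        # 2. The ":agent" argument every dropped copy is started with.
        if e.cmdline.rstrip().endswith(":agent"):
            findings.append((e.pid, "':agent' argument"))
        # 3. Copy executing from a drive other than C: (drive-to-drive spreading).
        if name in SERVICE_NAMES and not image.startswith("c:"):
            findings.append((e.pid, "runs from a non-C: drive"))
        # 4. Word started by something other than explorer.exe on a document in
        #    Temp: the decoy-document pattern. Mail clients also open attachments
        #    from Temp, so tune the parent list to the environment.
        parent = by_pid.get(e.ppid)
        if name == "winword.exe" and parent is not None:
            pname = ntpath.basename(parent.image).lower()
            if pname != "explorer.exe" and "\\appdata\\local\\temp\\" in e.cmdline.lower():
                findings.append((e.pid, f"WINWORD launched by {pname} on a document in Temp"))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1f3843f88caa7a73474063978aae0f70_NeikiAnalytics.exe"
WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"

# Constructed from the report's tree. ppid 4000 for the sample is assumed
# (the report does not show its parent); pid 900 is a benign control row.
SAMPLE_EVENTS = [
    ProcEvent(1240, 4000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3456, 1240, r"C:\recycled\SVCHOST.EXE", r"C:\recycled\SVCHOST.EXE :agent"),
    ProcEvent(232, 1240, r"F:\recycled\SVCHOST.EXE", r"F:\recycled\SVCHOST.EXE :agent"),
    ProcEvent(2456, 1240, r"C:\recycled\SPOOLSV.EXE", r"C:\recycled\SPOOLSV.EXE :agent"),
    ProcEvent(1508, 1240, WINWORD,
              f'"{WINWORD}" /n "{SAMPLE[:-4]}.doc" /o ""'),
    ProcEvent(900, 800, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs"),
]


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Rules 1 and 2 alone cover every dropped copy in the tree; rule 3 is what distinguishes the F: launches, which is the removable-media spreading the "Enumerates connected drives" signature hints at.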

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Recycled\SPOOLSV.EXE

    Filesize

    97KB

    MD5

    b043e7f49158395ae8adb8c97c25cf0b

    SHA1

    ff8b119470ee39b51dbe7531228ad3887886b98e

    SHA256

    2003d905e101f71f95747a722d195deaedef28e5f1786f13777d6f99046c8793

    SHA512

    9e3ff28cafac5b2d78029c59c22da115e2ca4f8678e080cdfc52a14c9c2923d241affeea83a01d39cae41b9e31e0b761c63f94be59b1a63f88b1f8806981958c

  • C:\Recycled\SVCHOST.EXE

    Filesize

    97KB

    MD5

    d0ab932693fa1940d107236482a14fc9

    SHA1

    0e2d5cc556f89346313c215d31f33f2441ccee46

    SHA256

    7e368261bf2cbd3942f6990d0b60187252ce546c60f0547bc95aabc9e16f1f1e

    SHA512

    58fe279724dabdfa87ce5d7c52261af78766127bb6e12dd92d5aef4203aa467bfddacd5af44499613f7d776b3b75841ce18accaf2dfef4058ea4421c8974ed09

  • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

    Filesize

    2KB

    MD5

    1a1dce35d60d2c70ca8894954fd5d384

    SHA1

    58547dd65d506c892290755010d0232da34ee000

    SHA256

    2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

    SHA512

    4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

  • C:\Users\Admin\AppData\Local\Temp\TCD8CA6.tmp\sist02.xsl

    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Windows\Fonts\ Explorer.exe

    Filesize

    97KB

    MD5

    ee9557c403b731913726f377e2e1d27b

    SHA1

    0d30dfa76e78dcf19fe29e41027c3dfdad4190f6

    SHA256

    6390a457cc3c128a7f8eabb36fe9a09278bb40b7522c857d81f661ec8957636f

    SHA512

    b88262e32f99f048b5424a4d42d6d4823ad3ac6ad0045e640e22dacc17ebd4188c4831b17f7e7bd893fea95ff8201a2a58f875974dff14a0921e5d12ba8b07df

  • C:\Windows\Fonts\ Explorer.exe

    Filesize

    97KB

    MD5

    6c83c6a9983e25f66458b7816f2209c9

    SHA1

    631e24f675caaeb24baab1d406ae3d17bebdfaa1

    SHA256

    3973f02d909b787527ed2df457e578dfcaa68ac655e43254d40708a09fe72134

    SHA512

    5e80f214e643330cd88f1153c6706a9130bce7058f2b2d5f7d3e1fe2a3f4d8ec26eba6764b85ee2dd48e03e3bf40270bb4b612945610d34db726423d1e6e013d

  • C:\Windows\Fonts\ Explorer.exe

    Filesize

    97KB

    MD5

    25cada8aaf0545e9e54b7a2dd8758d86

    SHA1

    f129f8a60a012fd4f8f66ad191d9264619f8e3c6

    SHA256

    6c2ff351700225bfaffd83356c95e304cbfa2de0ec2116b1a5f1b8928e3ce62b

    SHA512

    d1267513be5ba35b65cf7749541ff7489bce93fd0a39473773300cfb820f9aea26ebd078192fb71222c9491843d085e79072a384d947bdde59b47871b1917651

  • C:\begolu.txt

    Filesize

    2B

    MD5

    2b9d4fa85c8e82132bde46b143040142

    SHA1

    a02431cf7c501a5b368c91e41283419d8fa9fb03

    SHA256

    4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

    SHA512

    c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

  • F:\Recycled\SVCHOST.EXE

    Filesize

    97KB

    MD5

    28d86ea377058470815655d2a81e70a0

    SHA1

    2b40152bc573689877588d89b8ea958052cf9061

    SHA256

    62b2ae9586dc62a355d35bd2118c9cb2987fad99d68183ea797245d961af04bd

    SHA512

    085fd760f49847c36d40dfc1c813749daa8f9605d13bfc87b350e4d019a4577e4a26fc11bff91cc62ddd6451ac582109e7855de9a12e30d848eb4d12de7371e9

  • memory/232-83-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/232-79-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/624-31-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/624-28-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/1112-69-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/1112-71-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/1240-87-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/1240-0-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/1408-48-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/1508-88-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp

    Filesize

    64KB

  • memory/1508-92-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp

    Filesize

    64KB

  • memory/1508-94-0x00007FF8708E0000-0x00007FF8708F0000-memory.dmp

    Filesize

    64KB

  • memory/1508-93-0x00007FF8708E0000-0x00007FF8708F0000-memory.dmp

    Filesize

    64KB

  • memory/1508-90-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp

    Filesize

    64KB

  • memory/1508-89-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp

    Filesize

    64KB

  • memory/1508-91-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp

    Filesize

    64KB

  • memory/2408-75-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2444-45-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2456-84-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2456-85-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/3300-67-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/3456-18-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/4452-52-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/4968-34-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/5072-63-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB