Overview

overview

10

Static

static

3

d0b867f7ff...cs.exe

windows7-x64

10

d0b867f7ff...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 20:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0b867f7ff562d8058f7dabe36345980_NeikiAnalytics.exe

  • Size

    45KB

  • MD5

    d0b867f7ff562d8058f7dabe36345980

  • SHA1

    56f4e743a55d78930316c6e795a1c1460a1eab92

  • SHA256

    583f6348e0a91895619683d8df5e19ca186abee24ac4c2daa314004510769db2

  • SHA512

    c132194987e94294fe153f618b794017a9f30a6d5a51f09b7777f1306e84f4e3da15a6d0a593b55e54cbbb2e38b7589d65c657f277bf59ca688ad267694235e4

  • SSDEEP

    768:WAUJmQCcmLCXQq6fsKiJYsIkjJVzqsVG5kuGVAQvBucNh:RUNHFKQbIkHvGkAOn

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Drivers directory 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Sets file execution options in registry 2 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:428
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1192
        • C:\Users\Admin\AppData\Local\Temp\d0b867f7ff562d8058f7dabe36345980_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\d0b867f7ff562d8058f7dabe36345980_NeikiAnalytics.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2744
          • C:\Windows\SysWOW64\rmass.exe
            "C:\Windows\system32\rmass.exe"
            3⤵
            • Windows security bypass
            • Drops file in Drivers directory
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2736
            • C:\Windows\SysWOW64\rmass.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2908

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\RECOVER32.DLL
        Filesize

        5KB

        MD5

        2b2c28a7a01f9584fe220ef84003427f

        SHA1

        5fc023df0b5064045eb8de7f2dbe26f07f6fec70

        SHA256

        9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb

        SHA512

        39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

        Download Submit

      • C:\Windows\SysWOW64\ahuy.exe
        Filesize

        47KB

        MD5

        9454e7f55ae028caf3a1b8a83d067571

        SHA1

        14e0d23ba3a1b8eacc8b9ef083424a53d76f22a4

        SHA256

        6d1d09c9fdae2bd58e648a6977f8061ceb10b0a714fc2bdd5718f2007dab6142

        SHA512

        d5ce2a76514a03c20f0eaaad24b3c29e3a8406750c40f1f8dfc3f7b09cab5ec2df9697d7bae751bb77a62245dd61a1e97e77c5951ec81eb5f34d790681f68bd4

        Download Submit

      • C:\Windows\SysWOW64\ntdbg.exe
        Filesize

        48KB

        MD5

        de7060d5673a99277fc73ba861e0eefc

        SHA1

        cf4b2cef1af97bc5c87ba3eaf13b172c90ba38f1

        SHA256

        60d4afe2ed2d1c371ae7d0411673d9ac025a9dbe2eea5b60b242220183865797

        SHA512

        98251b52a0d83265117d41d16c60dcad6db1627c5497c3321f3a3cdec4ef26cf2326872412484bbf5e9376fc5157900dbfc398a31794053f07cc6ac0bd7d2a23

        Download Submit

      • C:\Windows\System32\drivers\etc\hosts
        Filesize

        1KB

        MD5

        b10b13206b0f2cf3968050072f6979bf

        SHA1

        699db21ba9cecf3f13ac3d76e22cfa41aa94da80

        SHA256

        0eef3217095cb97b695c434e74d6314bf9e869a013d6e9c88e58c34576a276b4

        SHA512

        d33bfd931be6676539507a69101d99fa4c5ef36b12422bd11f063b9b6a47b7444f6c4ad5f35e044714fdb872e96cd9fddf049e8329af1219483887f6ac5f4a5d

        Download Submit

      • \Windows\SysWOW64\rmass.exe
        Filesize

        45KB

        MD5

        d0b867f7ff562d8058f7dabe36345980

        SHA1

        56f4e743a55d78930316c6e795a1c1460a1eab92

        SHA256

        583f6348e0a91895619683d8df5e19ca186abee24ac4c2daa314004510769db2

        SHA512

        c132194987e94294fe153f618b794017a9f30a6d5a51f09b7777f1306e84f4e3da15a6d0a593b55e54cbbb2e38b7589d65c657f277bf59ca688ad267694235e4

        Download Submit

      • memory/2736-52-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2744-9-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2908-53-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download