Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-05-2024 20:54

General

  • Target

    391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe

  • Size

    1.2MB

  • MD5

    391e059619df1772ffe560f8e23dbbe0

  • SHA1

    7b1df6152dfce7747d3603efe717991539ec0a62

  • SHA256

    0d3ad3b5bbc07307c098fc9a651a0848714dad8f317c9d2ff5092295b3006fc8

  • SHA512

    ce09e590308b484c086ae62f7af743fe4427fa856f81ed6a65c7c652c67c7feb8d80eb5ee8952029e2d278c68d58f5ef1c7c6538113ec58f83b822a20547d46e

  • SSDEEP

    24576:fXTff2BiQOY3lvbELqO7mi7JmEuibeX57XIU9wwXfNdm:fXzfSIk1+7JmEuib87p9wGdm

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 12 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Local\Temp\VSD19C8.tmp\DotNetFXCustom\dotnetchk.exe
      "C:\Users\Admin\AppData\Local\Temp\VSD19C8.tmp\DotNetFXCustom\dotnetchk.exe"
      2⤵
      • Executes dropped EXE
      PID:2980
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1736
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 89AA17C0DFCEA79F52E7007646A1DD03 C
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI1C47.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259398868 1 Elsinore.ScreenConnect.InstallerActions!Elsinore.ScreenConnect.ClientInstallerActions.FixupServiceArguments
        3⤵
        • Loads dropped DLL
        PID:2504
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:2128
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000584" "00000000000003E8"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2808

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\f7638fd.rbs

      Filesize

      8KB

      MD5

      d950502c7474bc3ca1ba5ca527d0c58a

      SHA1

      087d6acb5f604a34ea57770cadeca758caf48f98

      SHA256

      54189230b06bbf1b891c6557e909d7c205b68a809fda3fbe93c6e4a66dcc2531

      SHA512

      3b49c7fffa16b488ba0c053649fd3e0d9948f2652dfa54c12ca1d4e4e64e9011be93af7e790e37714e59a1b8b8f3d4596498f6abdb8c26048ec733fdf172d190

    • C:\Users\Admin\AppData\Local\Temp\MSI1C47.tmp

      Filesize

      279KB

      MD5

      6d5f46d5ae78e61ea290b6c300def625

      SHA1

      3ae79c014bc2066a9f7966d6764825c2dab24b51

      SHA256

      a4c316a8d25936de049356c0a36f9d04feed977eca19a13b9908dc1e697aa0f8

      SHA512

      efc8a0dfbf590c23463b82c8ffc7b295d77bccd16750e3db7ef5b2c8c8acd6ea45839abd131672b3f75198dd68e539ee30bdea1bdc54d5296f27f89acdda374f

    • C:\Users\Admin\AppData\Local\Temp\setup.msi

      Filesize

      766KB

      MD5

      a6f2eb667909f70a151b597de548dc57

      SHA1

      a3a55305966ec586249cf2dfcf1ae0bed98f6b61

      SHA256

      e3a980b0f0639008d8a5a060caa3b619f3408e9dd7a3182c788b21e3cfc02d3f

      SHA512

      f8bb35175460e398797ac9b05089fe8130d028bb1fc65a1201b63b8cd0105a2a0ed2c991f7381f7ff1ee060106e89697db54fedb4dcac648df95a3302cafb6d3

    • \Users\Admin\AppData\Local\Temp\MSI1C47.tmp-\Elsinore.ScreenConnect.Core.dll

      Filesize

      194KB

      MD5

      27eb6b7a79a41c8eb611e3d492f09acb

      SHA1

      ac0234cc29183a58e36ea4271074fbe3eb935744

      SHA256

      327dcc7c94c4df1822700982c40318ead01ac48fa07170221d468bf78c5189b0

      SHA512

      35aa8861a6fd66a74a408f558b78a5b52e7b4a963c44a945260f63f4c5aece0b0446dea890cf1c01ca10600da3d4c36c224700130ecb64b5d0298396e051902a

    • \Users\Admin\AppData\Local\Temp\MSI1C47.tmp-\Elsinore.ScreenConnect.InstallerActions.dll

      Filesize

      19KB

      MD5

      fcb234ac467125d61196946526883161

      SHA1

      b5e919ae7fdd23a40360f3d2895fd95fd7d6047d

      SHA256

      ce1c13343377bc52ba06f20a9b8eb5d8334aa96a25db9c3dc33d8b928bfe2397

      SHA512

      e9524c35126fe8abd3b65ddca415bc2453aa2362761e082e6df819b4efb4dbae4ec61c822a94fd401867cabca6f4ace9c1c07c3c0137ece808d65ca51dc505ef

    • \Users\Admin\AppData\Local\Temp\MSI1C47.tmp-\Microsoft.Deployment.WindowsInstaller.dll

      Filesize

      176KB

      MD5

      1e5a0962f20e91ca18bc150266e6f49e

      SHA1

      e71caab3b88b2913178ca2ae549a00455679cd4e

      SHA256

      fa74ae4d5e62a1cc7cfeaa55d84fe9bddab06651b6744fb4469074e79317da99

      SHA512

      09021a2183536d07d915e413bd70fbd47f6afcf9fa9b8deb886f473c7b3dc3ee3e042c126f644be70f42f491692fab0a25b49ef88099caf272eec75c5bd2fc1f

    • \Users\Admin\AppData\Local\Temp\VSD19C8.tmp\DotNetFXCustom\dotnetchk.exe

      Filesize

      85KB

      MD5

      4992d98e6772a5fd7256c4c7fe978a11

      SHA1

      6cf70905908b59553e1b92e057c3e7c13bd7b6a4

      SHA256

      5494efb1859e625eff5c2b51a66058fd7ffe1aa619594f62900a0bef392012d0

      SHA512

      8afdda6a49a4c61c62e329f3d15dc31c98327fd720e654972b14f98112b79d293648cad0dd08b3d12e48e020dd21fe40f9fc0a6c78014e1434a1703f40f6f4d8

    • memory/2504-31-0x0000000001E40000-0x0000000001E70000-memory.dmp

      Filesize

      192KB

    • memory/2504-35-0x0000000001ED0000-0x0000000001EDC000-memory.dmp

      Filesize

      48KB

    • memory/2504-39-0x0000000001FD0000-0x0000000002008000-memory.dmp

      Filesize

      224KB