Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
  • submitted
    22-05-2024 20:55

General

  • Target

    39329604b9db818efdf834ce589b21b0_NeikiAnalytics.exe

  • Size

    352KB

  • MD5

    39329604b9db818efdf834ce589b21b0

  • SHA1

    13a2fd80bd19614dffe33df5c6c625db588eb581

  • SHA256

    4e72f4d7c6eb682d3ba703300f4362be1cd9aaca637aedff75ef2276b754e2ef

  • SHA512

    b73c1c6b1491c0f0f70b48d7ace070473c444c3db5e22f9915a9f8e5c4b4511efbe81d3faac3595b85cc5efc764e8c3c4f73150bbfa54d774f9bc49281d24bb9

  • SSDEEP

    6144:vIGEnprZkRs38t54c6rzNdfXIGEnprZkRs38t54c6rzNdf/:vxEnAR934zxEnAR934L

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 8 IoCs
  • Modifies system executable filetype association 2 TTPs 62 IoCs
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 24 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 42 IoCs
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
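
The signatures above point at a handful of registry locations (the Winlogon keys, the exefile open command, the System Restore policy, the Run keys and the Explorer visibility values). The following triage helper is an added example, not part of the sandbox report and not the sample's code: it scores a snapshot of those locations against clean-host baselines so the same logic runs over a live machine (via winreg) or over values exported from an offline hive. The values in demo() are constructed to resemble what these signatures describe; the report does not say which data the sample actually wrote, and the Explorer values it checks are also the Windows defaults, so they are reported as corroborating only.

```python
"""Added example: score registry persistence/visibility artifacts of the kind
the sandbox signatures list. Snapshot format is {(key, value_name): data}."""
import sys

# (key, value name) -> data expected on a clean Windows 7 / 10 host.
BASELINE = {
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "explorer.exe",
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"): r"C:\Windows\system32\userinit.exe,",
    (r"HKCR\exefile\shell\open\command", ""): '"%1" %*',          # "" is the (Default) value
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR"): 0,
}
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# Core processes that never register themselves under Run; a Run entry
# launching a file with one of these names is a masquerade.
CORE_PROCESS_NAMES = {"winlogon.exe", "csrss.exe", "smss.exe", "services.exe", "lsass.exe"}
# Explorer values that hide extensions / hidden files. These are ALSO the
# defaults on a fresh install, so they only corroborate other findings.
EXPLORER_HIDE = {"HideFileExt": 1, "Hidden": 2, "ShowSuperHidden": 0}


def _exe_name(command):
    """Lower-cased basename of the executable in a Run-style command line."""
    command = command.strip()
    if command.startswith('"'):
        token = command[1:].split('"', 1)[0]
    else:
        token = command.split(" ", 1)[0]
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(snapshot):
    """Return [(severity, key, value_name, detail)] for every suspicious entry."""
    findings = []
    for (key, name), data in snapshot.items():
        if (key, name) in BASELINE:
            if data != BASELINE[(key, name)]:
                findings.append(("high", key, name,
                                 f"expected {BASELINE[(key, name)]!r}, found {data!r}"))
        elif key in RUN_KEYS and isinstance(data, str):
            if _exe_name(data) in CORE_PROCESS_NAMES:
                findings.append(("high", key, name,
                                 f"Run entry launches a core-process lookalike: {data!r}"))
        elif key.endswith(r"\Explorer\Advanced") and EXPLORER_HIDE.get(name) == data:
            findings.append(("info", key, name,
                             f"{name}={data} hides files/extensions (default value; corroborating only)"))
    return findings


def snapshot_live():
    """Read the checked locations from the live registry (Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
             "HKCR": winreg.HKEY_CLASSES_ROOT}
    advanced = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    wanted = list(BASELINE) + [(k, None) for k in RUN_KEYS] + [(advanced, None)]
    snap = {}
    for key, name in wanted:
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as h:
                if name is None:                       # enumerate every value under the key
                    i = 0
                    while True:
                        try:
                            vname, data, _type = winreg.EnumValue(h, i)
                        except OSError:
                            break
                        snap[(key, vname)] = data
                        i += 1
                else:
                    snap[(key, name)] = winreg.QueryValueEx(h, name)[0]
        except OSError:
            pass                                       # key/value absent: nothing to compare
    return snap


def demo():
    """Constructed snapshot modelled on the report's signatures; the Shell and
    exefile data below are assumptions, not values recovered from the sample."""
    winlogon = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    run = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    adv = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    snap = {
        (winlogon, "Shell"): r"explorer.exe C:\Windows\WlNLOGON.EXE",             # assumed
        (winlogon, "Userinit"): r"C:\Windows\system32\userinit.exe,",            # untouched
        (r"HKCR\exefile\shell\open\command", ""): r'"C:\Windows\SysWOW64\Shell.exe" "%1" %*',  # assumed
        (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR"): 1,
        (run, "Services"): r'"C:\Users\Admin\AppData\Local\services.exe"',       # path from the report
        (run, "Sidebar"): r'"C:\Program Files\Windows Sidebar\Sidebar.exe" /autoRun',  # benign
        (adv, "HideFileExt"): 1,
        (adv, "Hidden"): 2,
    }
    return assess(snap)


if __name__ == "__main__":
    results = snapshot_live() if sys.platform == "win32" else demo()
    for sev, key, name, detail in results:
        print(f"[{sev}] {key}\\{name or '(Default)'}: {detail}")
```

Run it on a Windows host to read the live hives; elsewhere it evaluates the constructed snapshot. Absent keys are silently skipped, so a clean host with no SystemRestore policy key produces no finding for DisableSR.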

Processes

  • C:\Users\Admin\AppData\Local\Temp\39329604b9db818efdf834ce589b21b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\39329604b9db818efdf834ce589b21b0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\WlNLOGON.EXE
      C:\Windows\WlNLOGON.EXE
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2512
    • C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2060
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2648
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2820
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2012

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    352KB

    MD5

    1518bfa2860286b4f61138a6116587ce

    SHA1

    d522c420652a69d4fe6fdbf6cebfdf315047b944

    SHA256

    efa6bed962aaf2680ec73baca096c8121169ed0729048d2ed1c1e3287118a30f

    SHA512

    a049f4a9f7df005a0980df5f5bc894d8211efc01712eda6a0d960483a91fed9305f7ded5c13f9afd4de3864acbd197ccff37ab4f5cac92537e075c9b7c07086b

  • C:\Users\Admin\AppData\Local\services.exe

    Filesize

    352KB

    MD5

    39329604b9db818efdf834ce589b21b0

    SHA1

    13a2fd80bd19614dffe33df5c6c625db588eb581

    SHA256

    4e72f4d7c6eb682d3ba703300f4362be1cd9aaca637aedff75ef2276b754e2ef

    SHA512

    b73c1c6b1491c0f0f70b48d7ace070473c444c3db5e22f9915a9f8e5c4b4511efbe81d3faac3595b85cc5efc764e8c3c4f73150bbfa54d774f9bc49281d24bb9

  • C:\Windows\MSVBVM60.DLL

    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • C:\Windows\SysWOW64\OEMINFO.ini

    Filesize

    462B

    MD5

    45d327d7d806625d696945dea064d7a2

    SHA1

    81a36b2a66c8dcce870a82409c6f772cc06addf0

    SHA256

    e022ef7261dfe3e79b78e4bff605ae3f0480cd54d80b7c3358bd9091a0f0f04a

    SHA512

    8b78bb4fa2c05d509cf171525b0ba7bf735a8890854f0ef16b29c9456ff547ccd86423068f61c21b8f35a0797ee44f9a8697861c34f133c6c26dfcf99e8f849c

  • C:\Windows\SysWOW64\OEMLOGO.BMP

    Filesize

    40KB

    MD5

    4de286f5923036648db750d58ba496e8

    SHA1

    0252d5d6c7a3b7dfa71fca4b30a53522fd7c6f67

    SHA256

    eb79555170611879e79b4cdba59bdf679e63df9d7927d01354e5cf859274c58c

    SHA512

    069daaa01a04add11a9e5fc0988b5d42e6ad50011fa148df41ffb3a905ffc170ab65ba66f4ad921306503d8792dd192c173c532232fc7ef146c09aa76ddf548f

  • C:\Windows\WlNLOGON.EXE

    Filesize

    352KB

    MD5

    61b4f6d57ef97155f497c71c3c5910d6

    SHA1

    a90af92c7b4452d2e9bc81d7e413c1a5d290a238

    SHA256

    b3d94738a7e151646573f9cdbd957e395b0248028491af6b5c05085025ee8b8c

    SHA512

    c73cbe6efcccf8e08c9ae7ad2bc50a3bc3503398596baafac9a8652022cb98b1f7b249ae88823466706db9ea0dacf1322a718f0ba3cd4850d7ceff5b309a1d53

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    352KB

    MD5

    ec3b195f1081635e6db03d432b2a8495

    SHA1

    b3383a35495560a3e0a5946abe047f7ec5b05720

    SHA256

    7d9d6fd898065e414c2d7814a5e5365b42ae7d5ffb583b7d520b57f8c9bb0322

    SHA512

    590a3b7a3c00112dd1f3713df2392d10ec62070593c3c7e75d1f7ebb31f96538b6cd4d97bdce9bf9b045327fe3090b8a4c988654276178cb7919b74f3e468e70

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    352KB

    MD5

    f56fd0e7264196cca394526364e9effc

    SHA1

    d847331ce93629481ed0fd611af903c4bdcaf8b1

    SHA256

    c6c0c3b992682e285aa4176e64dd7d9544ae94b5809c2cdef3b16c261f61a64f

    SHA512

    0d31259163a0a3dd71bcf88a75a88a59a5edde6a0c6803545078a3f2fdccd97b176df6a8a01c4f8e2fe9bee3e0ed5ca1e043a0eb147fbf2f550b594856a53b92

  • \Windows\SysWOW64\shell.exe

    Filesize

    352KB

    MD5

    b19b24c5faa214b89d5ebf23a09e0ec8

    SHA1

    76d4db777faeccb53662b31d88a1312f9e2f78f6

    SHA256

    6a3f46a8d4f701f8177f0459f33dfcc6c68aa11899aebd051469705479782416

    SHA512

    e9be7fb20f6de9c4ce389352492c1f9714fc06175d6aa0f17272b62fd5ae64f0b37e979e8777d246994160f0dc48c9f7e3b2428a9924570bede3be83eab7bb69

  • memory/2012-137-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/2012-184-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/2060-155-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/2356-0-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/2356-135-0x0000000003590000-0x000000000363A000-memory.dmp

    Filesize

    680KB

  • memory/2356-105-0x0000000003590000-0x000000000363A000-memory.dmp

    Filesize

    680KB

  • memory/2356-152-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/2356-126-0x0000000003590000-0x000000000363A000-memory.dmp

    Filesize

    680KB

  • memory/2356-94-0x0000000003590000-0x000000000363A000-memory.dmp

    Filesize

    680KB

  • memory/2356-95-0x0000000003590000-0x000000000363A000-memory.dmp

    Filesize

    680KB

  • memory/2356-115-0x0000000003590000-0x000000000363A000-memory.dmp

    Filesize

    680KB

  • memory/2512-150-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/2512-149-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

  • memory/2648-116-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/2648-165-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/2820-178-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB
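
The process tree and the Downloads list above show the sample dropping copies of itself under names borrowed from core Windows processes: C:\Windows\WlNLOGON.EXE (lowercase L in place of I, and in C:\Windows rather than System32) and CSRSS.EXE, SMSS.EXE and SERVICES.EXE under the user's AppData. Every 352KB copy carries a different hash, so a hash list alone misses copies this report did not capture. The scanner below is an added example, not part of the report: it hashes a directory tree against the SHA-256 values listed under Downloads (the dropped PE files only; MSVBVM60.DLL is the stock VB6 runtime and is left out) and, independently, flags files that use a core process name outside that process's real directory or differ from one by a single character. The expected-directory table is the author's assumption about a standard install, and demo_scan() runs on constructed files, not on the report's samples.

```python
"""Added triage helper: hash-match against the report's dropped-file IOCs and
flag core-process name masquerades (wrong directory or one-character lookalike)."""
import hashlib
import os
from pathlib import PureWindowsPath

# SHA-256 values from the Downloads section of the report (dropped PE files).
REPORT_SHA256 = {
    "4e72f4d7c6eb682d3ba703300f4362be1cd9aaca637aedff75ef2276b754e2ef",  # original sample / services.exe
    "efa6bed962aaf2680ec73baca096c8121169ed0729048d2ed1c1e3287118a30f",  # WINDOWS\SERVICES.EXE
    "b3d94738a7e151646573f9cdbd957e395b0248028491af6b5c05085025ee8b8c",  # WlNLOGON.EXE
    "7d9d6fd898065e414c2d7814a5e5365b42ae7d5ffb583b7d520b57f8c9bb0322",  # CSRSS.EXE
    "c6c0c3b992682e285aa4176e64dd7d9544ae94b5809c2cdef3b16c261f61a64f",  # SMSS.EXE
    "6a3f46a8d4f701f8177f0459f33dfcc6c68aa11899aebd051469705479782416",  # SysWOW64\shell.exe
}

# Assumed legitimate directory for each core binary (lower-cased).
PROTECTED_NAMES = {
    "winlogon.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def edit_distance(a, b):
    """Levenshtein distance; names are short, so the plain O(len*len) loop is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_reason(path):
    """Return why `path` looks like a masqueraded core binary, or None if it does not."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower().rstrip("\\")
    if name in PROTECTED_NAMES:
        if parent in PROTECTED_NAMES[name]:
            return None                           # right name, right place
        return f"{p.name} outside its expected directory ({parent})"
    for real in PROTECTED_NAMES:                  # WlNLOGON.EXE vs winlogon.exe
        if edit_distance(name, real) == 1:
            return f"{p.name} is a one-character lookalike of {real}"
    return None


def scan_tree(root, ioc_hashes=REPORT_SHA256):
    """Return [(path, reason)] for every file under `root` that trips a rule."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                digest = sha256_file(full)
            except OSError:
                continue                          # locked/unreadable; revisit with a raw-disk tool
            if digest in ioc_hashes:
                findings.append((full, f"SHA-256 matches report IOC {digest[:12]}..."))
            reason = masquerade_reason(full)
            if reason:
                findings.append((full, reason))
    return findings


def demo_scan():
    """Constructed input: a temp dir holding a fake CSRSS.EXE (contents b'abc') and a
    harmless text file; the IOC set is SHA-256(b'abc'), not a hash from the report."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "CSRSS.EXE"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(b"hello")
        return sorted(scan_tree(d, {hashlib.sha256(b"abc").hexdigest()}))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for path, why in (scan_tree(target) if target else demo_scan()):
        print(f"{why}: {path}")
```

Point it at C:\Windows and C:\Users to cover the drop locations seen in this run. The lookalike rule deliberately ignores directory for names that are one edit away from a core process name, since no legitimate binary sits at that distance; the exact-name rule needs the directory to decide, because explorer.exe legitimately lives in C:\Windows while the others live in System32.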