Overview

overview

10

Static

static

3

9cbdc8a167...cs.exe

windows7-x64

10

9cbdc8a167...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/05/2024, 22:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9cbdc8a1671cdf70d5b0feb2370f1d40_NeikiAnalytics.exe

  • Size

    97KB

  • MD5

    9cbdc8a1671cdf70d5b0feb2370f1d40

  • SHA1

    7798e12b4814cb52a0077ee1e532913951af74f0

  • SHA256

    4160d4d66776f7383750b59ee8409ae5461921a6359378cbf992c21d46e7e802

  • SHA512

    5ade2606be58512e16e55d44e8532112baf1ff2b20c6777e423980269435bfbf45df86450ebe7d8113385f0e723baba001bd27738bdbf686df39e5c2c1c46c85

  • SSDEEP

    1536:4a3+ddygX7y9v7Z+NoykJHBOAFRfBjG3YdoIn:J8dfX7y9DZ+N7eB+tIn

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9cbdc8a1671cdf70d5b0feb2370f1d40_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9cbdc8a1671cdf70d5b0feb2370f1d40_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3280
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3412
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3512
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2816
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4860
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4220
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4068
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3928
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3720
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4820
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3380
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9cbdc8a1671cdf70d5b0feb2370f1d40_NeikiAnalytics.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recycled\SPOOLSV.EXE
    Filesize

    97KB

    MD5

    1d35e000bcf177d9a5be0b78bf697eb2

    SHA1

    bc4616cbc5302389fe3cbfd05dae45d1dfc9634e

    SHA256

    06d3cf69145441816df7040a29c03bddd10635522dec9715e4a36bc61b5afe79

    SHA512

    239a4fcfac2c363e4513e52e9d269529f258d638bed938198b6d63839a7bce5016b1cb0966664db7b4f56c04985cfea835f9dee0d162f4838b8aab61f9eaf99d

    Download Submit

  • C:\Recycled\SVCHOST.EXE
    Filesize

    97KB

    MD5

    ca3877dd9618b32269ee75d699b8b3a8

    SHA1

    1061747c7ebca05d366cdcbd27fb04d333e63c3e

    SHA256

    4b39d373221cd77425dc9d2397f3ceb7a0a0ff03c2b8ce9f6d571bac8a250733

    SHA512

    62914272fb4d8753df3d4a13ab8d45c330fe53abf3f2caaf1b746648e797859467ff0a9e2c456462a0214b51ae5c21f2faab62bbe713a27e04fed0a339ec2c49

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
    Filesize

    2KB

    MD5

    1a1dce35d60d2c70ca8894954fd5d384

    SHA1

    58547dd65d506c892290755010d0232da34ee000

    SHA256

    2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

    SHA512

    4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCD7DD7.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    97KB

    MD5

    e83faa8c48db666284f4884c5e0a61ae

    SHA1

    16df0f910cab188f1da6dc9c51ecaf0a30ff33a8

    SHA256

    60a956219809317602269c55f45300d96cc79f41dfe4df2a88e243b781cc7178

    SHA512

    055d3a5d0deb968c10826a7a24fc5c75901cd9870801dcb621baa94df48dea51a0d2f51706a1382e507c559ec8f01a2679fc2d5cf076b97128c111103c2646e5

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    97KB

    MD5

    6013bcf3105931e895854fc2119ad621

    SHA1

    1f3da6db45d595a957fca6e7cbab82815e38330f

    SHA256

    c77e8ca33d58992b94c92819144d56e2dbf255943d28a09cf05fffe6652c45e4

    SHA512

    cc39d384df834a92eb29d83deead0ebf166875f1d264adab7262eb9fd4f8cbffff03c02053e25dc8ca45f086b94fccfdb234e9b3cb519263c1449d1058eea7f4

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    97KB

    MD5

    b46cd836c3b0bf5cbe7945ac13f42a85

    SHA1

    6f220de556a1e0c245a95f5f9dee3e1b4bd4e7e2

    SHA256

    f91ade90afdec58973f611a25c463a3a340a4f7ef587e4777b4ebe617215138b

    SHA512

    98fd68cb09a9c4a530199f9d960fc093f7f21a13aff3572c84ca33b08106ecf77d289318024c25f7f330dbbaf7c7680327db4abe35f77fb91cf35ad3f5a70c99

    Download Submit

  • C:\begolu.txt
    Filesize

    2B

    MD5

    2b9d4fa85c8e82132bde46b143040142

    SHA1

    a02431cf7c501a5b368c91e41283419d8fa9fb03

    SHA256

    4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

    SHA512

    c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

    Download Submit

  • F:\Recycled\SVCHOST.EXE
    Filesize

    97KB

    MD5

    3889d2d9c586e2788a0c0c41ae4c7bca

    SHA1

    12fc7569d3111c52bd9e10e73dd62e92032befef

    SHA256

    cac50a18dbbd16a16c667c5219bd117345a25e2839b987678386f82f54e1a577

    SHA512

    f0320e3f1ecb91feca5185f1c736699ed5fdeacd7c6beb1a779f3cc8960ae57d92990f43c1be3491214f2482c1f416f2d2c7d9189abbe4c077578c516911416e

    Download Submit

  • memory/1988-35-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2816-49-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3280-18-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3380-84-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3412-30-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3412-27-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3512-45-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3720-75-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3720-73-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3928-70-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4068-67-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4220-63-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4564-86-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4564-0-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4772-87-0x00007FF82DAB0000-0x00007FF82DAC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4772-89-0x00007FF82DAB0000-0x00007FF82DAC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4772-88-0x00007FF82DAB0000-0x00007FF82DAC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4772-90-0x00007FF82DAB0000-0x00007FF82DAC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4772-91-0x00007FF82DAB0000-0x00007FF82DAC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4772-92-0x00007FF82B300000-0x00007FF82B310000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4772-93-0x00007FF82B300000-0x00007FF82B310000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4820-77-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4820-81-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4860-51-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download