Analysis

  • max time kernel
    130s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 00:49

General

  • Target

    65b2489f0fb28cdefb8e5d26d7888700_NeikiAnalytics.exe

  • Size

    45KB

  • MD5

    65b2489f0fb28cdefb8e5d26d7888700

  • SHA1

    9c0e97b6a1f77c452a3b5b8f9d98d2a62fe351a4

  • SHA256

    dc80a29776a3b2c4319b7ec2ebc6443c6dde1472bd93159ca74e08486567af43

  • SHA512

    13e9fd94bdaa0fafaf7c618fe921e1764f56d4dab49b0123f85d7be6f2c7601a4e66678d93f3c3c0f5ed06a127e7cbea6ee547fc1cd0b248e5915bd9c1b98a2e

  • SSDEEP

    768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nED:8AwEmBj3EXHn4x+9aD

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65b2489f0fb28cdefb8e5d26d7888700_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\65b2489f0fb28cdefb8e5d26d7888700_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2660
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2012
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:676
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:6000
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5604
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3032
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2068
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5624

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    45KB

    MD5

    227d6240a15747ad967b7e9157e14c45

    SHA1

    4e18b1813104fc10ef3028eee544cf36ed26ef95

    SHA256

    7f3714a6466278547ebf30d6f40820a4ee74309a1630593da4d7cadf5f10a0f8

    SHA512

    28dd53ae84d6b8d62fdb383fdd3cf13d26b99c35c00002de7b166308886eded65677cf820f8b0290cbfcf5f6abdf2bbaf6eb277075c2529bf792fe621f418d89

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    45KB

    MD5

    0f649cda4757c258f624bdd818ba017b

    SHA1

    847074aff58b22d7c8db653923faa091fc7afbc9

    SHA256

    b082ed569d13de82de64b36a748bcbe75c7785dcb3d7bf5c608a4372026cb3dc

    SHA512

    c43703b487a39b188888e99e76e636ee9b92efd0ed4e1a7ec400cfabe01c748f02b49263d62f2c06829bbdadf2d6c20442017a03ba3882ee6b908efda67ab50c

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    45KB

    MD5

    9d9a424e8b115410025a67b8ac64a854

    SHA1

    6ea4330b1fd7c68ac626eaafcc2d2eb256ef5cc1

    SHA256

    92fbb57c8391eb4b47a9ebc1ee3c3594dea505892856066b709d27ef58a59c58

    SHA512

    d3262ee85a8e542160585fa6f4e891ca9b21ef0ddcf41f7e2b307ec7a8aa6ae31bcad392f20d7c300523a671ed622b65dd8caff66f41c51802c2e788078b7fb5

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    45KB

    MD5

    13e53e6d24fcd470f787c2a56c6ed588

    SHA1

    0ff6abec8adc5c92396c7553918759e6ef16eb66

    SHA256

    f02110beb517a0006bf3c4f72610fbb6852a45699e02e1f3b303cd19c4ee699d

    SHA512

    0bca347bfa46950c9a9014ecb4ab092bf50207dc9aaab3accbdaf511af3cf470e3dd3ff067b95422a355c6fe155496c5b2e49cbd9339f46e568ea1fbb4fb7cd2

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    45KB

    MD5

    125861d74773010f275d40036e3c964b

    SHA1

    589f31f351f5fad01ee1a03984b565fc70b4e48e

    SHA256

    da8d9f604dc55a58f18c3da7515f10fdb4584fd3960d04adf2204185eb3c45cc

    SHA512

    1ab743aead1a3fd3ade8fbd5b0ab029ffdd8d0b9e3f631635d7910b149d9f479460327aa50e6a86a78c030cce01f2505d31d66f5e4df417a4d9ab098c65d501a

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    45KB

    MD5

    65b2489f0fb28cdefb8e5d26d7888700

    SHA1

    9c0e97b6a1f77c452a3b5b8f9d98d2a62fe351a4

    SHA256

    dc80a29776a3b2c4319b7ec2ebc6443c6dde1472bd93159ca74e08486567af43

    SHA512

    13e9fd94bdaa0fafaf7c618fe921e1764f56d4dab49b0123f85d7be6f2c7601a4e66678d93f3c3c0f5ed06a127e7cbea6ee547fc1cd0b248e5915bd9c1b98a2e

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    45KB

    MD5

    f2272ec348163a5e1fbaa0beada4e2a4

    SHA1

    0ad981082c67c6617474ec9aa2cf1bf8c4ecc19d

    SHA256

    81c6e24a00347fc11ad9410c0f7408f99d2fd68381f7df7ae1713422c10bdae8

    SHA512

    cace785634b9594bbe71910d385c43252ff8349ab41bb61af7a7fb63c8400b73b045e6c837d6fe652441b2f5924e7af2f0cf7755b289b9aa7aafbff42165e91f

  • C:\Windows\xk.exe

    Filesize

    45KB

    MD5

    c3bdd65d48c1a5ac0acbe8d9572d298b

    SHA1

    257c1aa867f2ba5789cf66c100b7722382f6992e

    SHA256

    81a1d9bf6745167b1e9042db00c9533b525c1da5dc2ed2ded39279882f1a8e27

    SHA512

    cd75207388f2d1a498523f44e53f51bf72e47c525c4d6608d5508f7fdb1b483105f8c473ec27d43c927fa74f6debc5301c34c267dc038b0ebd47af09d60cb8b0

  • memory/676-118-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2012-113-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2012-108-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2068-144-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2660-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2660-153-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/3032-138-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/5604-132-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/5624-151-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/6000-127-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB