Overview

overview

7

Static

static

3

5ee65e4992...cs.exe

windows7-x64

7

5ee65e4992...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 00:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe

  • Size

    248KB

  • MD5

    5ee65e499276e5d1a8421c67f7505180

  • SHA1

    6d878ef2b8ebd59ecd706376c1ceb18d7a9e4477

  • SHA256

    98c4769c22fd1bbadd31e701dbfbb944375d7502346bd0bf5befd172f814ffa3

  • SHA512

    5bee4759b938cf81c74bec184de2ee7141a452f93204613932a7e0a59bf07ce9fc343cf32baa2c3484d76ac8106d02ff9faa49d7e37b72ee07f365d546e5de6c

  • SSDEEP

    6144:weQ1WRHtMJrCBC0MpUYlxbwa+S3SIYtCHOEvY6:w0HtlCDpJLD+SCvtCu0Y6

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:3432
    • C:\Users\Admin\AppData\Local\Temp\5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Users\Admin\AppData\Roaming\contndue\agennify.exe
        "C:\Users\Admin\AppData\Roaming\contndue"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3640
        • C:\Users\Admin\AppData\Local\Temp\~3836.tmp
          3432 254472 3640 1
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2580
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 560
        3⤵
        • Program crash
        PID:4460
  • C:\Windows\SysWOW64\findhost.exe
    C:\Windows\SysWOW64\findhost.exe -s
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:3008
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2444 -ip 2444
    1⤵
      PID:4468

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\~3836.tmp
      Filesize

      8KB

      MD5

      aac3165ece2959f39ff98334618d10d9

      SHA1

      020a191bfdc70c1fbd3bf74cd7479258bd197f51

      SHA256

      96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974

      SHA512

      9eb876812a6a13dd4b090788c2b1d9e9a2e25370598ed5c040f82e6f378edc4b78d58bc8f60d5a559ea57b1edcf3a144bfe09454a9928997173db8279d5b40cf

      Download Submit

    • C:\Users\Admin\AppData\Roaming\contndue\agennify.exe
      Filesize

      248KB

      MD5

      81703f0ca3153ad217741be084c57331

      SHA1

      54888a43d407580c8200c2364298e142a7f05081

      SHA256

      9627feb1ea1e20232c43b302892a1d58a94dcab0d00b06c18e466482b98d9885

      SHA512

      1596da7bd3c0969d58e81522c4eaee683d39f621c030738274bee13e6e50b01934881dfd111a3e29630bfcf5c1e671678bd249104c8ca8d07eaa4a7f6f727656

      Download Submit

    • memory/2444-1-0x0000000001100000-0x0000000001148000-memory.dmp

      Filesize

      288KB

      Download

    • memory/2444-29-0x0000000000920000-0x0000000000962000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2444-0-0x0000000000920000-0x0000000000962000-memory.dmp

      Filesize

      264KB

      Download

    • memory/3008-15-0x00000000007B0000-0x00000000007F8000-memory.dmp

      Filesize

      288KB

      Download

    • memory/3008-31-0x0000000000A20000-0x0000000000A26000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3008-20-0x0000000000A20000-0x0000000000A26000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3008-19-0x0000000000DC0000-0x0000000000DC6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3008-16-0x0000000000A20000-0x0000000000A26000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3008-9-0x0000000000E20000-0x0000000000E62000-memory.dmp

      Filesize

      264KB

      Download

    • memory/3008-30-0x0000000000E20000-0x0000000000E62000-memory.dmp

      Filesize

      264KB

      Download

    • memory/3432-24-0x00000000039F0000-0x00000000039F6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3432-22-0x0000000007B60000-0x0000000007BAE000-memory.dmp

      Filesize

      312KB

      Download

    • memory/3432-21-0x0000000007B60000-0x0000000007BAE000-memory.dmp

      Filesize

      312KB

      Download

    • memory/3432-25-0x0000000007BB0000-0x0000000007BBD000-memory.dmp

      Filesize

      52KB

      Download

    • memory/3640-28-0x00000000007F0000-0x0000000000832000-memory.dmp

      Filesize

      264KB

      Download

    • memory/3640-10-0x00000000014C0000-0x0000000001508000-memory.dmp

      Filesize

      288KB

      Download

    • memory/3640-14-0x00000000018B0000-0x00000000018B6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3640-6-0x00000000007F0000-0x0000000000832000-memory.dmp

      Filesize

      264KB

      Download