Overview

overview

10

Static

static

3

62471f8897...cs.exe

windows7-x64

10

62471f8897...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 00:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    62471f8897908d4a96bafd17b1fff310_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    62471f8897908d4a96bafd17b1fff310

  • SHA1

    6744d8d50390d6b295e19abc72e1f53db87268a0

  • SHA256

    f53e279d82dc377fecdd1583b6c467c3e5061c5672643660b43177929d722b7f

  • SHA512

    bb14fe42812225b5f039b10fc1527b96067ce51bd6517a9037be21943c5690bce68161c8392a414551ca941103a1a35eddff8e52aa30c5a35f25077abae61bd3

  • SSDEEP

    1536:FAwEmBGz1lNNqDaG0Poxhlzm6AwEmBGz1lNNqDaG0PoxhlzmR:FGmUXNQDaG0A86GmUXNQDaG0A8R

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\62471f8897908d4a96bafd17b1fff310_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\62471f8897908d4a96bafd17b1fff310_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2992
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2616
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2724
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1968
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2200
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2000
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:240
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    62471f8897908d4a96bafd17b1fff310

    SHA1

    6744d8d50390d6b295e19abc72e1f53db87268a0

    SHA256

    f53e279d82dc377fecdd1583b6c467c3e5061c5672643660b43177929d722b7f

    SHA512

    bb14fe42812225b5f039b10fc1527b96067ce51bd6517a9037be21943c5690bce68161c8392a414551ca941103a1a35eddff8e52aa30c5a35f25077abae61bd3

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    308f725fe26a0fa20d56490d32541037

    SHA1

    b6e5203caf8c1bc2ac3a28a380a51513132d47ff

    SHA256

    d8180677088d21033c8b5f4708b71e2c9839ef9e9c7996590a3f7534584d6895

    SHA512

    4cd174a6ae62766f6553cb203ac72cdba6b0bc98ee806f1bfb0d832c68bd5558104622afad5a43380f3a508f91b507817ac87b158772f48a95fba12579330466

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    7f6d1521323b115f5362d49ae4540220

    SHA1

    990ce426e639ae5efa321732c3d5c3675d4dab05

    SHA256

    536fb833e6333789a6e540745f60f789970f97049e21b7104fde9b692b2432aa

    SHA512

    541212e5220f3b8088ed692cffa32e0f1b1e63c7e94fa46a85218711fa2dedf6e15afb67a875ab37a23083ac8a394741bb5654eff82437f4d271c75fb30e73c9

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    757273e4224f5518b055712c92fa6b9c

    SHA1

    2644ed3901b27b5e1c15a54490c2e00b877da0e2

    SHA256

    d470e295bc74a0cd047fb540a774125674b3fffcb3ff5e7b7fddbf17b622ca3a

    SHA512

    948bcd904ad8e891651af99d8a32a95c9700fe97767788494d7c79bde4020604aae6a96825b6512e6484938da5c1a6ba264bc6f4d2d077d4978b1807b717c1b7

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    6783366f65da1893c2a3652205641783

    SHA1

    3ddf86109f8caeb8433b29fb2f7f2cd83ec125b8

    SHA256

    1bc9fc997bb86579b8f4b328c44a6f0c5b90d4207ead9bddc19deca080a1186c

    SHA512

    0461ffe6fcd32f007e24d24a69e0345f495bdffd158df261efaece316e050ee96b1a4bf567ac8ef139186b8982abaf14e3e061e48c9a564a5b9d68fb43561fe1

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    983cb98e5412241c49df0fc08272e16d

    SHA1

    ca489ae58af06d4370f14c05862e726e3ca37774

    SHA256

    0b768ebeeee1bbddc857ceda172bda89af30f652d563cfe6a80db37401da0564

    SHA512

    fe53b41303d7c7007b2dfaa3c0dbf548b9dc35c5f6554c6e96fab11ab2802e528051b7bf21173b2ff6b4843defa42a461fc445ded86c7ddedd9c5435e9199990

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    8a579963ad292d80db196f7de33a87d0

    SHA1

    e71ebf9f6567de33075eaf524b8c45f3d14ff1ff

    SHA256

    0c37470ef0f678870d7f26cb7874f22df39adac12882077ffbc5970990f1e0be

    SHA512

    be2fdc2575b6efaddf24696275bf61b44682491daffa0d1f03102921319385f3bec5cdad65e481ee7b08a1271c3fe3a45fa512e6db9eaa35bfd3fa4d97b4589e

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    5a731b618c8cbab65c944dcb36e63f6a

    SHA1

    a1dc38d98b343da2c2b79a380661772fdeaba047

    SHA256

    0abd44e602ec271521bb4604ada65a08914b0756d7fb03fefe21986a2f5395fc

    SHA512

    35d6bb313ec058f1784b1b36f210ae56a2da98cbb7e512ac6f016b1134827a01795b477648c26c590ae3c0f0dde94da2bc1fd58a93ef2888e0dc4208708cdbbc

    Download Submit

  • memory/240-173-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1652-184-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1968-137-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1968-134-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2000-162-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2000-159-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2200-146-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2200-152-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2616-115-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2616-112-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2724-126-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2992-169-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2992-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2992-111-0x00000000026A0000-0x00000000026CE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2992-158-0x00000000026A0000-0x00000000026CE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2992-124-0x00000000026A0000-0x00000000026CE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2992-110-0x00000000026A0000-0x00000000026CE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2992-185-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2992-145-0x00000000026A0000-0x00000000026CE000-memory.dmp

    Filesize

    184KB

    Download