Overview

overview

10

Static

static

3

62471f8897...cs.exe

windows7-x64

10

62471f8897...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 00:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    62471f8897908d4a96bafd17b1fff310_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    62471f8897908d4a96bafd17b1fff310

  • SHA1

    6744d8d50390d6b295e19abc72e1f53db87268a0

  • SHA256

    f53e279d82dc377fecdd1583b6c467c3e5061c5672643660b43177929d722b7f

  • SHA512

    bb14fe42812225b5f039b10fc1527b96067ce51bd6517a9037be21943c5690bce68161c8392a414551ca941103a1a35eddff8e52aa30c5a35f25077abae61bd3

  • SSDEEP

    1536:FAwEmBGz1lNNqDaG0Poxhlzm6AwEmBGz1lNNqDaG0PoxhlzmR:FGmUXNQDaG0A86GmUXNQDaG0A8R

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\62471f8897908d4a96bafd17b1fff310_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\62471f8897908d4a96bafd17b1fff310_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4052
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1748
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5044
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1488
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3368
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4568
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4928
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    4ac238d86d195e7bfe299a5670e4d305

    SHA1

    3dee8118480d19d740f1a1156f9ae88767230eeb

    SHA256

    a4318d4573c3128686aabdb9a2a119afb0f7d0b2559f0885b15ac714771b1334

    SHA512

    0a7c27dae5fb477de763b79aadf3b7e1d4a1395a766c3c993ce545ec7ee585b3d73c567c152db39213ad6eb7174ab7457b32e8191a6957a914e59ff23feb91d0

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    ae5086914e885596fb328690343f041a

    SHA1

    d6f98a23e2bab492c3aa4dce8953b0efad7aa422

    SHA256

    01774f6a9f58ab2feb18a89df307cba4d3db7ef94c1e95e63e2fb1fc99cbbd4a

    SHA512

    e3d173cdfbb8a6d7081c89b99f3b37c801d0c62eb7b2cdb5a02f2020171a6e494ee98dc9525ee6632c4f548b1d71646b15c5732d6373f8cf4361acce4f024d5c

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    1577460bc866a44b6e874c2fe7bb8673

    SHA1

    591fe08a8bdb20ac44a032689060d177a7d22a58

    SHA256

    7b9eccc124f526d50042eef2a4937a83bd2e24540440d82586634788a4b25906

    SHA512

    83cadc9d772cee0a30dabf8d24bdcf8f387fc381790f9f72a0bfdcbd0a7e3ee9f98575eaaa06d63cd636c027d9ff525cf5edbaa881c80680736c23543a7cfaf8

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    bbb5ab1b79cb1628cdc515deb46424f0

    SHA1

    5ca284a5148625950b6b42dcb7e7fc7c5297d57c

    SHA256

    0da7f7b6a37f7c88ea6f7ba6c32417897a379329293fa6a6a0acb0845e57ea2a

    SHA512

    5114cf7f9ce0432ed28218343656a8ce48a90858caf5b6188c50fccde09b5f42407ada6cb1e74ca3684d588d68bc548d923f2c2474bc40a68abb15650976fd48

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    d3681f881ee1f1c003e5fa3b4ba11817

    SHA1

    8951ac26debde95c98c64c2b447fef07ac6ebcfa

    SHA256

    155c5e5caf92d0082ef84b46882d9f8a4bf3a37b1832c97b64ea3531c1630781

    SHA512

    5cdac4c9ab22bafcff5f329a49a34bdcacb5fbf1714d3d777830adedee94306a928c6ef30509d7142d88f2df88d498420f75d803fe17de37c71bccd6dac12b9b

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    62471f8897908d4a96bafd17b1fff310

    SHA1

    6744d8d50390d6b295e19abc72e1f53db87268a0

    SHA256

    f53e279d82dc377fecdd1583b6c467c3e5061c5672643660b43177929d722b7f

    SHA512

    bb14fe42812225b5f039b10fc1527b96067ce51bd6517a9037be21943c5690bce68161c8392a414551ca941103a1a35eddff8e52aa30c5a35f25077abae61bd3

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    e4a603d1ee71ebd597e1a9876295a69e

    SHA1

    324c08790d3cc17f18ada7ddca3a76782026210d

    SHA256

    12734c48d485374eda029280dc9d8f46ad684d61ec777aa34956e3a6812795aa

    SHA512

    34e6365b07fc70dbb3de39cddacaff0d556df77a8499cd495608d5d68e25003b8ed1302ba49afd914028b1ae2c5c8f1dc6f62a535168a9c24203db71cf4cbf74

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    4887a6993edf48882c8623dcf254eb3e

    SHA1

    e0397bd9f6761c8cb890b7487435f847be605b19

    SHA256

    2f0f534396683963ae3ae0b7fe2b18efa091dcb1aa17792fcec496679ea7cbb9

    SHA512

    ddc1f7c1124763780e091f9d660f4008dfb8224773d53bb07f111b706d9e9602f3a88f63e5ea5283d98768429e4027e8f2c7562919eef5c03b8cdf6fdf7ed4cd

    Download Submit

  • memory/1488-127-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1748-111-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3216-154-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3368-129-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3368-135-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4052-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4052-155-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4568-139-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4928-147-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5044-120-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5044-114-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download