Overview

overview

10

Static

static

3

6f2553f210...cs.exe

windows7-x64

10

6f2553f210...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 01:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe

  • Size

    72KB

  • MD5

    6f2553f210ed8f1197dce823c8fa2610

  • SHA1

    dd493659d3c6bd2c3c72425bafe500720459fc14

  • SHA256

    a1a8fd4e02e99b90ecba45fb655b97e41f18da54272a9dca8c9252c2862336db

  • SHA512

    0d6b2ece364a5685e55b1c9e656cc0bfa7a6550ae4f456016a27e78655a5ebe41f772a9380ccd287cc2589566acda5456cf13c765efde094f453d6248b61d40b

  • SSDEEP

    1536:xAyToPledgGkAlSt9yzkwUk6Nr5kEHIwA69:3hgRAlStYzkrJNFkEH99

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Sets file execution options in registry 2 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3440
        • C:\Users\Admin\AppData\Local\Temp\6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe"
          2⤵
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1812
          • C:\Windows\SysWOW64\osridev.exe
            "C:\Windows\SysWOW64\osridev.exe"
            3⤵
            • Windows security bypass
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3044
            • C:\Windows\SysWOW64\osridev.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:3204

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      3
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Privilege Escalation

      Boot or Logon Autostart Execution

      3
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Defense Evasion

      Impair Defenses

      2
      T1562

      Disable or Modify Tools

      2
      T1562.001

      Modify Registry

      5
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\agduream-cooc.exe
        Filesize

        72KB

        MD5

        49e77fbc5663346ec91874179f74beea

        SHA1

        47eccdebc4e92f7999302ad5bbbe165e5d1cd3ec

        SHA256

        b208c9b7406153514e82487f8730b99050aa717d24fcab3d8aa1bc1c1e24c511

        SHA512

        799832ffa0b864a109f31a0a504f610ce1664c2efc9f5be5a0f2f00a255285d943095b71e750d73dcb661b717d34a7916495c42b9b30bee13300dba956f19a49

        Download Submit
      • C:\Windows\SysWOW64\eahgotem-itac.dll
        Filesize

        5KB

        MD5

        f37b21c00fd81bd93c89ce741a88f183

        SHA1

        b2796500597c68e2f5638e1101b46eaf32676c1c

        SHA256

        76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

        SHA512

        252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

        Download Submit
      • C:\Windows\SysWOW64\eavvoatead.exe
        Filesize

        73KB

        MD5

        331de9968973958ee711471f087b02eb

        SHA1

        fee57bb3c83973984834e1dcd1ec08688b9ff0b8

        SHA256

        0b79777f0f00bd8c7f24e7a8fe752f7b299eea187c495f88e1f83a18821d3674

        SHA512

        666ed137b50ce6a411879634522e0b265e42ab3964c17a8aae46cbefb73e0a06376caf3585c3672983c59c90136e66c6c472c6cb745d6136e6fea0c9c1ffd3e4

        Download Submit
      • C:\Windows\SysWOW64\osridev.exe
        Filesize

        70KB

        MD5

        a6ecfcac40acf05f0792752f5b8ed694

        SHA1

        3bd5d0d0d5c92b8cb9f999b1a341005d04cce95c

        SHA256

        3e33dec04c9b7f01b83b1f6e8b19897b9c300db500e88cfad0a19b4ae6aedbb2

        SHA512

        79457cac4bba237cfc796202d4594f84b5e44a3684fd90866a012b79ed07dc0a96f415b696730f24c9e5191e8a39e224f3b924d44c555bfdb4c5fdd5474a4bb7

        Download Submit
      • memory/1812-2-0x0000000000400000-0x0000000000403000-memory.dmp
        Filesize

        12KB

        Download
      • memory/3044-47-0x0000000000400000-0x0000000000414000-memory.dmp
        Filesize

        80KB

        Download
      • memory/3204-48-0x0000000000400000-0x0000000000414000-memory.dmp
        Filesize

        80KB

        Download