Overview

overview

10

Static

static

3

719bea0f7b...cs.exe

windows7-x64

10

719bea0f7b...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    719bea0f7b927ed6dc1e0040b1d358b0_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    719bea0f7b927ed6dc1e0040b1d358b0

  • SHA1

    88b64a29556f66e75dcd47d129819a05584f3418

  • SHA256

    ee337ca89999e8f945c95e99f064ea4998518dc54a47d3fa299f310ab1813238

  • SHA512

    d7375e7807c106bf3f33b742ee141222b23b9d776427c6b984d99865de5e64cc27aa177702fdebdf1c8b63b887f3e97dba681ad7c907c8cb26d353ddc0a21dd4

  • SSDEEP

    768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3Imuo3gRYjXbUeHORIC4ZR:uT3OA3+KQsxfS41T3OA3+KQsxfS4N

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\719bea0f7b927ed6dc1e0040b1d358b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\719bea0f7b927ed6dc1e0040b1d358b0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2292
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2576
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1588
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1672
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1612
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1600
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:640
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    f818c6ebca0e51026d6860af728bc6e1

    SHA1

    fc1c71c4cfdb7105be9191c4de13073a400b3044

    SHA256

    66da54b49df2a959dad3e6274a15c67393d5ed2fd2e39302fbbd1bb927812111

    SHA512

    beb4863e2d6ba1a8a6d2ea3a1a8fd9b0bc9a1e1dd9865b1c8cd0b8def25d45ce5c9ecd4bc7eac0c57eebe456f9ecc842b46fc078637353930e420381ba15179e

    Download Submit

  • C:\Users\Admin\AppData\Local\services.exe
    Filesize

    91KB

    MD5

    719bea0f7b927ed6dc1e0040b1d358b0

    SHA1

    88b64a29556f66e75dcd47d129819a05584f3418

    SHA256

    ee337ca89999e8f945c95e99f064ea4998518dc54a47d3fa299f310ab1813238

    SHA512

    d7375e7807c106bf3f33b742ee141222b23b9d776427c6b984d99865de5e64cc27aa177702fdebdf1c8b63b887f3e97dba681ad7c907c8cb26d353ddc0a21dd4

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    3fc75e257e199baac87dc72e5ae50e47

    SHA1

    c9158b4485bfcf37033bb34cc9605af67bb07e13

    SHA256

    4170d5cb349d1dfae6645fe8b7f7d19bb9e28b2b6a86fa184f881f823f7ab3c3

    SHA512

    2843cd75faf7bf6df2c0cf61e3b86ada1a8762fc1e5772abdb15c296e746407462cfa128fc9c0d0984a106d7109586c11087bbad2f10be21a563433824fe2b7c

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    942a260f63f64be55592928e9e44d0d4

    SHA1

    c474b26afccce5d611936d1e3d3b3c9ada53ec18

    SHA256

    a52f63f6dede34463a7e240fa8a3e99d8ac05971d22361e0f473f52c57872f1f

    SHA512

    a6b721e0b2e72e3ca646fd01e13bf49c4b6781d45a42c9d4a715e9c67c5c1cf566e208b405cc37e55f4b3dcde88cf50bb50088e0e0f3c706b5aa055e245b9710

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    de2f81f034e49fc87d6624295a79be87

    SHA1

    2bc722ce6b9c703f6428a71227175828389b08eb

    SHA256

    06d81ef45517c540bebe42dcb75320caa67cc641abe66df273ee9f2ae5561948

    SHA512

    d68bf520cad9ccfe06e408c5c77476758d371c463ac900968786d4c93301be6ddfd233c4e5fa6dad3db8be53cef3df11ae4dfeafd9b31c2bdae76c441ed5750b

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    6a6b4950a918ee665592ec5cb68ecab6

    SHA1

    d6b7e64199922de14809c9dcba89e100af7bacae

    SHA256

    50340e653170632f5a207a113d787a52e9959c8b651f73c17fd0ac22bad59eb0

    SHA512

    179fd9da6189cc511ebd14a25cee66e5829b0e4505d85820b70bed10831c9009a434efc9c01a90c57e2e1407300b1ca6f8e961a72c6194e023481ca685bc14d0

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    b30c4b548ff545a5d0e09ed5e885ce2b

    SHA1

    dc524b05fd49bfc8d00ec75cf124744f6d899c35

    SHA256

    ba7b4fd16c61ff1cc08806bcf581fd77849605143c8def4a911f7aa05c9a08e2

    SHA512

    5beec0edee95658f171172963255a8c19539aa9ecc38e8b05a906e39713539381f309d9f7fb504884c5e96d25ca9cbfbf3d8bcacf1e90bb81e4fbdf80617061d

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    926faedeafd9ed55c75b7aee913e843b

    SHA1

    6796842b951052940cf16d9f70d57af30dc02aa4

    SHA256

    cda9dc84dbd561a838471283e523d3af0a1514c90be6f93c9f4b3af8a12aded7

    SHA512

    bf5d1c528abfbb14758f177221ce5a3e2bee62cfccdbd476a3def84fe1da1884245651545bc00ac1af32095c09bb3ae14d187722446c5f81102339dd2fadfb8b

    Download Submit

  • memory/640-196-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/640-191-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1588-131-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1588-135-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1588-137-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1600-183-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1600-177-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1600-181-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1612-176-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1612-167-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1612-163-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1672-149-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1672-151-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1672-145-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2028-204-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2028-209-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2292-3-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2292-1-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2292-154-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2292-130-0x0000000001C80000-0x0000000001CAC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2292-211-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2292-123-0x0000000001C80000-0x0000000001CAC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2292-210-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2292-115-0x0000000001C80000-0x0000000001CAC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2292-116-0x0000000001C80000-0x0000000001CAC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2292-160-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2292-2-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2292-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2292-4-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2292-161-0x0000000001C80000-0x0000000001CAC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2292-156-0x0000000001C80000-0x0000000001CAC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2576-117-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2576-113-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2576-121-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download