Overview

overview

10

Static

static

3

719bea0f7b...cs.exe

windows7-x64

10

719bea0f7b...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    719bea0f7b927ed6dc1e0040b1d358b0_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    719bea0f7b927ed6dc1e0040b1d358b0

  • SHA1

    88b64a29556f66e75dcd47d129819a05584f3418

  • SHA256

    ee337ca89999e8f945c95e99f064ea4998518dc54a47d3fa299f310ab1813238

  • SHA512

    d7375e7807c106bf3f33b742ee141222b23b9d776427c6b984d99865de5e64cc27aa177702fdebdf1c8b63b887f3e97dba681ad7c907c8cb26d353ddc0a21dd4

  • SSDEEP

    768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3Imuo3gRYjXbUeHORIC4ZR:uT3OA3+KQsxfS41T3OA3+KQsxfS4N

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 14 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\719bea0f7b927ed6dc1e0040b1d358b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\719bea0f7b927ed6dc1e0040b1d358b0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4304
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:760
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1652
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4432
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5012
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4396
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4932
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2264
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5092
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1452
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3024
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4736
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3240
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2388
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    86f31c74619a28a0763985b522871899

    SHA1

    25721e70231e0f69c3f4c071a5ef5fc4d9a8538c

    SHA256

    f87185c82f8b5e69b03b37aa0c56e53b5baa5d5946801da909a5a2cd6c8ca843

    SHA512

    29a244d4cb53cc35a08d36743755cbdd3fb6581cec97d326925a5c967b3e9271191ae5337d35dc1ac077a20da7430dea3a1f72bc7e3852d1443a42b9cacdcdfe

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    7aead681dc313e41165d1ddddc0a32aa

    SHA1

    0788bedee8ab308d545648fe3410a83fcb4e7ac0

    SHA256

    88f061b0eca9b209ccf2d72eae8e67f29baba8fcc2d39c198fe5ed072507d26f

    SHA512

    790a36219ebdf7060e65bf759a185b995a2b52e6dd725f9e5ee832de11bf5bca5d2c4afd329a97f630c7d4950c8bfae146a9950489fb29460063102f44ab38ad

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    2de2bcd25739bba7f2e46ec22cba08f9

    SHA1

    f07db4bfcf935c8dd646acfe8a23adba85586e5d

    SHA256

    e7518695730c73a2e29478ea477ba923e169caeba1b91580e0dd05354d4d1288

    SHA512

    4ea70e13c58580cf0b0beb41bdbfc6bad6d401f58eedebeda07491048a9f92b61065d1f344a6f1d3a2672bdb19ae963c36691c4435b8eccf844d86aabae8e1af

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    ca29e531d490277d6da84db1eee32cb3

    SHA1

    9c79c82783c348bc555b889a5c2d755853ad04d4

    SHA256

    9c8791397e89a06a384e33c337d6b83da770a786b47ea64e7f93ad266d063f17

    SHA512

    8c08f9554aaf51a4b158d1ff6cfe94e39e9bc2cb6be62e234ad7366fbb6e41d6551d328f19cf3688de1644be394d3bab4f086bec6014234110e389d11b5e6b5d

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    6d76e1afde07c661187742aa6a6525af

    SHA1

    3c2a02a07a82335bd4eedda44388fe93f57350f6

    SHA256

    40748205e5d097a275b2fd74930ac14ef370d91c3865bb9185785265cd56ad2a

    SHA512

    5985a0cd9734880a913d04c00bf4ebac7aa69cdc55a26f56f1ea26148c8036096d9d6cbc7133d128fd0e474252693a6838d5685a5f2c43687797c3c18d665d02

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    ede9cffb93aca362be927683baa9a186

    SHA1

    bdce24b4a3ea5207989e55428d572327265de613

    SHA256

    fe02a8fd30df2e01cea19f26dc3805234b923cfa1f7adf7aacc1eba6d8ae76a5

    SHA512

    613ac69901cb93c7d36f09440c04567d0fb76e366f8e009667164a49b1161af33cd8496e0001c9d24559b9b99a81afacdf53a3b525952e4fcfd3e04cc3044022

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    142d9d5223f06541fb7cdd8c969f0b26

    SHA1

    5d8a6247df460ee3ab8693dbba1f23a4fa5388df

    SHA256

    3f12b0d8dc1bf37a1ee12f45facaef8be00345e96e6e1ce760b4ed8e2827834c

    SHA512

    d181b4bbaa126e34d39feaf4ada413fbb9d40a914b2b58746321754d07f7df0af5965acbac51995073a7741fe53f33d583efb6328b349b6c76c6f46fb0472601

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    43bab5acb06130fbe181a43112a7b7b7

    SHA1

    6721b9752b267e15365cbcf8aa1cda7263da549a

    SHA256

    79374ccccf105ec67b3acfa50b550b5c57469fe0cc95f64651148163433d0de8

    SHA512

    91023641ed204feb53d5d453f212690a50bdb964d97abb554f7fc66930b47044243eb4f1f511deaf5b17af7456a3d3295b0b88f466a68258f1b62a398143e43d

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    1035a2a735351aae7189f00b6c9ac135

    SHA1

    d0a81162b6a5cc5c636e76a82567fc58ee62002e

    SHA256

    abf30940d0249dc7d3d269d7ff24e77d5c4e39c61672c040c294ec6f5a8d8191

    SHA512

    acf127c461cee9be95139f7698cf3dd4e5aeee66386dd9305be3b7b3261d8e3394cfe5d96c43a3ec7b27c956442859f2a5330efe9f52deed2f318798368d8b4c

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    ba526dad89ecb142aa2fbfca71d3b251

    SHA1

    b0d95d9b83436b639d630ec592441f4d6d27f380

    SHA256

    ae8778553c862b4fe37c27d8b42a3c06c0a189e3c91c638384f711aa26128d69

    SHA512

    d56732db7f3cb488f21194be9d1cbbc7040d2d7d6f926022d61268fd77e38b5def0cefdd148ca90f692fb94959a3a6b0a40a5982a7e6ba98cca985201603ae04

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    719bea0f7b927ed6dc1e0040b1d358b0

    SHA1

    88b64a29556f66e75dcd47d129819a05584f3418

    SHA256

    ee337ca89999e8f945c95e99f064ea4998518dc54a47d3fa299f310ab1813238

    SHA512

    d7375e7807c106bf3f33b742ee141222b23b9d776427c6b984d99865de5e64cc27aa177702fdebdf1c8b63b887f3e97dba681ad7c907c8cb26d353ddc0a21dd4

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    05b902c71e6d5a33e9b8137f91b44b95

    SHA1

    dee07f58fa6c440b87ee0caf7af960a8bc71b43a

    SHA256

    dd301f48f9bb2c1f2c0f401a2413d91c1bb4644b6aa08c3d47ec3a0de3249674

    SHA512

    51d2b744ec54de7a61dbbc0c2baef45b2832f1531ffa78fbcfd21f2ec23d1b656aa0d3635939f86dba95f9629477a5d67f99d2a11c257537769a6096ec77e0f2

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    1b2529e5ae861beec45d7f21f7c23e09

    SHA1

    9b50ac2c3ff057e67563c0df64016f2f0caf674b

    SHA256

    15f11fc5bb54f2140988e473e86f8d5d367654adea0c65c3132d09d97d4e9fd9

    SHA512

    124f20b00cf9c2b44e2391463f9ef75d70aa90d4f723fb1a4a203d064b7e0658081248a45e7518ac6fe09259f9f7544b9b9305d0c2f755c8fad5f72485a095ae

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    5e3003ffed25fd646cad19e34fbe2522

    SHA1

    1a1dd953be3fd2ee6f5298cb4af710d9262f15ee

    SHA256

    d32789c286752050cc417935aadd78b6a94c542358a4129b931c094419a62548

    SHA512

    a24ced25e5662bf88a20fe398402cced48d7cfa0839ef2273ee0387a54d6f286e0717eb715a5502a7291c20d2fccfc025c7a96042d5250c1f61791e23f78e3db

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    761b33153aa82c95be2043169d573151

    SHA1

    5ea84d3dbfbf8d78fabb5946ba7f7972acd7c448

    SHA256

    6d2d842d1bb1f2b026ab43d41e2da2a02105fadf4d8350d00a3801c00e5ab0e8

    SHA512

    d3257f09f0f38447f9dc6b92d1250408dd5250408fff9e919a4bff1fa8a89ebab80ab13021bf03255af1c4803d112b45fe6ca911b51ddb57442c932a5a43e213

    Download Submit

  • memory/760-118-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/760-115-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/760-113-0x0000000075720000-0x000000007587D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/760-112-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1452-229-0x0000000075720000-0x000000007587D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1452-233-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1652-122-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1652-123-0x0000000075720000-0x000000007587D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1652-131-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2264-169-0x0000000075720000-0x000000007587D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2264-176-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2388-261-0x0000000075720000-0x000000007587D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2388-266-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3024-241-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3024-236-0x0000000075720000-0x000000007587D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3240-258-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3240-256-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3240-252-0x0000000075720000-0x000000007587D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4304-2-0x0000000075720000-0x000000007587D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4304-150-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4304-299-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4304-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/4304-3-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4304-4-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4304-301-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4304-302-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4304-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4328-269-0x0000000075720000-0x000000007587D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4396-152-0x0000000075720000-0x000000007587D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4396-157-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4432-136-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4432-132-0x0000000075720000-0x000000007587D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4432-138-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4736-244-0x0000000075720000-0x000000007587D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4736-249-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4932-166-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4932-161-0x0000000075720000-0x000000007587D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/5012-147-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/5012-142-0x0000000075720000-0x000000007587D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/5092-227-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/5092-221-0x0000000075720000-0x000000007587D000-memory.dmp

    Filesize

    1.4MB

    Download