Overview

overview

10

Static

static

7

67ef27eaa7...cs.exe

windows7-x64

10

67ef27eaa7...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 01:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67ef27eaa7699822a686f8e37c63a1a0_NeikiAnalytics.exe

  • Size

    71KB

  • MD5

    67ef27eaa7699822a686f8e37c63a1a0

  • SHA1

    de66db9a4f3cf5b11d6dcbd81a8852404f80c81d

  • SHA256

    dc04c2065da561945a3b2986f24f0bc26ec4c750fd44fc9b4c4ffe561435f2d0

  • SHA512

    0c6307e74dad06684edcfb71c81c5a2db1b260919dcf6bba745ff416f92756b39b437d2a107ffd081f38799af86b728030ea3a0d49f71137f0d5fd80ae2068d3

  • SSDEEP

    1536:EFrmh0HgB3LKrL9AcnQFMc9zwR6i+BXvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvx:ec0HgB3LCqZMYXBZ

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67ef27eaa7699822a686f8e37c63a1a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\67ef27eaa7699822a686f8e37c63a1a0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1176
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3696
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4832
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4612
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:532
          • C:\Windows\SysWOW64\at.exe
            at 01:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:4524
            • C:\Windows\SysWOW64\at.exe
              at 01:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:4904
              • C:\Windows\SysWOW64\at.exe
                at 01:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1608

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          71KB

          MD5

          92a1ebcddf638e8583049f5cceb7b7c8

          SHA1

          392eda08227c66af9eecdc96ae5a0b81eac3dbbd

          SHA256

          039d8264596bd28942cb7e0e2e68d3b489597d63bb5f87b8271cca8e754bbc61

          SHA512

          da2c6c42cb293e3d46a88796e97a7f00e71e34997384e9dc10b24b304ae27ed1871ea96254a5246ea788567d4a39e9ab5ce6f9dbae08382ece5530d6bfbd81d3

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          71KB

          MD5

          1366dee0d9ffc190a188fd8bf1a1d41e

          SHA1

          4239a0caa45b517ef17d00602db53f7239a7de44

          SHA256

          20c85c0da69c78f1495ab53449fe871761e452bf65feb93c92f888918c2e7e08

          SHA512

          f5b0e563fb1b20bf7aa2f9c1333450a1bc3d00fa2941e5bb68a04db176ecb2537095ba4f747804e2f2438fe10dcf86adb39f9811c94ee86fadee01a1387d0d19

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          71KB

          MD5

          ab6e602075fe460a47808c91f208c1ed

          SHA1

          a5ec0ddc9dce178b9f53b91fa8b04ecb9ae7f831

          SHA256

          96cc0898c7c1f5ffe465f567df26d06fa83c07bc11cae3e2ffd3fb05e9766d6e

          SHA512

          4a6e61f76880c862355c497e839851a052fb4606097c64b1351ef3700f7ed6d7cbc863be84365a250ccc74b4ec5ca34237855512c77576fdb4a60567d59d540c

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          71KB

          MD5

          2991d64cfd60f98a960feb706c378db1

          SHA1

          838027e70e2bb018d1ac66a149bca90a290b80bf

          SHA256

          09cb68b725cd934bddf9bdf4ad620c70c58d3da850f44e87433b5f7847cd5e53

          SHA512

          9c04f03d54d2fd38c08ef9242aecbbeb1f63a7734a70edee34b6880cd40bb19c22cd29f02cd7457ada2e54f4b036072bc473e7d80086ef60b71f890c06bdf30e

          Download Submit

        • memory/532-34-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1176-0-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1176-39-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/3696-9-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/3696-41-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/3696-51-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4612-42-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4832-37-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download