Analysis

  • max time kernel: 119s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 23-05-2024 01:13

General

  • Target: 6a7f8cb0ff15115cf22c26632f32be10_NeikiAnalytics.exe
  • Size: 164KB
  • MD5: 6a7f8cb0ff15115cf22c26632f32be10
  • SHA1: ea4808db776db80201d1fb7d2d120c1a272d50e8
  • SHA256: 06df316ed73f3d0c94e2596cd4a0a199fafe4d3bdb4ef3cb1759469eb07569e7
  • SHA512: 35c53142f0e68b6eb9cf9e30216c19f2e4628139ebf6a4bc2385b79921d5193777eb674efa773a46654c981c4a54fec7c85b001ad8612f9ae2141946eb061f46
  • SSDEEP: 3072:Ax/zF/ulxEf0s+protYf3soixGNdQQVlxDZiYWuw1WKt:AxLFQcN+hoyEoi4Ndxd4uwI

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a7f8cb0ff15115cf22c26632f32be10_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6a7f8cb0ff15115cf22c26632f32be10_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2848
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2976
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1836
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1848
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1288
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2376
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1856
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize: 164KB
    MD5: 6a7f8cb0ff15115cf22c26632f32be10
    SHA1: ea4808db776db80201d1fb7d2d120c1a272d50e8
    SHA256: 06df316ed73f3d0c94e2596cd4a0a199fafe4d3bdb4ef3cb1759469eb07569e7
    SHA512: 35c53142f0e68b6eb9cf9e30216c19f2e4628139ebf6a4bc2385b79921d5193777eb674efa773a46654c981c4a54fec7c85b001ad8612f9ae2141946eb061f46

  • C:\Windows\xk.exe
    Filesize: 164KB
    MD5: 21cc1375b9889f98716a33e8e8e06ffa
    SHA1: 6ea46ceec20cba70e3c457f0ca338423ee18fd70
    SHA256: db7f536c1a5ad32973594758ed9d71167c68459858aace37a4f92b7c907638c9
    SHA512: ab7c01f0b93a34ad1cc36a9a9324f3e6ec1bb46f24becafcf40993c93cb9b31653454ad91cbed7c3a5c17b6ab7881e2ceaabc95144594d3779a0f472c28ab9ae

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize: 164KB
    MD5: 2d0687e4c33edf88df7f685e3e6f0c55
    SHA1: c09b89af5df0fe3e82001b0e7ca8b396acb532eb
    SHA256: 71d376ece75f95a1dfe6f72115f83913c89c15df873845e12dd55a712123f7ac
    SHA512: d7072fcd5eac29fb11f909dd44e7e6003628faaf76d71a60e938fa0815b2c01ad4b285f526bdfa27815078cc19d958093c6bd34d8b3074f6ad0f4b3d1ecbecce

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize: 164KB
    MD5: 124bc9960b34c7d08226c785a77099c1
    SHA1: 7134299456ac7a20889e51e1932d15b1f606f13b
    SHA256: 3858520303b6bd00dc35b25aec0dc9bfd00c17cd764e5eb7ac03c4532aba3694
    SHA512: aa66f34c336c690136c7db09ff0c558c905afb3fd0c32a86143ea6548282b37e69614f544c5c1e18b8bacad296d436f41d53c28ac31ccd059bb6453a69491792

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize: 164KB
    MD5: 0fe30339e1a9bc8d6dc5d001d18786f7
    SHA1: ddf19d04a82d492693efe87964a125b50f79d6e5
    SHA256: 9433c43df3911019ba494f412a11295cf0f02e2a425f11204993568bfb9df7af
    SHA512: 7bcb4fa2f0653c281bf996ffcc515057cca81052527c6337eb1010f50177747657c734f898e749299d2d8201350c4351f214801e7dfd962fb1f0abd07236d67d

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize: 164KB
    MD5: 18fc509aa65403dc9b3feea3866aec05
    SHA1: 74c740c65892e1ecb3333bcf5f8aa58c022ed4e5
    SHA256: a6a176aaa117265fb07f80006c6a2e61af2833b7dd9b5d0eb487ceff6327c895
    SHA512: 46860a3c3ae62a58a6adb3ec40cf8e7548b28c7275ec64462aece6ab04bc9ddf0127389fb96ed04a06468caf4f5c576281cdc1502b640faabc4a7a48c14dbc09

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize: 164KB
    MD5: 95e9e157c76cb734f529ea19c4f57040
    SHA1: d0a511788579cca3433e21a874e79217c6e0f783
    SHA256: 43d99bb39fa50fbb55d4876bcda99c1772a325ad232b9d93937c119065f34f11
    SHA512: cd393c58a8e76442b2c3ef8f86fc416f1240818cd1ab4d0a47ceac0a882fa481f6dd858387428c32af4367696a39fa07df3ec8fee44b4244ffb3990b9f72a202

  • \Windows\SysWOW64\IExplorer.exe
    Filesize: 164KB
    MD5: 9defd4d64882ef4d8664e6726d1808a6
    SHA1: 2ca89f5ffba5078f1a02944300412dcf5302fde9
    SHA256: 3897a952ab7f6fc57ee7e6e05a686b03763c18d6d65ca844d5c0f9bd5af10582
    SHA512: 0e8308a0ecfc2b0876f61b3cd763130b43d935e1f0f8dc1b1e707741c3d2b83a99549b248dd6c80a1e3d4dda3c0ae18562e628c29fd5f2f1d30b625a7fd82a30