Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-05-2024 01:24

General

  • Target

    6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe

  • Size

    8.5MB

  • MD5

    6c9399a87e0672b66fa26a39fcddaad0

  • SHA1

    3e6c7d6330948aec97e7f2e62b776d84c0ccee09

  • SHA256

    e8ba0fe4c967dce850222941594ee24a54497b6c5faa745ba5a923c5870783b3

  • SHA512

    6c17741b6f055f0a42e45bcded53edd8f6b548e61549bbe97cb0dfc2d1188329644f55143d519f38a6dff630bf7836a7f2e7e82463b66b502a28e8ee5679d512

  • SSDEEP

    196608:eIVCzv5nF2CoAKQ5/X5bEN2tm5pOuU3TcLWGO7djZkrC5RQe:eIVCT5UJAKQNX5bENYm5IV3TcLWGO7t/

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2464
    • \??\c:\users\admin\appdata\local\temp\6c9399a87e0672b66fa26a39fcddaad0_neikianalytics.exe 
      c:\users\admin\appdata\local\temp\6c9399a87e0672b66fa26a39fcddaad0_neikianalytics.exe 
      2⤵
      • Executes dropped EXE
      PID:2076
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2744
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2916
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2600
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2392
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2612
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:26 /f
              6⤵
              • Creates scheduled task(s)
              PID:2416
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:27 /f
              6⤵
              • Creates scheduled task(s)
              PID:2296
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:28 /f
              6⤵
              • Creates scheduled task(s)
              PID:568
        • C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe
          4⤵
          PID:2552
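The tree above shows the two artifacts a responder would hunt for on other hosts: copies of explorer.exe, svchost.exe and spoolsv.exe executing from C:\Windows\Resources instead of their normal directories, and three `schtasks /create` calls that register a daily task named "svchost" whose action is the dropped svchost.exe. All three calls reuse the same task name with /f, so each overwrites the previous registration and only one task survives; the only thing that changes between them is the /st start time, which advances by one minute per call. The Python below is an added example, not tooling from the sandbox or from the sample: it parses (image path, command line) process-creation records of the same shape and flags both patterns. LEGIT_DIRS and SAMPLE_EVENTS are constructed assumptions; the legitimate directories are the Windows defaults, and the sample records mirror the tree plus three benign controls.

```python
"""Hunt for the artifacts in the process tree above: system-binary names
(explorer/svchost/spoolsv) running outside their legitimate directories,
and `schtasks /create` actions pointing such a name at a rogue path."""
import re
from dataclasses import dataclass
from ntpath import basename, dirname  # Windows path rules on any host
from typing import Dict, List, Optional, Tuple

# Legitimate homes of the names the sample reuses (Windows defaults; an
# assumption to tune per environment).
LEGIT_DIRS: Dict[str, set] = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)
_SWITCH = {k: re.compile(rf'/{k}\s+(?:"([^"]*)"|(\S+))', re.I)
           for k in ("tn", "tr", "sc", "st")}

@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str

def norm_path(path: str) -> str:
    """Lower-case, drop quotes and the \\??\\ NT prefix shown in the tree."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    return p[4:] if p.startswith("\\??\\") else p

def parse_schtasks(cmdline: str) -> Optional[Dict[str, str]]:
    """Extract /tn, /tr, /sc, /st from a `schtasks /create` command line;
    None for any other schtasks usage (query, delete, ...)."""
    if not _CREATE.search(cmdline):
        return None
    fields: Dict[str, str] = {}
    for key, rx in _SWITCH.items():
        m = rx.search(cmdline)
        if m:  # group 1 is the quoted form, group 2 the bare token
            fields[key] = m.group(1) if m.group(1) is not None else m.group(2)
    return fields

def _rogue(path: str) -> Optional[str]:
    """Directory of `path` if it names a protected binary living outside
    its legitimate directory, else None."""
    legit = LEGIT_DIRS.get(basename(path))
    return None if legit is None or dirname(path) in legit else dirname(path)

def masquerade_check(image_path: str) -> Optional[Finding]:
    """A well-known system binary name executing from a non-standard dir."""
    p = norm_path(image_path)
    where = _rogue(p)
    return None if where is None else Finding(
        "masquerading_system_binary", p, f"{basename(p)} launched from {where}")

def task_check(image_path: str, cmdline: str) -> Optional[Finding]:
    """A scheduled task whose action runs a system-binary name from a rogue
    path (the 'svchost' task registered three times in the tree)."""
    task = parse_schtasks(cmdline)
    action = norm_path(task.get("tr", "")) if task else ""
    if not action:
        return None
    exe = re.match(r"(.*?\.exe)\b", action)  # strip trailing arguments
    target = exe.group(1) if exe else action.split()[0]
    if _rogue(target) is None:
        return None
    return Finding("scheduled_task_masquerading_action", norm_path(image_path),
                   f"task {task.get('tn')!r} runs {target} "
                   f"({task.get('sc')} at {task.get('st')})")

def hunt(events: List[Tuple[str, str]]) -> List[Finding]:
    """events: (image path, command line) pairs, e.g. from Sysmon event 1."""
    found: List[Finding] = []
    for image, cmdline in events:
        found += [f for f in (masquerade_check(image), task_check(image, cmdline)) if f]
    return found

# Constructed records mirroring the tree above, plus benign controls.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\Resources\Themes\icsys.icn.exe", r"C:\Windows\Resources\Themes\icsys.icn.exe"),
    (r"\??\c:\windows\resources\themes\explorer.exe", r"c:\windows\resources\themes\explorer.exe"),
    (r"\??\c:\windows\resources\spoolsv.exe", r"c:\windows\resources\spoolsv.exe SE"),
    (r"\??\c:\windows\resources\svchost.exe", r"c:\windows\resources\svchost.exe"),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:26 /f'),
    (r"C:\Windows\Explorer.exe", r"C:\Windows\Explorer.exe"),  # the real shell
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    (r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Run as-is it reports four hits (three rogue system-binary names, one task); feed it Image and CommandLine pairs from Sysmon event ID 1 or Security event 4688 to hunt across a fleet. Matching on the file name and directory rather than on hashes is deliberate: the dropped copies are distinct 135KB files with their own hashes (see Downloads below), so a rule keyed to the hashes of the genuine binaries would never fire on them.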

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\6c9399a87e0672b66fa26a39fcddaad0_neikianalytics.exe 

      Filesize

      8.3MB

      MD5

      96c68607df3fca21a1c3e8686c5eb9c5

      SHA1

      902cc5c653810df5f4a484e1b4b8ea7e9b45d763

      SHA256

      b72bba5e11d761104bb218359180739f443881bcea06e55f860556e60705399e

      SHA512

      4fd7fbef26edcea97c380f31169986521f677f81c92ae6e2a3fd304a9c3fc2b325d9e203bdf793ecec9c5a1ed96a4b59dbc847b948a7774250651b93f90ae321

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      135KB

      MD5

      d8e886cab42dfd2fc393478f96ab7a8b

      SHA1

      2340d8e6ecfa21984e4552874a3164096e15e9e8

      SHA256

      d15c9cc0cac339d305b26da55bbd2f2d81436a0c77053ac7da11fdc33d124b79

      SHA512

      e01b575f784c0b319c1fb72d00c9475ee73f876ef3342d2ef99c0be0eea1087c7146db91b74840c07ec4040554771f40a1e2192f0863834fd4da6c5b25a64c51

    • \Windows\Resources\Themes\icsys.icn.exe

      Filesize

      135KB

      MD5

      4d8b41532f724399cbad05db215f5d3a

      SHA1

      1c2d10cb047f123b21bd11e7259dbd0d99370708

      SHA256

      87f289b0dc81884e72950d9eb8ea729f44389b2d5d7d6f7c810d61a64098204c

      SHA512

      c80e4861d58f572363c9bfbac1044e439917439a907bd80958e88485a94e81046c751a5ae2c9d8aeeb664d263c943c42d542602cd26326339fe68e241d63db5d

    • \Windows\Resources\spoolsv.exe

      Filesize

      135KB

      MD5

      dec49a24703cc3cc9a9dc910b3329f31

      SHA1

      cf8d12b9e64b0c0c701a304ecaadc07a17bfce68

      SHA256

      ae7adbadc72796cf8ddf4743ddb09d08bc291c5e60ee6b916a246226adbd8334

      SHA512

      8d49b92c7b0710443b7fecb93cfd6f1ec40d7c41f4b833e4a434d30013b5e1e8f4331731a78ec4e4b0e05f33fd7acf643d50e29015716fe17f0c99cb2a9c1ddf

    • \Windows\Resources\svchost.exe

      Filesize

      135KB

      MD5

      9dec09c889f83f795f51ee9e8ae1bc5e

      SHA1

      2ecfb4b8b27962019cba4178f1e76e2ddc514ba6

      SHA256

      18eb1f5db33afd75ad50809796ba7c6731f70d987b74d6c986b27f96edf77040

      SHA512

      d9c3309a9de6f550cb76f048b6d0254b9d0c6284805c67caab69515bd95587b40c631c1497918f22a1fc1722f32457f2198c09e5659467fe713f0481b293007c

    • memory/2464-10-0x00000000005B0000-0x00000000005CF000-memory.dmp

      Filesize

      124KB

    • memory/2464-58-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2464-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2600-45-0x00000000002D0000-0x00000000002EF000-memory.dmp

      Filesize

      124KB

    • memory/2600-56-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2612-55-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2744-57-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2744-21-0x00000000002E0000-0x00000000002FF000-memory.dmp

      Filesize

      124KB

    • memory/2916-26-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB