Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
23-05-2024 09:03
General
-
Target
e3097784e859204168742bae3aeaeef0_NeikiAnalytics.exe
-
Size
70KB
-
MD5
e3097784e859204168742bae3aeaeef0
-
SHA1
43e909f5c34d288f4e40992e8c0599a61b2e0678
-
SHA256
4dacd8b160b43ac9f49dc88e75b2edb6f60006001ddfcaf23e48190281ba3351
-
SHA512
9610538cc5c11a5ac7140ef42a0ffee3903fafc7583aa395f44ae30cabce5c3a99f42a1c373b9c76cf15f14833966b7b5bee854eb5b266fe156fc4a456f61df5
-
SSDEEP
1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8slN:Olg35GTslA5t3/w8q
Malware Config
Signatures
-
Windows security bypass 2 TTPs 4 IoCs
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
Sets file execution options in registry 2 TTPs 3 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Windows security modification 2 TTPs 4 IoCs
-
Modifies WinLogon 2 TTPs 5 IoCs
-
Drops file in System32 directory 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\e3097784e859204168742bae3aeaeef0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\e3097784e859204168742bae3aeaeef0_NeikiAnalytics.exe"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\eankinuf.exe"C:\Windows\system32\eankinuf.exe"3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\eankinuf.exe--k33p4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\olbukuc-ofid.exeFilesize
73KB
MD5dc13dfeb9a265dc09d672debf6e70a9f
SHA1313c686f9908987838271c578afc7d66a61896de
SHA256579639c18a9897dcd2ba8aa24170b1c2b1efe69a1cbb49df9b08e30e84c96a28
SHA512f65acb980c80c671479fe20a543720ecf3ee43510053e7b65b53da99c6ff5e157ded70dd48b7a50a891443e4c25a4aa24df1a1054affe39caa25efd870a6d725
-
C:\Windows\SysWOW64\orxoatob-atoab.exeFilesize
72KB
MD523dd3ad1f11c0b9642b392f11660d234
SHA1a43718b0abae52d6a761c5a4c890fc7fea454930
SHA256641175d2227944425ce24e6b4a388b1c8dba396d68f338d87337242932bf1421
SHA512b881c99c93f80c0b77f008d402cd6bb532ab31dbea71d324092117703463f43cb07340e47111cf2048645364b323ccd68fcd338bf610fb2f3085c4a5e52b5e85
-
C:\Windows\SysWOW64\ovfixop-useab.dllFilesize
5KB
MD5f37b21c00fd81bd93c89ce741a88f183
SHA1b2796500597c68e2f5638e1101b46eaf32676c1c
SHA25676cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
-
\Windows\SysWOW64\eankinuf.exeFilesize
70KB
MD5e3097784e859204168742bae3aeaeef0
SHA143e909f5c34d288f4e40992e8c0599a61b2e0678
SHA2564dacd8b160b43ac9f49dc88e75b2edb6f60006001ddfcaf23e48190281ba3351
SHA5129610538cc5c11a5ac7140ef42a0ffee3903fafc7583aa395f44ae30cabce5c3a99f42a1c373b9c76cf15f14833966b7b5bee854eb5b266fe156fc4a456f61df5
-
memory/1688-10-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2168-56-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2636-55-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB