Analysis

  • max time kernel
    144s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 21:18

General

  • Target

    8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe

  • Size

    504KB

  • MD5

    8be482bcf68d63264a05be9609c947d0

  • SHA1

    f77f6a0bca5cc8ca6dc61b2879c0206223218d6e

  • SHA256

    aa59eb46bae7e3596d4077f90d0e761347f231483a381b12c63e81a54381eef5

  • SHA512

    482e93c2fd1fe301b2d3a74ae069be0916aae96010cc99e8ec82f7fc60a485eb25e860dd22d1039bab928d05e12785c39d9288cf64c1a07be18fc1e0f3bf0f51

  • SSDEEP

    12288:tPmTkT0+nXTv1d5Jo/H4a6ZeUOHFVS9Qg:Vmo4IXhd81rS

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:460
    • C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
        C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4600
        • C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
          "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4088
          • C:\Windows\SysWOW64\ipconfig.exe
            "C:\Windows\system32\ipconfig.exe"
            5⤵
            • Gathers network information
            PID:1996
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 272
              6⤵
              • Program crash
              PID:716
        • C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
          "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
          4⤵
          • Executes dropped EXE
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          PID:4544
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"
            5⤵
            • Loads dropped DLL
            PID:220
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"
            5⤵
            • Loads dropped DLL
            • Installs/modifies Browser Helper Object
            • Modifies registry class
            PID:112
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1996 -ip 1996
    1⤵
      PID:4940

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

      Filesize

      504KB

      MD5

      52655b32ac350f61e86e26ded74dafcf

      SHA1

      cd0473d1b6241cf6e87369edfc7c46f34878f7d2

      SHA256

      c3a6e70a31781036b668c693f124e8b134edb7de5c3819764375b501440b1cbc

      SHA512

      c2271ef44b46924492cff6482915cb63bf0d71d770f99ff23beb7bcc86343ba73746d3a0c5438ee721541d2e48dfc17ecf21ffc6dbe19d5369e9c028806e93e6

    • C:\Users\Admin\AppData\Roaming\IE\bho.dll

      Filesize

      87KB

      MD5

      49a92a33d1775b45b3bd45f8bec24585

      SHA1

      ea404af50bbdad5cbc9f95f4068bdc30c9fceff6

      SHA256

      976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5

      SHA512

      7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f

    • memory/460-3-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/460-5-0x00000000007A0000-0x00000000007A1000-memory.dmp

      Filesize

      4KB

    • memory/460-8-0x0000000002290000-0x0000000002291000-memory.dmp

      Filesize

      4KB

    • memory/460-7-0x0000000002280000-0x0000000002281000-memory.dmp

      Filesize

      4KB

    • memory/460-6-0x0000000002220000-0x0000000002221000-memory.dmp

      Filesize

      4KB

    • memory/460-0-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/460-13-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/2796-9-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/2796-24-0x0000000000410000-0x00000000004D9000-memory.dmp

      Filesize

      804KB

    • memory/2796-26-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/2796-11-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/4088-169-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/4088-51-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/4544-90-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-81-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-172-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-47-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-46-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-45-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-44-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-43-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-42-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-41-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-40-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-89-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-98-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-97-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-96-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-95-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-34-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-94-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-93-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-92-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-91-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-36-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-88-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-87-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-86-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-85-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-84-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-83-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-82-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-52-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-80-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-79-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-78-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-77-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-76-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-75-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-74-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-73-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-72-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-71-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-70-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-69-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-67-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-66-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-65-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-64-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-63-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-62-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-61-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-68-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-54-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4544-37-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/4600-38-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/4600-27-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/4600-33-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/4600-21-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/4600-49-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB