Analysis

  • max time kernel
    150s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/05/2024, 20:49

General

  • Target
    85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe
  • Size
    71KB
  • MD5
    85a2f3e1bbba2dee5f48b736b9c58110
  • SHA1
    d3689b7dab0bf9973fa339308d8e17a3d9e15a42
  • SHA256
    dfb251be37c23f16b9a73eebc3eb338926993d0dcf70578fd31c79105836d377
  • SHA512
    5c201d6800e5c816b54a9e614910c90290970ab962454fda5a36af5b6e0d582f48aaf346704270ba9e2d4c96b1e6cccec3bfb11a2ca683062486d20e4822e2b7
  • SSDEEP
    768:EXKeT2Si83nLt8tkGX8uxOHgRrW5YLKG9Y/HrSNm0kmG7xMsVAnc3yy85SBiLFMR:EFrmh0HgB3LKrL9AcnQFMc9zwR6i+B+

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3764
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4716
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1308
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5104
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3084
          • C:\Windows\SysWOW64\at.exe
            at 20:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:4360
          • C:\Windows\SysWOW64\at.exe
            at 20:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:2124
          • C:\Windows\SysWOW64\at.exe
            at 20:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:3652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe
    Filesize: 71KB
    MD5: 5d560457605d3075c7a884c3fd3435a9
    SHA1: 2d7d99e934b6104222e289c7d8d2cee8865e4359
    SHA256: ef61af9443e5a133975a107d31eef0c1406804f77260ad711811961a864e52f2
    SHA512: 40627302134d6decd3b6ae3b3e285e3dbefc0f1600f87b9975cbaccd4fe8d5c2a65d8ebb9a5f5f2f9d2bccd36af784620799c34dda2cce0b539fb39b57c448fe
  • C:\Windows\System\explorer.exe
    Filesize: 71KB
    MD5: 0d6f825c9cb818310835d17b9ba59674
    SHA1: 87e02a53c44aed3aab31722e728c952e2d625628
    SHA256: 20305b02352cbc5be2cbd216321216cae0b55b2b0e04b1f9b438776a40abd5f1
    SHA512: 7d27f8219dacbca417ec1642eca37045a334f50e0029a1fbb1a1660dbbc3e1c8dc6ccaa323418d53041ce1d3b9b9d8acccd998df40ceb81d8c736b1e61440546
  • C:\Windows\System\spoolsv.exe
    Filesize: 71KB
    MD5: 0127605e4cadc9581ec54f0cce6981a7
    SHA1: cad1375fd730361bfbff6bf61a32c244d3764223
    SHA256: 8057d7bad7d138fdd65b528ec72734e67fdf97db58f72efc5ddd5747139ab93f
    SHA512: a03a5e622897c014be03c11682b8424173ea88d6ef47a1197ed9c401b5e4819d6df336c78d56c5ce65b0a3f6b5f9e4dd7f668f151e33dd9d390abdf04bf86ea9
  • C:\Windows\System\svchost.exe
    Filesize: 71KB
    MD5: ad33c328e313054703749f5e4ee2d711
    SHA1: 44184f2db17480106807326af2209fdd1f9e8e94
    SHA256: 7f3bfe1d23471bd6fef692a3b8a785c7334f3e44d8cd1c1c70628b079666dc6c
    SHA512: 91a075a2ed74e362155d79c38922f57fc305277de798e934ee5528584a75fd47fdb3def52b1c5ad22fed5f238f2d4eb0acf255389d4c1f1dfe43bcce40686803
  • memory/1308-39-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB
  • memory/3084-37-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB
  • memory/3084-31-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB
  • memory/3764-0-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB
  • memory/3764-42-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB
  • memory/4716-43-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB
  • memory/4716-53-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB
  • memory/5104-25-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB
  • memory/5104-44-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB