Overview

overview

10

Static

static

3

a69c9a69bb...cs.exe

windows7-x64

10

a69c9a69bb...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    24-05-2024 04:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a69c9a69bbe789a53a77e8d56f6925c0_NeikiAnalytics.exe

  • Size

    53KB

  • MD5

    a69c9a69bbe789a53a77e8d56f6925c0

  • SHA1

    0ee591f2e862794fa7fe3bdbd6fc6c3b24174213

  • SHA256

    35ba2e4be66c765a79b4bc31d60b486619c26cd9fae3ded00c7aa1d1de664837

  • SHA512

    740dc82e9e5b35f2e42f4bee30f6ce20fbddb9d923d61dfb2bec76d38b9127abd53e37ab48c0da05fb22710362340f900f8f5e35c9ddc7cfdfa52cda25d83a7c

  • SSDEEP

    1536:vNVg8r8QOBcYhv7Kp3StjEMjmLM3ztDJWZsXy4JzxPM0:KBcYhvJJjmLM3zRJWZsXy4J9

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a69c9a69bbe789a53a77e8d56f6925c0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a69c9a69bbe789a53a77e8d56f6925c0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Users\Admin\reiofe.exe
      "C:\Users\Admin\reiofe.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\reiofe.exe
    Filesize

    53KB

    MD5

    e5970a580429a094bff00bd71efb7b7a

    SHA1

    9ce4ba98751da1124486eed04e3e17746dbc338c

    SHA256

    a574ab9c36a96b5043a903f984dbb67193fb82b40336503aa16910b41425bac5

    SHA512

    2b2097e4c8da88c2fa81ea371ca53d373f61ed0c55102b0ecc7a9e46255638c1b9534aa50a39f327ffe43753ec6f7c81f4fd1e50a8736ae243ace7830d4bb780

    Download Submit
  • memory/2344-0-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2344-15-0x0000000003720000-0x0000000003732000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2344-14-0x0000000003720000-0x0000000003732000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2592-16-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download