Overview

overview

10

Static

static

3

a849b0ee76...cs.exe

windows7-x64

10

a849b0ee76...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    24-05-2024 04:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe

  • Size

    47KB

  • MD5

    a849b0ee7661118155c23cf19dea8600

  • SHA1

    64222f398495d66e336443b35e465c0b18938565

  • SHA256

    3c95777d2fca237439e206daa00e4667840c6ddfa04ce4962dfa27a89f838ff5

  • SHA512

    14788e814df38ced3e620907b98b3ae7b0bd7bc7be70160b7d75ec19aa941acf0731ff2cff0392b408c10c7eb29a6a36b4c52c3d50f2afc2f79170bac7db44a2

  • SSDEEP

    768:jIUWEPjngBnD/nrpPlOs6tSTMHhORSkVZWRfdeYmPRI:jsAnGj9PkLST+WSkVZWHcPRI

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Drivers directory 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Sets file execution options in registry 2 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:436
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1360
        • C:\Users\Admin\AppData\Local\Temp\a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2924
          • C:\Windows\SysWOW64\rmass.exe
            "C:\Windows\SysWOW64\rmass.exe"
            3⤵
            • Windows security bypass
            • Drops file in Drivers directory
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2972
            • C:\Windows\SysWOW64\rmass.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2020

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      3
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Privilege Escalation

      Boot or Logon Autostart Execution

      3
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Defense Evasion

      Impair Defenses

      2
      T1562

      Disable or Modify Tools

      2
      T1562.001

      Modify Registry

      5
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\RECOVER32.DLL
        Filesize

        5KB

        MD5

        2b2c28a7a01f9584fe220ef84003427f

        SHA1

        5fc023df0b5064045eb8de7f2dbe26f07f6fec70

        SHA256

        9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb

        SHA512

        39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

        Download Submit
      • C:\Windows\SysWOW64\ahuy.exe
        Filesize

        47KB

        MD5

        3eb5320d4a2567d8039565eaab8770ae

        SHA1

        74484f408b5ca4368c335597cf86ac6e75a5ba0a

        SHA256

        8e52cbddd282414fc0ce81ed8213f8489c4e2fe3147430bb068b1f0ab13aa509

        SHA512

        f13bf421352b8a24412cc4b75cb37c19476ade3bfaed4c0e12e186cf6653396d29c513e5a199f46b9d9f75da8a774a85e27725fb851027f106d69556f9557d9c

        Download Submit
      • C:\Windows\SysWOW64\ntdbg.exe
        Filesize

        48KB

        MD5

        6f1396b479d01ecd71034bcdaea9624e

        SHA1

        b859bf1cce7983e9e34d951f0d10cf3e29a391e3

        SHA256

        570156bd648e312a7a41ed62f2fe5960618f1160aeefe328971fd06bb286d3fd

        SHA512

        16e2ec7657e466abe935e1637d88352fa90835aefc3c321429a4405f60d0754cfba3258102da4303ffc1987a5bfdabe95a645571bc0f3d8cd0e79a5ca34aee86

        Download Submit
      • C:\Windows\System32\drivers\etc\hosts
        Filesize

        1KB

        MD5

        b10b13206b0f2cf3968050072f6979bf

        SHA1

        699db21ba9cecf3f13ac3d76e22cfa41aa94da80

        SHA256

        0eef3217095cb97b695c434e74d6314bf9e869a013d6e9c88e58c34576a276b4

        SHA512

        d33bfd931be6676539507a69101d99fa4c5ef36b12422bd11f063b9b6a47b7444f6c4ad5f35e044714fdb872e96cd9fddf049e8329af1219483887f6ac5f4a5d

        Download Submit
      • \Windows\SysWOW64\rmass.exe
        Filesize

        45KB

        MD5

        615b7bd47e1b1d454bba370944be333d

        SHA1

        c3c26107230676fb223d1978ace63b1a4361129d

        SHA256

        a343e6dd117443912880d38742f0f980ff7177fb3b99b118bcc751704f131cf7

        SHA512

        71ec9a1ee48777281c3f3ea7ed26d95fc048b2254f9fed644154ac11a01e0b33b0e334192b6c01a8fe4b6d453af6e9403a40bf930394c8bf590e602d13ff3a66

        Download Submit
      • memory/2020-54-0x0000000000400000-0x000000000040E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/2924-7-0x0000000000400000-0x0000000000403000-memory.dmp
        Filesize

        12KB

        Download
      • memory/2972-53-0x0000000000400000-0x000000000040E000-memory.dmp
        Filesize

        56KB

        Download