Analysis
max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted
24-05-2024 04:33
Static task
static1
Behavioral task
behavioral1
Sample
a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
Target
a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe
Size
47KB
MD5
a849b0ee7661118155c23cf19dea8600
SHA1
64222f398495d66e336443b35e465c0b18938565
SHA256
3c95777d2fca237439e206daa00e4667840c6ddfa04ce4962dfa27a89f838ff5
SHA512
14788e814df38ced3e620907b98b3ae7b0bd7bc7be70160b7d75ec19aa941acf0731ff2cff0392b408c10c7eb29a6a36b4c52c3d50f2afc2f79170bac7db44a2
SSDEEP
768:jIUWEPjngBnD/nrpPlOs6tSTMHhORSkVZWRfdeYmPRI:jsAnGj9PkLST+WSkVZWHcPRI
Malware Config
Signatures

Windows security bypass 4 IoCs
Processes: rmass.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" | rmass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" | rmass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" | rmass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" | rmass.exe
Drops file in Drivers directory 1 IoCs
Processes: rmass.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | rmass.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs
Processes: rmass.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53434647-4252-4254-5343-464742524254} | rmass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53434647-4252-4254-5343-464742524254}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | rmass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53434647-4252-4254-5343-464742524254}\IsInstalled = "1" | rmass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53434647-4252-4254-5343-464742524254}\StubPath = "C:\\Windows\\system32\\ahuy.exe" | rmass.exe

Sets file execution options in registry 2 TTPs 3 IoCs
Processes: rmass.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | rmass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" | rmass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | rmass.exe

Executes dropped EXE 2 IoCs
Processes: rmass.exe, rmass.exe
pid | process
2972 | rmass.exe
2020 | rmass.exe

Loads dropped DLL 3 IoCs
Processes: a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe, rmass.exe
pid | process
2924 | a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe
2924 | a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe
2972 | rmass.exe
Windows security modification 4 IoCs
Processes: rmass.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" | rmass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" | rmass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" | rmass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" | rmass.exe
Modifies WinLogon 2 TTPs 5 IoCs
Processes: rmass.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | rmass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | rmass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | rmass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" | rmass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | rmass.exe

Drops file in System32 directory 12 IoCs
Processes: a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe, rmass.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\rmass.exe | a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\ntdbg.exe | rmass.exe
File opened for modification | C:\Windows\SysWOW64\ahuy.exe | rmass.exe
File opened for modification | C:\Windows\SysWOW64\RECOVER32.DLL | rmass.exe
File opened for modification | C:\Windows\SysWOW64\winrnt.exe | rmass.exe
File opened for modification | C:\Windows\SysWOW64\idbg32.exe | rmass.exe
File created | C:\Windows\SysWOW64\rmass.exe | a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\ntdbg.exe | rmass.exe
File created | C:\Windows\SysWOW64\ahuy.exe | rmass.exe
File created | C:\Windows\SysWOW64\RECOVER32.DLL | rmass.exe
File opened for modification | C:\Windows\SysWOW64\aset32.exe | rmass.exe
File opened for modification | C:\Windows\SysWOW64\rmass.exe | rmass.exe

Drops file in Program Files directory 3 IoCs
Processes: rmass.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Common Files\System\winrnt.exe | rmass.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\aset32.exe | rmass.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\idbg32.exe | rmass.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: rmass.exe, rmass.exe
pid | process
2972 | rmass.exe
2972 | rmass.exe
2972 | rmass.exe
2020 | rmass.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: rmass.exe
description | pid | process
Token: SeDebugPrivilege | 2972 | rmass.exe

Suspicious use of WriteProcessMemory 10 IoCs
Processes: a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe, rmass.exe
description | pid | process | target process
PID 2924 wrote to memory of 2972 | 2924 | a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe | rmass.exe
PID 2924 wrote to memory of 2972 | 2924 | a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe | rmass.exe
PID 2924 wrote to memory of 2972 | 2924 | a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe | rmass.exe
PID 2924 wrote to memory of 2972 | 2924 | a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe | rmass.exe
PID 2972 wrote to memory of 436 | 2972 | rmass.exe | winlogon.exe
PID 2972 wrote to memory of 1360 | 2972 | rmass.exe | Explorer.EXE
PID 2972 wrote to memory of 2020 | 2972 | rmass.exe | rmass.exe
PID 2972 wrote to memory of 2020 | 2972 | rmass.exe | rmass.exe
PID 2972 wrote to memory of 2020 | 2972 | rmass.exe | rmass.exe
PID 2972 wrote to memory of 2020 | 2972 | rmass.exe | rmass.exe
Processes
- C:\Windows\system32\winlogon.exe (PID 436)
  command line: winlogon.exe
- C:\Windows\Explorer.EXE (PID 1360)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe (PID 2924)
    command line: "C:\Users\Admin\AppData\Local\Temp\a849b0ee7661118155c23cf19dea8600_NeikiAnalytics.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rmass.exe (PID 2972)
      command line: "C:\Windows\SysWOW64\rmass.exe"
      - Windows security bypass
      - Drops file in Drivers directory
      - Modifies Installed Components in the registry
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rmass.exe (PID 2020)
        command line: --k33p
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Windows\SysWOW64\RECOVER32.DLL
Filesize
5KB
MD5
2b2c28a7a01f9584fe220ef84003427f
SHA1
5fc023df0b5064045eb8de7f2dbe26f07f6fec70
SHA256
9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb
SHA512
39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

C:\Windows\SysWOW64\ahuy.exe
Filesize
47KB
MD5
3eb5320d4a2567d8039565eaab8770ae
SHA1
74484f408b5ca4368c335597cf86ac6e75a5ba0a
SHA256
8e52cbddd282414fc0ce81ed8213f8489c4e2fe3147430bb068b1f0ab13aa509
SHA512
f13bf421352b8a24412cc4b75cb37c19476ade3bfaed4c0e12e186cf6653396d29c513e5a199f46b9d9f75da8a774a85e27725fb851027f106d69556f9557d9c

C:\Windows\SysWOW64\ntdbg.exe
Filesize
48KB
MD5
6f1396b479d01ecd71034bcdaea9624e
SHA1
b859bf1cce7983e9e34d951f0d10cf3e29a391e3
SHA256
570156bd648e312a7a41ed62f2fe5960618f1160aeefe328971fd06bb286d3fd
SHA512
16e2ec7657e466abe935e1637d88352fa90835aefc3c321429a4405f60d0754cfba3258102da4303ffc1987a5bfdabe95a645571bc0f3d8cd0e79a5ca34aee86

C:\Windows\System32\drivers\etc\hosts
Filesize
1KB
MD5
b10b13206b0f2cf3968050072f6979bf
SHA1
699db21ba9cecf3f13ac3d76e22cfa41aa94da80
SHA256
0eef3217095cb97b695c434e74d6314bf9e869a013d6e9c88e58c34576a276b4
SHA512
d33bfd931be6676539507a69101d99fa4c5ef36b12422bd11f063b9b6a47b7444f6c4ad5f35e044714fdb872e96cd9fddf049e8329af1219483887f6ac5f4a5d

\Windows\SysWOW64\rmass.exe
Filesize
45KB
MD5
615b7bd47e1b1d454bba370944be333d
SHA1
c3c26107230676fb223d1978ace63b1a4361129d
SHA256
a343e6dd117443912880d38742f0f980ff7177fb3b99b118bcc751704f131cf7
SHA512
71ec9a1ee48777281c3f3ea7ed26d95fc048b2254f9fed644154ac11a01e0b33b0e334192b6c01a8fe4b6d453af6e9403a40bf930394c8bf590e602d13ff3a66

memory/2020-54-0x0000000000400000-0x000000000040E000-memory.dmp
Filesize
56KB

memory/2924-7-0x0000000000400000-0x0000000000403000-memory.dmp
Filesize
12KB

memory/2972-53-0x0000000000400000-0x000000000040E000-memory.dmp
Filesize
56KB
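What a responder wants from a report like this is a way to confirm or rule out the same infection on a live host. The PowerShell below is an added example written for this page, not part of the sandbox output, and folds the registry signatures (Active Setup StubPath, the IFEO Debugger on explorer.exe, the Winlogon\Notify DLLName, the four Security Center switches) together with the dropped-file SHA256 values and the hosts-file hash from the Downloads section into one check. It assumes an elevated prompt, PowerShell 4 or later for Get-FileHash, and that the host matches the sandbox (x64, so the 32-bit sample's HKLM\SOFTWARE writes landed under Wow6432Node); the non-redirected key paths are checked as well so it also works on a 32-bit install. Two points the report itself does not spell out: the registry data names system32\ahuy.exe, ntdbg.exe and RECOVER32.DLL, but the files were created in SysWOW64 because file-system redirection rewrites system32 for a 32-bit process, which is why the Downloads paths differ from the registry data; and the IFEO Debugger value means every later launch of explorer.exe starts ntdbg.exe, so that value has to go before ntdbg.exe is killed or an explorer restart brings it back. Winlogon notification packages are not loaded on Vista and later, so the Notify entry is inert on this platform but still a clean indicator.

```powershell
# Host-triage check for the indicators in this report.
# Added by the editor as an example; it is not part of the sandbox output.
# Run from an elevated PowerShell prompt on the host being examined.
# The report ran a 32-bit sample on x64, so HKLM\SOFTWARE writes landed under
# Wow6432Node; both the logged path and the non-redirected path are checked.

$Findings = New-Object System.Collections.Generic.List[string]

function Get-KeyVariants([string]$Key) {
    # Registry path as logged plus the non-redirected equivalent.
    @($Key, ($Key -replace '\\Wow6432Node', '')) | Select-Object -Unique
}

# 1. Persistence values the report shows rmass.exe setting.
$RegistryIocs = @(
    @{ Key  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53434647-4252-4254-5343-464742524254}'
       Name = 'StubPath'; Data = 'C:\Windows\system32\ahuy.exe' }
    @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
       Name = 'Debugger'; Data = 'C:\Windows\system32\ntdbg.exe' }
    @{ Key  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}'
       Name = 'DLLName'; Data = 'C:\Windows\system32\RECOVER32.DLL' }
)
foreach ($ioc in $RegistryIocs) {
    foreach ($key in Get-KeyVariants $ioc.Key) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $actual = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).($ioc.Name)
        if ($null -eq $actual) { $Findings.Add("REGISTRY  key present, no $($ioc.Name): $key"); continue }
        $note = if ($actual -ieq $ioc.Data) { 'same data as report' } else { 'data differs from report' }
        $Findings.Add("REGISTRY  $key\$($ioc.Name) = '$actual' ($note)")
    }
}

# 2. Security Center notification switches; the report logs all four set to a non-zero value.
$ScNames = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify', 'AntiVirusOverride'
foreach ($key in Get-KeyVariants 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Security Center') {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    foreach ($n in $ScNames) {
        if ($null -ne $props.$n -and [int]$props.$n -ne 0) { $Findings.Add("SECCENTER $key\$n = $($props.$n)") }
    }
}

# 3. Files dropped or modified. Hashes are the SHA256 values from the report's
#    Downloads section; entries with $null were only seen opened for modification.
$FileIocs = [ordered]@{
    'C:\Windows\SysWOW64\rmass.exe'     = 'a343e6dd117443912880d38742f0f980ff7177fb3b99b118bcc751704f131cf7'
    'C:\Windows\SysWOW64\ahuy.exe'      = '8e52cbddd282414fc0ce81ed8213f8489c4e2fe3147430bb068b1f0ab13aa509'
    'C:\Windows\SysWOW64\ntdbg.exe'     = '570156bd648e312a7a41ed62f2fe5960618f1160aeefe328971fd06bb286d3fd'
    'C:\Windows\SysWOW64\RECOVER32.DLL' = '9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb'
    'C:\Windows\SysWOW64\winrnt.exe'    = $null
    'C:\Windows\SysWOW64\aset32.exe'    = $null
    'C:\Windows\SysWOW64\idbg32.exe'    = $null
    'C:\Program Files (x86)\Common Files\System\winrnt.exe' = $null
    'C:\Program Files (x86)\Common Files\System\aset32.exe' = $null
    'C:\Program Files (x86)\Common Files\System\idbg32.exe' = $null
}
foreach ($path in $FileIocs.Keys) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
    $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $note = if ($FileIocs[$path] -and $sha256 -ieq $FileIocs[$path]) { 'hash matches report' } else { 'present; hash not in report' }
    $Findings.Add("FILE      $path sha256=$sha256 ($note)")
}

# 4. hosts file: rmass.exe opened it for modification; the report's copy is 1KB with this SHA256.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path -LiteralPath $hostsPath) {
    $hostsHash = (Get-FileHash -LiteralPath $hostsPath -Algorithm SHA256).Hash
    if ($hostsHash -ieq '0eef3217095cb97b695c434e74d6314bf9e869a013d6e9c88e58c34576a276b4') {
        $Findings.Add("HOSTS     $hostsPath has the same SHA256 as the report's copy")
    }
    # A stock hosts file on Vista and later is comments only; any active mapping deserves a look.
    $active = Get-Content -LiteralPath $hostsPath | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
    if ($active) { $Findings.Add("HOSTS     active entries: " + ($active -join ' | ')) }
}

if ($Findings.Count -eq 0) { 'No indicators from this report were found.' } else { $Findings }
```

A hash mismatch on a present file is still a finding: the report shows ahuy.exe at 47KB and rmass.exe at 45KB with different hashes from the 47KB sample, so a rebuilt or updated dropper would land at the same paths with new hashes. Presence at the path is the durable indicator; the hashes only confirm it is this exact build.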