Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
24-05-2024 04:44
General
-
Target
aa6076b34582bd11f9f84efab880a170_NeikiAnalytics.exe
-
Size
91KB
-
MD5
aa6076b34582bd11f9f84efab880a170
-
SHA1
f8a16fb3e2f32a31ea32f4bea6da7ac73d7c3e0b
-
SHA256
274f068a89ef5aa0f654c4086c058f758d9f4607bc5e59dfc44e0fab8701dca5
-
SHA512
25a2773ccf0acc84a752e43c1aa6f86d44fc54edfd4c457771365a6b9207c51b9ba39946bc61dfe1c9418f3c0e18a314cba671f9700d54d47a1136b64666051f
-
SSDEEP
768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3ImuS3gRYjXbUeHORIC4Zk:uT3OA3+KQsxfS4nT3OA3+KQsxfS45W
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 12 IoCs
-
Modifies system executable filetype association 2 TTPs 13 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Drops file in System32 directory 6 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 4 IoCs
-
Modifies registry class 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa6076b34582bd11f9f84efab880a170_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\aa6076b34582bd11f9f84efab880a170_NeikiAnalytics.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\xk.exeC:\Windows\xk.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\winlogon.exeFilesize
91KB
MD5aa6076b34582bd11f9f84efab880a170
SHA1f8a16fb3e2f32a31ea32f4bea6da7ac73d7c3e0b
SHA256274f068a89ef5aa0f654c4086c058f758d9f4607bc5e59dfc44e0fab8701dca5
SHA51225a2773ccf0acc84a752e43c1aa6f86d44fc54edfd4c457771365a6b9207c51b9ba39946bc61dfe1c9418f3c0e18a314cba671f9700d54d47a1136b64666051f
-
C:\Windows\xk.exeFilesize
91KB
MD56edf30fbfb8926219ad04013310d3e3f
SHA162e88d64e73d5b6ba4047be6d6ab46f43fbb3b35
SHA256e9b3c10e918bd9f8dd01e4d0ae370f7b3907497fdc170b5bd4cec9971670a77d
SHA512e0c7c55366a7e9e8a5a9ae2c8d4bc1d92d6574302fa39f3a7cda754a5af805b5554ab60678bbc51b24fa627838e89ba7f97fd28dd18775ac55a09003cbb0a2e0
-
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXEFilesize
91KB
MD507ed4b7b9786152658538e738d71fa00
SHA193ee48809ab56c84f5421ecd7f39464edcc53c81
SHA256bb97faf421d592751402f7ab37c17965485e64e970ad6ef07d5b807af8f8e641
SHA5123d38c3e27f2de2b5e06c55ad6b9ca60727e1db5510f729345c810687a7a137275582ef670963cc7cda1c25f36a12c9135d1ab547bfd1c526f90f027a74491a58
-
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXEFilesize
91KB
MD5ff264e91f1019ca017ee4880d569f56d
SHA17533c3dad01ab38aead744b35db257d547b9c5d6
SHA2561d0da1ec7c34201b010c185d2edc1c894a413c09471119962d270a86a905d7f5
SHA51223bc3c057a102e88c1a9030efc3a542f589bc4d8f11695df06dccbfb8ac2294e9b3dca7435d6c0f1d037f7a355d2cac185e4f3ee48b111f8b05abfa43b3fb8f2
-
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXEFilesize
91KB
MD5c72aec914a55db3041dfaf6583d2195c
SHA1a14d72027f3075d675ac9991870e7591417d5221
SHA25676d2c8b0bd95c006e770c9d78db1b3629ab9ec5466459dd620f30fc7e5f8df98
SHA5121c2e1b8a70a3ab2880e424b1825a1fc15f9b18b92f8397225bc7483610615e16854338206eb35fce556a1876673f93ee35dbd4035a4f0edd6d355d9f1d7ef547
-
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXEFilesize
91KB
MD558d0acb2efa659c24e924bb008897a0f
SHA1028cb4160aa66e8abb2b753c40569fe1f356c79e
SHA256c786c3ee076ae5b579c2e9ea9e9dea07c9ebd9e1176a12f997d8612d95c33217
SHA5123de4bf8f95b70d1c18e5b61158c28076c137c83d700da008ca5476467af35cd3d6acb93fefc8183b51ea07a26d8018294b9c27fe3ebbe7d3aa97c74826ccb231
-
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXEFilesize
91KB
MD5e421a8c2c99684144e69d3631bd8b85e
SHA10571a53229663e6e9e776c2e9955476e2d636b49
SHA256b09e08a89019d85e45ed0c5b9d30823da6dcfdc56c007871f4deda2f17cc122e
SHA5128a6828d77310622c85cd296bf40160a4215e9134079812892a8d39c0c3379154f058589da31878bbee3002281317a9f3b5b4c020c03963e81940b10c321caf7a
-
\Windows\SysWOW64\IExplorer.exeFilesize
91KB
MD5295573551d1a10a7c30ac3db8ee7ee3b
SHA137d2cdb8abe9329d2fd1c348061e5643a0d8f76b
SHA256d862be9400aeb4a74fa15eae582606e44f92e4cbaaf7422c2f2362a86fc6f938
SHA512d686533718b5fa9f0c0ec535eab83529f861897c2719b5be9d500fdc13106612bd87b6e9cdcf75f887189b86c39d061659c96583b0ea78089fab8c24e0438352
-
memory/1516-189-0x0000000072940000-0x0000000072A93000-memory.dmpFilesize
1.3MB
-
memory/1516-193-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1516-197-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1540-165-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1540-162-0x0000000072940000-0x0000000072A93000-memory.dmpFilesize
1.3MB
-
memory/1540-167-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1704-204-0x0000000072940000-0x0000000072A93000-memory.dmpFilesize
1.3MB
-
memory/1704-210-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1756-152-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1756-146-0x0000000072940000-0x0000000072A93000-memory.dmpFilesize
1.3MB
-
memory/1756-151-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2180-114-0x00000000026C0000-0x00000000026EC000-memory.dmpFilesize
176KB
-
memory/2180-113-0x00000000026C0000-0x00000000026EC000-memory.dmpFilesize
176KB
-
memory/2180-209-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2180-150-0x00000000026C0000-0x00000000026EC000-memory.dmpFilesize
176KB
-
memory/2180-203-0x00000000026C0000-0x00000000026EC000-memory.dmpFilesize
176KB
-
memory/2180-0-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2180-145-0x0000000000401000-0x0000000000427000-memory.dmpFilesize
152KB
-
memory/2180-161-0x00000000026C0000-0x00000000026EC000-memory.dmpFilesize
176KB
-
memory/2180-211-0x0000000000401000-0x0000000000427000-memory.dmpFilesize
152KB
-
memory/2180-4-0x0000000000401000-0x0000000000427000-memory.dmpFilesize
152KB
-
memory/2180-2-0x0000000072940000-0x0000000072A93000-memory.dmpFilesize
1.3MB
-
memory/2180-3-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2180-1-0x0000000000020000-0x0000000000024000-memory.dmpFilesize
16KB
-
memory/2796-180-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2796-176-0x0000000072940000-0x0000000072A93000-memory.dmpFilesize
1.3MB
-
memory/2796-175-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2880-123-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2880-122-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2880-118-0x0000000072940000-0x0000000072A93000-memory.dmpFilesize
1.3MB
-
memory/2880-117-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2880-116-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2996-137-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2996-136-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2996-132-0x0000000072940000-0x0000000072A93000-memory.dmpFilesize
1.3MB
-
memory/2996-131-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB