Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/05/2024, 22:25

General

  • Target

    2a475f8958f2f7239411bfa116c2ab30_NeikiAnalytics.exe

  • Size

    135KB

  • MD5

    2a475f8958f2f7239411bfa116c2ab30

  • SHA1

    5b8630d34cbd02e4c0a087582884bbbe53e54f75

  • SHA256

    58c93c5f18b71c84c4de32d19c42a40490183ae9447764894fb5597487795d44

  • SHA512

    3b4b2fa34c0d8ef473dea49a6042fa42c97d4fbaa0e15f405014babc46ccc13c22940ffff2e713293640c694dff8b56be087779ceacd5e7f4a684dc031ef56a7

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVXW8O8O8O8O8O8O3:UVqoCl/YgjxEufVU0TbTyDDalRW

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a475f8958f2f7239411bfa116c2ab30_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\2a475f8958f2f7239411bfa116c2ab30_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1448
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1892
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3700
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4216
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:5084

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\Resources\Themes\explorer.exe

          Filesize

          135KB

          MD5

          3fd6380fa5a2cc5f8410b2bad9bebb17

          SHA1

          dfc0f6b338005133f9596ebf0cf9d79b9281c8f0

          SHA256

          a980216fcd2c8ab471f3c95e887c3c83f371bad2c2c1954443405d6bcad12fc0

          SHA512

          77762cde5472731322c108629d1ae4bd1b53b647c1eb20b9b8da18be8cb90620d84f8281a900ff2ae31dc9893df7779e273cb2b3db0c4a20cd1a08e7dc97b619

        • C:\Windows\Resources\spoolsv.exe

          Filesize

          135KB

          MD5

          7f189b51c1af53dcfe3fd487db54bf54

          SHA1

          7b713609b989ddf740e38477365448396b68b1a7

          SHA256

          4d2bff28c6e6f6aca0d86eb61c4bffa1745dbd62738c4cadc5d0f05e19889ee4

          SHA512

          ac1199a38f366f4cd1dca2fc410372889a28779cd5e0bc856afcfb42f29888f3a4933ba6524de43c0674adf3f7d34936859d592ef51de71a21f14b09394e9e0d

        • C:\Windows\Resources\svchost.exe

          Filesize

          135KB

          MD5

          a646086f283199b31739416713031f8b

          SHA1

          737674815997880a29ad8f0371a2a48a77ba3569

          SHA256

          03ba4b476b58830e4c991e9b53853711b03218fcb88676ee6dc0ef1a3e33249f

          SHA512

          aae3111926d2a6eb141d65e15192cd8f6ea0222a3fc686a8f776218fde2b55992885508e0fcf9c85f8646d38bebda33aaa248043c35476e43df7614fe870e5dd

        • memory/1448-0-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1448-35-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1892-9-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/3700-34-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/5084-33-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB