Overview

overview

10

Static

static

3

899c4174db...cs.exe

windows7-x64

10

899c4174db...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-05-2024 15:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe

  • Size

    45KB

  • MD5

    899c4174dbd82b7e72a00262a617cbc0

  • SHA1

    2cdc4d66cb5140903945c87b3b885cdeea216e3b

  • SHA256

    af815581f029893c1f65abcc8eed78f3242b9d01f75a4ad61cb2e0fc2b65f5c5

  • SHA512

    5afd5cff8938bfc0ed3d349f64e322e984a229b61a4c5bde7ab0b17142c7fb7605becac1313b19b69fa42984c6944dc59687c5925cc5fb67480c77ba6caa88ff

  • SSDEEP

    768:PmFQj8rM9whcqet8WfuzHVHFNNqDaG0XjqGoxhz/8szBnP7DFK+5nE4:FAwEmBGz1lNNqDaG0Poxhlzm4

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 14 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1572
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4892
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1308
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1972
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1224
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:960
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3020
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4928
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4896
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2512
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2332
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3348
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2972
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4548
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3632
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4624

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Event Triggered Execution

    1
    T1546

    Change Default File Association

    1
    T1546.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Event Triggered Execution

    1
    T1546

    Change Default File Association

    1
    T1546.001

    Defense Evasion

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Modify Registry

    6
    T1112

    Credential Access

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Inhibit System Recovery

    1
    T1490

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
      Filesize

      45KB

      MD5

      bdbd9684fb3d2bba104d0d0cc1b7e748

      SHA1

      338899c20f86c7680d4b7a02574730477545aa41

      SHA256

      4d115f75a0a2f7e8c202e979d25853bf2beae5edb85cdabd954481df488abac9

      SHA512

      98f58d5732fb665cc0333ce94ac9cc85e957c1897ec8c9f83782d05019bad1306c63b1c69e7aa9ddf63e76df9e234857f258db5432db09a7b39770d6b0b3797f

      Download Submit

    • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
      Filesize

      45KB

      MD5

      c436585332ea185d04f7195fc0d2df61

      SHA1

      e59edce0b830c95856d4f323c558b8b2d878b748

      SHA256

      c1d1c14a6f229a496c7fc1facc3cccc96b86437166dec1128e7a561eca581396

      SHA512

      b6a13a1980cfcfcbb1964f53778aac310a5c50c3313e8ad91022197da07ea9184a614bbe2ccb79c06e3fc9cf0ddfc2f1b077a314e8b87b9d8ec530e7335149f9

      Download Submit

    • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
      Filesize

      45KB

      MD5

      7e089ff14800986f626bf11580f9c64d

      SHA1

      dcd7dfe3d847a27eff588039e508986f0357e28c

      SHA256

      53efb5060640111e8f33773f6adca2244ec3bd560bd46306404fbe23204546f6

      SHA512

      514256472dba000ae09d97f964e0a8169a3a37812fea31181a2c54a791bc1e168db5a59a371637f9077469f800e59ba815ec34d3fff7c1ef6883456dee334a98

      Download Submit

    • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
      Filesize

      45KB

      MD5

      a13872b52d28733082980676e5150f5c

      SHA1

      449a271691194b01d3c58961f2dbed11279d1e7a

      SHA256

      01aa1d6c287a7466998ba064d3e6e8202d58df2d1c29fd10058480a4a40ccae5

      SHA512

      e2f3d2dd2c39586a5d2eeaa194ee0b291c973a8cbc867c113a443986799490661dc6bec1bbd8288239e1cacf9a27c8d036c2d98c9e3e1595df28a4a1def6d55a

      Download Submit

    • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
      Filesize

      45KB

      MD5

      c08703dd08f82566753d9802f45c6520

      SHA1

      e5308cc131db52602f12b22335c026ee31190f5a

      SHA256

      d91686299a4bab99b06c77272b7af553db46a8ed2498c372e861b2548d9b4c4e

      SHA512

      a6e5d2e881e0a2602391c95eb726d88baea8135f0e321bb2cde63c24c5e6172ce2ed5eead275da064b3794089f7bf7ddb2ba114d1dad91cd7a3329b0958531cd

      Download Submit

    • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
      Filesize

      45KB

      MD5

      017108e168a34a3b0b1ab5e038dad13f

      SHA1

      62760a3420f508d93f04f77f9f742afa7cc7df8c

      SHA256

      4a7b0ebf8bb8a3296384d9f57d099f75af44695c15eba31e328471dedca9e6b3

      SHA512

      cb955b66bf40bc469a844dc8cb3ced5a0334c9631d7c2307372e904f7b17fe3f2db14753646eef13fc30bd6c7ea4118c154fae79b2a1dd17e8f81a17735cc1be

      Download Submit

    • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
      Filesize

      45KB

      MD5

      ed94ff20a62c8509f7a5a969836bb47f

      SHA1

      d6d6beeafd3068346823d5ea32b13e7fcb2b2f1f

      SHA256

      695b38d00323e7e02294a635a9d424ae60f54d1e39067e6507719da4240d95c1

      SHA512

      b72321f82904426af61ffa8f2cae3537d9e5775460cb5ffaf9444f81a3f3c0f6788f287a478b3619fa35850b2e2f3f922f39f4185dbda6c89310bf593dcf53b7

      Download Submit

    • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
      Filesize

      45KB

      MD5

      ab97cc82828a1e0d0e35a43dbb10d087

      SHA1

      a4d27cd4bbe9c47c9fc66f23ad448d67436e6a5c

      SHA256

      9b0b98dacd789a2677aa8de581a752cfb05368f177c6bb8ee420ae9e79ecc406

      SHA512

      d9198fcc54c7611a699ab515b073e038f7cb7977745d210d52c9fe6629828469de07f3b95f1401a9f5e0967f0757f1d12644fcf4602f027640e2e7877728168f

      Download Submit

    • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
      Filesize

      45KB

      MD5

      04ba3b7ff589e72b18fd5c6a6523813e

      SHA1

      1247cb307bbbc4c2c0473d0da4ef6be45f3614df

      SHA256

      f0a94cb3ce52607432eaf0a1132476862f7622f424c1f783ee52749c1f9f9823

      SHA512

      62f2639e869d78a16cc00f841646d15537fadeeb0fbb6f638a0c3021ae46d5205e3a7a1cd1a8ef1e19a610d290a7dd9fc2713d7449a010c8ce62c072336a540e

      Download Submit

    • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
      Filesize

      45KB

      MD5

      11a545630bbd3db0751ea1241a8d7e5b

      SHA1

      e011010ef96a112468e2bf4277f45903115a300d

      SHA256

      5e82b649835eb14fad81f79ace2b345485595f9f6feb9781c0bf9a6d4c10caf9

      SHA512

      83e63b0380c2aed61f9070d5105756dbf6dba9f40de1e491909a47eefefd1a542fa1be4751feb59a822d38dc3e873aeda9c83d05e08310a91345015c898d0379

      Download Submit

    • C:\Windows\SysWOW64\IExplorer.exe
      Filesize

      45KB

      MD5

      e2c21a7f925ae0e742f6cc457e5f5e58

      SHA1

      4fd2aee70b56668a222a2564d2ee3cec6ca7d0b8

      SHA256

      833b92055c74c02273144cb301a59cb08fcf771ffbbf31f6fd6bc748b44239d0

      SHA512

      b7d71c45c9ae1ed472493598c7d2525f2c2229539fd9817d422654d89585b2c30196473719c221bafb61bc08f278c456cf15881c73fd030f011e60c1738eec05

      Download Submit

    • C:\Windows\SysWOW64\IExplorer.exe
      Filesize

      45KB

      MD5

      6f2e674ac752be66e601d6e82a50736b

      SHA1

      fff94c0785cd4034cfb782369edd914fb9afa47d

      SHA256

      fdfc57720f229a3faf53dc4c0e58eb6349652169af6c8f8d1eb95ba3127fda3e

      SHA512

      ad7f733cd71bf28e5f445c64c6f2831e6de8772aee6a4b1968adbc8f98714e3337eb837403f253dc96ebe9e19e8793649abb076b0876514fc7a856e21035d601

      Download Submit

    • C:\Windows\SysWOW64\IExplorer.exe
      Filesize

      45KB

      MD5

      899c4174dbd82b7e72a00262a617cbc0

      SHA1

      2cdc4d66cb5140903945c87b3b885cdeea216e3b

      SHA256

      af815581f029893c1f65abcc8eed78f3242b9d01f75a4ad61cb2e0fc2b65f5c5

      SHA512

      5afd5cff8938bfc0ed3d349f64e322e984a229b61a4c5bde7ab0b17142c7fb7605becac1313b19b69fa42984c6944dc59687c5925cc5fb67480c77ba6caa88ff

      Download Submit

    • C:\Windows\xk.exe
      Filesize

      45KB

      MD5

      205a326bfe26fb5417cdd38ab2b42d20

      SHA1

      bb9ebcd450a2c790d93a5270b3609c4f522811ef

      SHA256

      75e6203aad1d779bc72ec184db3ede601f2923d82f09cac860d1f4c9e8e23e1b

      SHA512

      a32822456070ae305ebc7e1f76fdaa8799aa0f51ec8f3c85b95e69cb975c405a59f48240c73bd73c2716ba4c316679cd4bd16d4e900151eccddaf88719709108

      Download Submit

    • C:\Windows\xk.exe
      Filesize

      45KB

      MD5

      0a459863b11d1292729bf3a7b898f371

      SHA1

      ec745b6ef4e0c3a3711f45c3cea9d01f8df598da

      SHA256

      8de43c93f8c6a8154d2db8d0585b3b9a4317e5715f353bf390470013309de9da

      SHA512

      e692fa6ff01eae5c54d0fc226292c05672a1165192eac8af499f1ebf6e1837eb2c9ef7904a183b0fa418a1d9645176ce2e0bbb3603d3244d1c91f52c3022b943

      Download Submit

    • C:\XK\Folder.htt
      Filesize

      640B

      MD5

      5d142e7978321fde49abd9a068b64d97

      SHA1

      70020fcf7f3d6dafb6c8cd7a55395196a487bef4

      SHA256

      fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

      SHA512

      2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

      Download Submit

    • C:\desktop.ini
      Filesize

      217B

      MD5

      c00d8433fe598abff197e690231531e0

      SHA1

      4f6b87a4327ff5343e9e87275d505b9f145a7e42

      SHA256

      52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e

      SHA512

      a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1

      Download Submit

    • memory/960-79-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1224-73-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1308-59-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1572-323-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1572-117-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1572-146-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1572-0-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1572-76-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1572-303-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1972-65-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2332-271-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2512-265-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2972-312-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3020-85-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3348-283-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3632-322-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4548-316-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4892-58-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4892-49-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4896-259-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4928-91-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download