Overview

overview

10

Static

static

3

1b2e6863d5...cs.exe

windows7-x64

10

1b2e6863d5...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    27/05/2024, 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b2e6863d541a4c2a37e06818c529d40_NeikiAnalytics.exe

  • Size

    97KB

  • MD5

    1b2e6863d541a4c2a37e06818c529d40

  • SHA1

    2800b6a11e190be6e5cb7822f58470ffc19d75d5

  • SHA256

    8e4605ce9403ff902ebd6c92a15f2f15be46967c43217b4ee3c9021d826da3d3

  • SHA512

    1534d59c08e4ee51337fab8c301d32d96dc82dd1e26513cba95446164cda4d3e158ce2df2b1200713040f5987cd48f88915fb73163bca540ae23a1018982b8e8

  • SSDEEP

    1536:4a3+ddygX7y9v7Z+NoykJHBOAFRfBjG3YdoIe:J8dfX7y9DZ+N7eB+tIe

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 21 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b2e6863d541a4c2a37e06818c529d40_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1b2e6863d541a4c2a37e06818c529d40_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2756
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2572
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1636
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2536
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1236
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:856
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2768
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2560
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1548
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1744
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1b2e6863d541a4c2a37e06818c529d40_NeikiAnalytics.doc"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2256

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recycled\SVCHOST.EXE
      Filesize

      97KB

      MD5

      16b597b0778d21f76e06ba6449b74564

      SHA1

      1870d448ab0d8c3d11962730cf10a069f7211f41

      SHA256

      ac60e7194d7434f636ba24259698b25e85f8e10e8dc935315a726737f11d0e08

      SHA512

      e511c627a2ecf4d5744f037d27f4e3a6bd08a79b3d41537563c8e843e5bb1b2e4e8f687d2815acfb42f900221c32965808d1ec866c0db128f5868d54f77e47c5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
      Filesize

      2KB

      MD5

      1a1dce35d60d2c70ca8894954fd5d384

      SHA1

      58547dd65d506c892290755010d0232da34ee000

      SHA256

      2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

      SHA512

      4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      97KB

      MD5

      a16eb27a463442229f6e3a277601fbb0

      SHA1

      f97eef36ed30d27f92b5d6901eae41dd907f27e7

      SHA256

      eb3c272ca1c811805103892b79dde53c2faeffc30db409451c30dc356694a340

      SHA512

      07b38ad4b125951f6428b3db2d76e374c393169a91f730cea83e775976f5c520c221255550a3897bf91501080f8275a3c065cb0f2211f929a46cb754c7f21dd5

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      97KB

      MD5

      007c2ccf60250b9a96edc73e0e733e98

      SHA1

      a1d2a0af2d564b810359a2761a4d719a32fb4c8d

      SHA256

      cdfa194b376a0ffaccf8a5ccca23e55caae7f25a8d34628144f06729ec3fe5b4

      SHA512

      0e3c53a6cf68b7233de2c707da226975921324ed9123ffdb66807c771848f3bcfc703a8f77c748c7b240e9a0740bce5f83d4c709ce1e94f4c616b7453553f653

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      97KB

      MD5

      4e5f86c2f1b5c7833a0afd0864fdaeba

      SHA1

      06a81a5860bfaf470ff08af7023ecbdf00a59a6d

      SHA256

      da04f4e82658fb813662a0cbe6ae94db9f99ee990e51863bfd3e1b179ca7ad59

      SHA512

      d5c81abf1492eeae41eb26d47bd33a19f5e8d96a7ba3e9746997ce4020dc4e6af9afd81af57c4911f8742276c5b2c0554a31b3dcc57fe8f2a0bbd4c12ccddf74

      Download Submit

    • C:\begolu.txt
      Filesize

      2B

      MD5

      2b9d4fa85c8e82132bde46b143040142

      SHA1

      a02431cf7c501a5b368c91e41283419d8fa9fb03

      SHA256

      4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

      SHA512

      c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

      Download Submit

    • C:\recycled\SPOOLSV.EXE
      Filesize

      97KB

      MD5

      c95ca607d83c12c22e8e74ff14c333fe

      SHA1

      da6ab6ba41b7a5e4c64a5e782937155613d4de21

      SHA256

      868e51e163dccc32c9e4cbb10d2bec392aebad37fedea3a7a28901c86b4536fb

      SHA512

      ba9f692ee3f26c96c02ea7afe586fe3c1ffb7a1b9dbf347b65b10768f085cd5823875298de82f2cad6c6f610211c87c9589691e7c58e8793a6fbfd6899dae236

      Download Submit

    • F:\Recycled\SVCHOST.EXE
      Filesize

      97KB

      MD5

      a966113c038433c8761575049c648783

      SHA1

      77b5dd803ede055d98a95348ac7a287caae07d19

      SHA256

      c28ef1ea0cc47ce20aae505ea5a33171a4130f369b4db089233c478a8a04af91

      SHA512

      b9f69168d4fd65056e69b9570c836131319fc82f09304832da9d9fce79ccc03208c5c3967ff0a7e38a68812fb0c9dd54444225f8ce5cc91de20e8a94bb15aa9f

      Download Submit

    • memory/620-117-0x0000000002480000-0x00000000024A1000-memory.dmp

      Filesize

      132KB

      Download

    • memory/620-116-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/620-1-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/620-114-0x00000000048C0000-0x00000000048D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/620-23-0x0000000002480000-0x00000000024A1000-memory.dmp

      Filesize

      132KB

      Download

    • memory/620-24-0x0000000002480000-0x00000000024A1000-memory.dmp

      Filesize

      132KB

      Download

    • memory/856-90-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1236-84-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1236-78-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1548-110-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1596-118-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1636-64-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1744-113-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2536-72-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2536-87-0x00000000004F0000-0x0000000000511000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2536-88-0x00000000004F0000-0x0000000000511000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2560-100-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2560-101-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2564-43-0x00000000005C0000-0x00000000005E1000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2564-37-0x00000000005C0000-0x00000000005E1000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2564-25-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2564-149-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2572-57-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2740-65-0x00000000003D0000-0x00000000003F1000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2740-53-0x00000000003D0000-0x00000000003F1000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2756-38-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2756-39-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2768-94-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download