Overview

overview

10

Static

static

3

01ba3daae3...cs.exe

windows7-x64

10

01ba3daae3...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/05/2024, 17:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01ba3daae3d2895e24dfd3e44462b870_NeikiAnalytics.exe

  • Size

    503KB

  • MD5

    01ba3daae3d2895e24dfd3e44462b870

  • SHA1

    eab2e468b50c062a798bd292abd5cbc2c700603a

  • SHA256

    ba0c27fa5e22f3819a4430f2e7e300c6c83524b5f65dedbe1638a0c2d2deba78

  • SHA512

    8fd49d7780fbc82db4beb6ddfc8d54ffd613c11f6db8ec95995e21baa3ad166e32806a4c16acbd09ed36056ca9303160637b3aaa6e0fcaffdaec8dc9cca71940

  • SSDEEP

    12288:3ENN+T5xYrllrU7QY6yRYiioQzhGTRKhWcFc9k:N5xolYQY6CYjJzhgKhWcFc9k

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01ba3daae3d2895e24dfd3e44462b870_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\01ba3daae3d2895e24dfd3e44462b870_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2508
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3560
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3056
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4780
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4660
          • C:\Windows\SysWOW64\at.exe
            at 17:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2060
            • C:\Windows\SysWOW64\at.exe
              at 17:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:3156
              • C:\Windows\SysWOW64\at.exe
                at 17:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1016

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          503KB

          MD5

          a7a9329bc8eaae52061198b5b8f2e834

          SHA1

          3d2e1cefcca16690857df0ff342795ecd5236926

          SHA256

          83309e5fe6e9ac7158569e7f10a0555f19c96a30bb85e6e9b46943835e2ccad8

          SHA512

          ad267e9a35ad3ca2bbdc4c5b8f879477e53aadb36962ef1c4c39a2b59ab83c659b2fadaba7599bbb9a1e46d5cc4804f802e62693364dc9a9481e1eb632828b53

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          503KB

          MD5

          7c6df7b09b335d54aae7685be057f60e

          SHA1

          1a3e8da2869b6ed6127e368c7ef4bba6799fff77

          SHA256

          34ce8ccbe88cb525218ddc5097890ea8f3230e3c300b921ec7579c6d479ff110

          SHA512

          3c1ad43d6cae64ac32e201efecb904338cc497ce8055f63e7046fb13b37eacbcd3da519337af1d54b261cc5e54dd80e0c5c6884dddac970def7f5fbf00a99331

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          503KB

          MD5

          069b181f4388a3e6522270b851cbe72e

          SHA1

          0b1d79f72d339723a18a4d124f5ac3f37dc135df

          SHA256

          3d8cb51ca779b5255039d36b520453097328a719ca3f417225d72f5861d9eccf

          SHA512

          4d723d21f4f37efa89583bf80c99db19ff0df365b396b3eb12bfb35b9a7d656ad0ad5be3db620e85b731a1fc470165f49ff2016f851482a413b0f72358cc8575

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          503KB

          MD5

          c2ff9967343fe6c833ab5ba178fcb4de

          SHA1

          08bcc26287b247689a23280ba1a5d5a9ed6924c3

          SHA256

          d563bd760e4dd5a6a2749028432c9d18a3eebdbe759024b2e3ecacabe8454b82

          SHA512

          968ae7338e12ae140d404cf684d03c6bb5aa6299e43df4a08e988e88c900ba3224da3586987db0c4cf989277a09f1066c6f3485e070af5d0bf222fe30faf3b87

          Download Submit

        • memory/2508-0-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

          Download

        • memory/2508-37-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

          Download

        • memory/3056-36-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

          Download

        • memory/4660-33-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

          Download

        • memory/4780-25-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

          Download