Analysis

  • max time kernel: 150s
  • max time network: 142s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 27/05/2024, 19:06

General

  • Target: 0f0cbb820e78029d86b8646df081f840_NeikiAnalytics.exe
  • Size: 2.1MB
  • MD5: 0f0cbb820e78029d86b8646df081f840
  • SHA1: deed7be3d6216dfb55e76cbed70755ac07ecbe32
  • SHA256: d1ff936ea7f9fb510c9fb5cbde514b1290f956c0913b604367c6a92427f2e137
  • SHA512: 22e5447c135789172127129911c7fd3b305955d679bb22dca70cfca26b4811aa6afde9c00b15120254094f404fe12b32db4d93baf21675e67e3d2eb22052d18b
  • SSDEEP: 49152:+8Y/4O8b8ITDnlaTeEXGF+6z8zmqtqCK3RTeyay+hviOZ8afQf2PynO:L2rw+6zEmqtqCKkT6OWO

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Checks processor information in registry 2 TTPs 15 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f0cbb820e78029d86b8646df081f840_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0f0cbb820e78029d86b8646df081f840_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1852
    • \??\c:\program files (x86)\common files\microsoft shared\vba\vba7\vbe7visual.exe
      "c:\program files (x86)\common files\microsoft shared\vba\vba7\vbe7visual.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1068
    • \??\c:\program files (x86)\common files\system\microsoftsystem.exe
      "c:\program files (x86)\common files\system\microsoftsystem.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2924
    • \??\c:\program files (x86)\common files\microsoft shared\help\technologymsitss.exe
      "c:\program files (x86)\common files\microsoft shared\help\technologymsitss.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:568
    • \??\c:\program files (x86)\common files\microsoft shared\help\1042\microsoftrhxdsui.exe
      "c:\program files (x86)\common files\microsoft shared\help\1042\microsoftrhxdsui.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2672

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\Common Files\microsoft shared\Help\TechnologyMSITSS.exe
          Filesize: 2.3MB
          MD5: a94a5913554e49da13cb33e891416dcf
          SHA1: 0b59dc05c165b728c6da54f5a7f9cd5141192d79
          SHA256: 31bc090dc557e5c6d31ecaa459511c898291f8cc60b1d6507baaee673f8f7057
          SHA512: e11655816bd307fa433e9e357938c870e6e6fde74599a48a4298766f0c883fdbed15d3f995b7c55f033bbaf02a5a2db0563f6f089abdc916d13522d33a664846

        • C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNotePrintDriverFilterSendToOneNoteUI14.0.4763.1000.exe
          Filesize: 2.1MB
          MD5: 0f0cbb820e78029d86b8646df081f840
          SHA1: deed7be3d6216dfb55e76cbed70755ac07ecbe32
          SHA256: d1ff936ea7f9fb510c9fb5cbde514b1290f956c0913b604367c6a92427f2e137
          SHA512: 22e5447c135789172127129911c7fd3b305955d679bb22dca70cfca26b4811aa6afde9c00b15120254094f404fe12b32db4d93baf21675e67e3d2eb22052d18b