Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/05/2024, 19:10

General

  • Target
    0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.exe
  • Size
    1.9MB
  • MD5
    0f6bf27f59e1d9644b197a4958b84840
  • SHA1
    465c7327357028ef070f7706a370af247db8a788
  • SHA256
    2c19fce1d2f4251e8d1371b526ef96938ef99a51742b5d2ebb5125428b16b804
  • SHA512
    bb95bbd9ae104fc8196483ba8c2809113ee276125faef17360b00da312c7017ab73079f4680c9e3a2ccc9db4e2c966ee1fca92449b1ebb01382a721143d9289a
  • SSDEEP
    24576:G0c5Uj7xttpUz6RLVEuLl4zQsquuP6Kc/4E7CFXNIfu4jPNMRgpLT4kWN3WK4si3:fcoltOc8Z6PjE5fu+NfxpWtWK1e

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Local\Temp\is-Q9SNH.tmp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-Q9SNH.tmp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.tmp" /SL5="$4010A,1106218,862720,C:\Users\Admin\AppData\Local\Temp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill" https://setstat.ru/api/savePostback?chid=%s&guid=%s&type=vkdjbin.exe
        3⤵
        • Kills process with taskkill
        PID:2584
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN impressive-clever /SC ONLOGON /TR "C:\ProgramData\dormitory-extent\bin.exe /H" /F /DELAY 0001:00 /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2432
      • C:\Users\Admin\AppData\Local\Temp\is-BQOC3.tmp\7za.exe
        "C:\Users\Admin\AppData\Local\Temp\is-BQOC3.tmp\7za.exe" e "C:\Users\Admin\AppData\Local\Temp\is-BQOC3.tmp\5.14.zip" -pvkd -y -oC:\ProgramData\dormitory-extent
        3⤵
        • Executes dropped EXE
        PID:2292

Network


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\is-BQOC3.tmp\5.14.zip
          Filesize
          5.9MB
          MD5
          9910448ffeec9cc75efb5d13ea748eb4
          SHA1
          2a3725c95ea04dc64e168e5e2e4ca60ce8f43764
          SHA256
          405c1c78198ad42ca2be86b7ee973ec883f7c3a4a444896439631dbf67fc6210
          SHA512
          dee942daa8d3403ee9168d8914d2f2c93b3d3b011b442cf1d2d34ee73ed40927df660780aaa5fb68ce6c4708eb147d1992b922e65f00cae3f3b70eb6818c93fb

        • C:\Users\Admin\AppData\Local\Temp\is-BQOC3.tmp\5.14.zip
          Filesize
          319KB
          MD5
          9e4b72b280b584979b48e05c963815ab
          SHA1
          1ae1d6f6b0a192e8f82fdde9086ef1641cd27875
          SHA256
          8e842f4e4b7240ac9fef5c5e9ffd54cdf4eed97a017dd898551c868e97bc05f4
          SHA512
          cebb9c5d1b91c4f79bb64a69aa9db884da31093a79fbe8e4e84009d672b78cf2172147d3dbb44dd50c18b09bb837a8a41b795965d2f7cb0509627f0603716b4d

        • C:\Users\Admin\AppData\Local\Temp\is-BQOC3.tmp\downloader.exe
          Filesize
          319KB
          MD5
          8f63ed519188210cca67bb69ceeda37f
          SHA1
          d03cca0567501dcc070eb6b3ca4d34c01922b68d
          SHA256
          040c4750873a6cb7d8825eff4639171dd1fd728a32d7f50aa5613a7bf4887c60
          SHA512
          a1b9752efac9b9cdb6cd91164d6c1d6ef440eb8c176fbfafd39292a280ede774faa8d35c7be46df2e888d80b87ec10af30a0c915a67c8523d0fad48e314a74f7

        • \ProgramData\dormitory-extent\unins000.exe
          Filesize
          3.2MB
          MD5
          51d762b2e0e1491ade4af202ebbd5dad
          SHA1
          e16a5477e594b7baf85fe66f9c6f2260f6449781
          SHA256
          1f375a1423d8b62c45964c4657aa2f1972539e6cd2b6459d445edd8bc2ad212a
          SHA512
          1708b23f0ea1629a9aa7107430ad2587d2bb700d53cb5c1d581e9d8d466e4eacab60d73edacaac2fde07f593d2c0c99463cab3272e06a21248d6601a9338332b

        • \Users\Admin\AppData\Local\Temp\is-BQOC3.tmp\7za.exe
          Filesize
          574KB
          MD5
          42badc1d2f03a8b1e4875740d3d49336
          SHA1
          cee178da1fb05f99af7a3547093122893bd1eb46
          SHA256
          c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
          SHA512
          6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

        • \Users\Admin\AppData\Local\Temp\is-Q9SNH.tmp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.tmp
          Filesize
          3.1MB
          MD5
          533d56b88cefdb286a63f159b10f6abd
          SHA1
          fd1868d9edae70d66aedd51d6a8d1cb533396517
          SHA256
          cd019578773ab276df704fb4246453c8474b245b2564dcf9c538bf53e9ca3f8d
          SHA512
          b59e02c201a070fea1619dbd4094ea3c8076ffb1872899f6547c1168b702c4db9275709efb538f53732cafbaa33a7da8e72ded5d81913bf9d48181ea728ef712

        • memory/2160-9-0x0000000000400000-0x0000000000730000-memory.dmp
          Filesize
          3.2MB

        • memory/2160-76-0x0000000000400000-0x0000000000730000-memory.dmp
          Filesize
          3.2MB

        • memory/2160-176-0x0000000000400000-0x0000000000730000-memory.dmp
          Filesize
          3.2MB

        • memory/2204-2-0x0000000000401000-0x00000000004BE000-memory.dmp
          Filesize
          756KB

        • memory/2204-0-0x0000000000400000-0x00000000004E0000-memory.dmp
          Filesize
          896KB

        • memory/2204-75-0x0000000000400000-0x00000000004E0000-memory.dmp
          Filesize
          896KB