Analysis

  • max time kernel
    141s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/05/2024, 19:10

General

  • Target

    0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.exe

  • Size

    1.9MB

  • MD5

    0f6bf27f59e1d9644b197a4958b84840

  • SHA1

    465c7327357028ef070f7706a370af247db8a788

  • SHA256

    2c19fce1d2f4251e8d1371b526ef96938ef99a51742b5d2ebb5125428b16b804

  • SHA512

    bb95bbd9ae104fc8196483ba8c2809113ee276125faef17360b00da312c7017ab73079f4680c9e3a2ccc9db4e2c966ee1fca92449b1ebb01382a721143d9289a

  • SSDEEP

    24576:G0c5Uj7xttpUz6RLVEuLl4zQsquuP6Kc/4E7CFXNIfu4jPNMRgpLT4kWN3WK4si3:fcoltOc8Z6PjE5fu+NfxpWtWK1e

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (2 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution. In this run the task impressive-clever is registered with an ONLOGON trigger, a one-minute start delay (/DELAY 0001:00), /RL HIGHEST and /F (silently replacing any existing task of that name), and launches C:\ProgramData\dormitory-extent\bin.exe /H, a binary unpacked from a password-protected archive by the 7za.exe step in the process tree. Task name, action path and the ProgramData directory are the durable host indicators.

  • Kills process with taskkill (1 IoC)

    The recorded taskkill command line carries a URL template (https://setstat.ru/api/savePostback?chid=%s&guid=%s&type=vkdjbin.exe, with the %s placeholders unfilled) rather than a /PID or /IM process selector, which taskkill does not accept; treat the setstat.ru URL as a network indicator rather than reading the call as a process kill.

  • Script User-Agent (1 IoC)

    Uses a user-agent string associated with a script host/environment.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Users\Admin\AppData\Local\Temp\is-7NLPS.tmp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-7NLPS.tmp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.tmp" /SL5="$A0054,1106218,862720,C:\Users\Admin\AppData\Local\Temp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3184
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill" https://setstat.ru/api/savePostback?chid=%s&guid=%s&type=vkdjbin.exe
        3⤵
        • Kills process with taskkill
        PID:3164
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN impressive-clever /SC ONLOGON /TR "C:\ProgramData\dormitory-extent\bin.exe /H" /F /DELAY 0001:00 /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:4488
      • C:\Users\Admin\AppData\Local\Temp\is-GG3M3.tmp\7za.exe
        "C:\Users\Admin\AppData\Local\Temp\is-GG3M3.tmp\7za.exe" e "C:\Users\Admin\AppData\Local\Temp\is-GG3M3.tmp\5.14.zip" -pvkd -y -oC:\ProgramData\dormitory-extent
        3⤵
        • Executes dropped EXE
        PID:1080
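
The schtasks.exe and 7za.exe invocations in the tree above carry the whole persistence chain: a password-protected archive is unpacked into C:\ProgramData\dormitory-extent, and a logon task is registered to run a binary from that directory with the highest available run level. The script below is an added example, not part of the sandbox report or of the sample; it parses those two recorded command lines (copied verbatim from the tree) into structured indicators and flags the properties a hunter would pivot on. The switch semantics it relies on are schtasks' documented /TN, /SC, /TR, /RL, /F and /DELAY and 7-Zip's -p, -o and -y; the "user-writable location" test on C:\ProgramData and C:\Users is the editor's own heuristic, and the same functions can be run over any other schtasks /Create or 7-Zip extract line pulled from a process log.

```python
# Added example (editorial, not from the report or the sample): derive host
# indicators from the schtasks /Create and 7za.exe command lines recorded in the
# process tree. Both command lines below are copied from the report.
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

SCHTASKS_CMD = ('"schtasks.exe" /Create /TN impressive-clever /SC ONLOGON '
                '/TR "C:\\ProgramData\\dormitory-extent\\bin.exe /H" /F '
                '/DELAY 0001:00 /RL HIGHEST')
SEVENZIP_CMD = ('"C:\\Users\\Admin\\AppData\\Local\\Temp\\is-GG3M3.tmp\\7za.exe" e '
                '"C:\\Users\\Admin\\AppData\\Local\\Temp\\is-GG3M3.tmp\\5.14.zip" '
                '-pvkd -y -oC:\\ProgramData\\dormitory-extent')

# schtasks switches that take no value (the rest take exactly one)
SCHTASKS_FLAGS = {"/F", "/IT", "/NP", "/Z", "/V1"}


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans
    together and stripping the quotes (no backslash escapes occur here)."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


@dataclass
class ScheduledTask:
    name: str
    schedule: str
    action: str
    run_level: str = "LIMITED"   # schtasks default when /RL is omitted
    force: bool = False
    delay: str | None = None     # /DELAY is mmmm:ss, so 0001:00 is one minute

    @property
    def image(self) -> str:
        """The binary the task launches: first token of the /TR action string."""
        return split_cmdline(self.action)[0]


def parse_schtasks_create(cmdline: str) -> ScheduledTask:
    toks = split_cmdline(cmdline)
    if len(toks) < 2 or toks[1].lower() != "/create":
        raise ValueError("not a schtasks /Create invocation")
    opts: dict[str, str | None] = {}
    i = 2
    while i < len(toks):
        key = toks[i].upper()
        if key in SCHTASKS_FLAGS:
            opts[key] = None
            i += 1
        else:
            opts[key] = toks[i + 1]
            i += 2
    return ScheduledTask(name=opts["/TN"], schedule=opts["/SC"].upper(),
                         action=opts["/TR"], run_level=opts.get("/RL", "LIMITED").upper(),
                         force="/F" in opts, delay=opts.get("/DELAY"))


def assess_task(task: ScheduledTask) -> list[str]:
    """Persistence-relevant properties of the task; each string is one finding."""
    findings = []
    if task.schedule == "ONLOGON":
        findings.append("logon-triggered task (survives reboot)")
    if task.run_level == "HIGHEST":
        findings.append("runs with highest available privileges (/RL HIGHEST)")
    if task.force:
        findings.append("/F overwrites an existing task of the same name without prompting")
    # Editor's heuristic: legitimate scheduled binaries rarely live under ProgramData or a profile.
    if ntpath.normcase(task.image).startswith(("c:\\programdata\\", "c:\\users\\")):
        findings.append(f"action binary in user-writable location: {task.image}")
    return findings


@dataclass
class ArchiveExtract:
    archive: str
    out_dir: str | None = None
    password: str | None = None
    assume_yes: bool = False


def parse_7za_extract(cmdline: str) -> ArchiveExtract:
    toks = split_cmdline(cmdline)
    if len(toks) < 3 or toks[1] not in ("e", "x"):   # 'e' flattens paths, 'x' keeps them
        raise ValueError("not a 7-Zip extract command")
    info = ArchiveExtract(archive=toks[2])
    for tok in toks[3:]:
        if tok.startswith("-p"):
            info.password = tok[2:]
        elif tok.startswith("-o"):
            info.out_dir = tok[2:]
        elif tok == "-y":
            info.assume_yes = True
    return info


def dropped_by_archive(task: ScheduledTask, extract: ArchiveExtract) -> bool:
    """True when the task's binary lives inside the archive's extraction directory."""
    if not extract.out_dir:
        return False
    out = ntpath.normcase(extract.out_dir.rstrip("\\")) + "\\"
    return ntpath.normcase(task.image).startswith(out)


def build_iocs(schtasks_cmd: str = SCHTASKS_CMD, sevenzip_cmd: str = SEVENZIP_CMD) -> dict:
    task = parse_schtasks_create(schtasks_cmd)
    extract = parse_7za_extract(sevenzip_cmd)
    return {
        "task_name": task.name,
        "task_image": task.image,
        "archive": extract.archive,
        "archive_password": extract.password,
        "drop_dir": extract.out_dir,
        "binary_from_archive": dropped_by_archive(task, extract),
        "findings": assess_task(task),
    }


if __name__ == "__main__":
    for key, value in build_iocs().items():
        print(f"{key}: {value}")
```

Running it prints the task name, the dropped-binary path, the archive password (vkd) and drop directory, confirms that the task's binary sits inside the extraction directory, and lists four findings for this task. On a live host the same fields map directly onto a check: `schtasks /Query /TN impressive-clever /V /FO LIST` for the task, and the existence of C:\ProgramData\dormitory-extent\bin.exe for the payload.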

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\is-7NLPS.tmp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.tmp

          Filesize

          3.1MB

          MD5

          533d56b88cefdb286a63f159b10f6abd

          SHA1

          fd1868d9edae70d66aedd51d6a8d1cb533396517

          SHA256

          cd019578773ab276df704fb4246453c8474b245b2564dcf9c538bf53e9ca3f8d

          SHA512

          b59e02c201a070fea1619dbd4094ea3c8076ffb1872899f6547c1168b702c4db9275709efb538f53732cafbaa33a7da8e72ded5d81913bf9d48181ea728ef712

        • C:\Users\Admin\AppData\Local\Temp\is-GG3M3.tmp\5.14.zip

          Filesize

          5.9MB

          MD5

          9910448ffeec9cc75efb5d13ea748eb4

          SHA1

          2a3725c95ea04dc64e168e5e2e4ca60ce8f43764

          SHA256

          405c1c78198ad42ca2be86b7ee973ec883f7c3a4a444896439631dbf67fc6210

          SHA512

          dee942daa8d3403ee9168d8914d2f2c93b3d3b011b442cf1d2d34ee73ed40927df660780aaa5fb68ce6c4708eb147d1992b922e65f00cae3f3b70eb6818c93fb

        • C:\Users\Admin\AppData\Local\Temp\is-GG3M3.tmp\5.14.zip

          Filesize

          383KB

          MD5

          8ca801d609496516de022c754e117a5f

          SHA1

          1d5eebe279163dfd4635418f37ec2fd25dc373ff

          SHA256

          bf85b5a3688ad5e308068802cf89b79a90235bc774541ded956517eb41aa50b8

          SHA512

          036e6d5d1fe630cefc0b273de379069a93eb2b4f989a78be63d2c1aa597fcd038c3a192e49ff013600d02a39a73bfd6de2958d041c25748bb981d4648812397e

        • C:\Users\Admin\AppData\Local\Temp\is-GG3M3.tmp\7za.exe

          Filesize

          574KB

          MD5

          42badc1d2f03a8b1e4875740d3d49336

          SHA1

          cee178da1fb05f99af7a3547093122893bd1eb46

          SHA256

          c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

          SHA512

          6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

        • C:\Users\Admin\AppData\Local\Temp\is-GG3M3.tmp\downloader.exe

          Filesize

          352KB

          MD5

          aadf4352d33ff9095ca64c25389eb82b

          SHA1

          0b1f088ce1c6b341d85cd0bea4c26036da89b26d

          SHA256

          3ada90b21b96154a200878c39da717c397743b07b74e9ae84b591eaf87a29b69

          SHA512

          16ec302bbca191df3e9cf49db109757cd621253b9b1a18a0d9e91566d34c4daf28d3ab99bf925fb56821321a8d3bf49e353bcad04480fce131931a4135fb1d1d

        • memory/960-0-0x0000000000400000-0x00000000004E0000-memory.dmp

          Filesize

          896KB

        • memory/960-2-0x0000000000401000-0x00000000004BE000-memory.dmp

          Filesize

          756KB

        • memory/960-159-0x0000000000400000-0x00000000004E0000-memory.dmp

          Filesize

          896KB

        • memory/3184-6-0x0000000000400000-0x0000000000730000-memory.dmp

          Filesize

          3.2MB

        • memory/3184-160-0x0000000000400000-0x0000000000730000-memory.dmp

          Filesize

          3.2MB