Overview

overview

10

Static

static

3

0f546ffdd3...cs.exe

windows7-x64

10

0f546ffdd3...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/05/2024, 22:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0f546ffdd39724a5ead211aac9d513a0_NeikiAnalytics.exe

  • Size

    89KB

  • MD5

    0f546ffdd39724a5ead211aac9d513a0

  • SHA1

    84364261a904e909be8ceb5ffe1955834ffeb9a5

  • SHA256

    146c698259e2a4d34ba6df382404ef5f21e72f61bf327c166de0ba77866d65d3

  • SHA512

    b57d8fb816cd0657ff1dc358186c8a2dcbcf0aff1bc5727d8e2a62c20e4e96483b4b7b9494b93843cceb2d8d8017b475b78bba2f92e99e7cfe8247765467d3bf

  • SSDEEP

    1536:71sMveb4lR0daHy9v7Zc86y9U4AFRfBWAEnG:BDeb4T0daHy9DZc86yGUtnG

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f546ffdd39724a5ead211aac9d513a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0f546ffdd39724a5ead211aac9d513a0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3452
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2732
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3376
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1936
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3992
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2432
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3848
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2652
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4344
      • C:\Windows\SysWOW64\userinit.exe
        C:\Windows\system32\userinit.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          4⤵
          • Modifies registry class
          PID:3736
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2828
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3788
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0f546ffdd39724a5ead211aac9d513a0_NeikiAnalytics.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recycled\SVCHOST.EXE
    Filesize

    89KB

    MD5

    755194182176a37ae78393ba401fa923

    SHA1

    28962ee666ed52c3787d35203cd5887363863905

    SHA256

    3b4555049078f1c55ef78e46450d800c5b8b3c797288a9b725ec37ba1abef98a

    SHA512

    81eac41625f673359d541909a3eea18b728ffd71bf08b4118cc300e19e71bba813762109ecd5b84947e31a490a2f77d566e16dc688c2ff22d81c9f6bcb4667ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
    Filesize

    1KB

    MD5

    0269b6347e473980c5378044ac67aa1f

    SHA1

    c3334de50e320ad8bce8398acff95c363d039245

    SHA256

    68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

    SHA512

    e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCD7EB9.tmp\gb.xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    Download Submit

  • C:\begolu.txt
    Filesize

    2B

    MD5

    2b9d4fa85c8e82132bde46b143040142

    SHA1

    a02431cf7c501a5b368c91e41283419d8fa9fb03

    SHA256

    4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

    SHA512

    c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

    Download Submit

  • C:\recycled\SPOOLSV.EXE
    Filesize

    89KB

    MD5

    d175093f331001363c7c94fd28b8f662

    SHA1

    275be587ad9d55dc766a4d12c3d7db085e207a0b

    SHA256

    7ee1ded5ff71dc471700e214545a6fd8983d482ef1700de8bbec16c474e654b0

    SHA512

    df8670f45c9f3554cecc623b6fc2e26fa21fdadc9948a9a4a9a0c5ace1135068d74ac85c2b6585406156a79fab146fb9c5ddbcf7cf6f75f2b604b80269cf7b09

    Download Submit

  • F:\Recycled\SVCHOST.EXE
    Filesize

    89KB

    MD5

    c4a893a27ad4c994a3878160c48d77c4

    SHA1

    9cd9bd8607f1dea4d99cdcb232be8230959ad1df

    SHA256

    8dad2564556aa17d6bb9c02eeb1588961546783a57f23155eec91e6abae5ea49

    SHA512

    3f76035f646e67b3736a54ac2fe747d812660837dc5f443d6f48d9cb5e7d13c848d2cb86bca294d166344866cea8f89737ee0bcd7abf042d6b195d0839ba5b1c

    Download Submit

  • memory/376-18-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1936-42-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2264-28-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2432-52-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2432-56-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2652-61-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2652-64-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2732-29-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2736-81-0x00007FFE1CED0000-0x00007FFE1CEE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2736-80-0x00007FFE1CED0000-0x00007FFE1CEE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2736-85-0x00007FFE1A710000-0x00007FFE1A720000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2736-84-0x00007FFE1A710000-0x00007FFE1A720000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2736-83-0x00007FFE1CED0000-0x00007FFE1CEE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2736-82-0x00007FFE1CED0000-0x00007FFE1CEE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2736-78-0x00007FFE1CED0000-0x00007FFE1CEE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2828-74-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2828-72-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3376-39-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3452-0-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3452-79-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3788-77-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3848-60-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3992-46-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4344-69-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download