Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-05-2024 00:02

General

  • Target

    28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

  • Size

    205KB

  • MD5

    28357c37e444030d84a1b4516ddc32d0

  • SHA1

    5467b9cd50846d306ac8206b51e6b9841386db14

  • SHA256

    cf5b0b153fa2e108c83665ea9c13a5d0f44e73e97d59190fef243b2bdc85cdab

  • SHA512

    39203541af816de57577387bc36463fd5dcc1c5bac3020d3bc6c0d733503f910d3b7e3adc33d5562b1becfeb5d236a309662905c1beebd6ecab1bbf80a3e64ed

  • SSDEEP

    3072:E/5F/E7tEf0i+p+tYlpJH7iXQNgggHlxDZiYLK5WpY9vSGmF3onW+MBm:EhF4cH+wWJH7igNgjdFKsAvHmF3onW+x

Score
10/10

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 14 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4836
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3232
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2388
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:456
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3596
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4552
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4200
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4340
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4300
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1280
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1988
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3416
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2488
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:636
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3428
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:740

    Downloads

    • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

      Filesize

      205KB

      MD5

      7db46e55a034aa94da8f268c94091df8

      SHA1

      3326e96b932af0f35518bcc185d57596f72ccbc4

      SHA256

      d0be2dc5996df74b70ab314ec96e269680d3fd8b65992f8017430067166a3f1b

      SHA512

      5496de64f0c98b609dcbf86ee47cb3d2f345ac3e0e8a5740df0e84c728d0de48c920d1f90034ae281141e2ac1f12dc5a02a02b23ea3e10259774c2b59587afe6

    • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

      Filesize

      205KB

      MD5

      0dd5a71e2bfb6769959a87da5ccec38e

      SHA1

      cf3eba71540e6b11d433c819f04a8827db18eef3

      SHA256

      9e672c97626d0418eeac4f0d91ca5d34f6a144c6581f74f4529e9111249166f3

      SHA512

      4d9cc0fd34fd411f6c6b9fc13942afd4bbcb6e23b785760fed522a0a6d437aad8c1a3b4371c61b438b872c32c62c0eb77cfeef3b89fe6df098e292fc8406beeb

    • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

      Filesize

      205KB

      MD5

      0352bfdcaaad4b73dc8fd8aca5a1708d

      SHA1

      d52f0576b637923585f518f82e3706b82b4d74e0

      SHA256

      ccff5c987c54548734c5ce1588a304739f97b55b8dc5a65f5dbe86554156ba97

      SHA512

      a24acb5b47ad87bb9b0435f118d2e5be00697e07e987476a6e2206680ec4ea22047cb31f8c7e4cdac87dd520ec9f87d4afa984d42efc0706fd2d7bb82cbac083

    • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

      Filesize

      205KB

      MD5

      ec02eda20ad10bd3cdc9484ea1db5486

      SHA1

      c2c09198e963db8e33d2d944d3c7f88025a084d3

      SHA256

      b2ae011a8f8681d8b1d737d36b170be0ca2a847a277863cf3c46068a84c7eb9e

      SHA512

      dfbb34fa432c3ccf758c4a13de5184afcfb46253634b2bfef0d02e26c5db9b264f1a04a506491fc62af71218865f5945b3176683bfffaf8f6df6d3805157848d

    • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

      Filesize

      205KB

      MD5

      7cceff7c8eb77c3f256690bb5d2c3c5c

      SHA1

      85fdbb451aa39455a39d4a9c8bfe090ca8a522e2

      SHA256

      2ad92c4fa8458b99aab0f63e55d8bd6eaaa14ca57916db07ac0872341a4467bd

      SHA512

      74870a120fdc93ea2f5ecc33e00f3df7d804accc19d6190a60cd42f457ac00dbb726bbdd451016a21ecd082ca627d9d68e0501478a3b666069e0f02510f7d69e

    • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

      Filesize

      205KB

      MD5

      4e551c18b9066ca283ebef24dd8bc795

      SHA1

      d8aecff10b29de40e0399271a0a5278d4e1d524b

      SHA256

      7efa6fcb7a4a1a541a07e48551295db82a152a5272c507482379265e3881273c

      SHA512

      84aa54f226375246e1959b845302a457ae18134bb6c198fb35db8fc8808e6a72f0222891e4153a4392620eb72437cd0508fb7ce4cfb09cdb99e3365b124a4c78

    • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

      Filesize

      205KB

      MD5

      173ce42f9ae35e5004e537e1d4237fa1

      SHA1

      9e9a53f8de816efedc4e7887193c4f5aaf0f643e

      SHA256

      abaffe70d964b25d8a063e052fe0d21d18c834d76e2ef28af89693850598a5c2

      SHA512

      9076a729fbcae4b23ba0d56eae144a3a47e4b56eb42855ea07c7784a7007bc8d0b1bd35ca4dd0ba4c8257f9b7eb30602466d1e39d3734dd8a3688ed81ba8e018

    • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

      Filesize

      205KB

      MD5

      1adc0d907ef7cecf3d1e9eee415c41d0

      SHA1

      e22d4ca55e1d79916353452b61bae67dbe6c8e66

      SHA256

      f9c19dc1ba51d06fc5e254d47c0e9e3284d240ea1aeea3148f8766a58d7dce94

      SHA512

      4f5de9060c564b73ba3bb80f92b5dd4262e8a7e0ade9db9ea7da9389674993a08a4bf688ff02989f53dca9b5c6792f3133e8195b344ae1b9cf2930e56a6da24a

    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

      Filesize

      205KB

      MD5

      ed1472df5f85bde1ae7fe9c547971e73

      SHA1

      6a77765cec6e49b314f928d311f9d9c13ebbf0f8

      SHA256

      b52f305523e3ebfb6d2c6a7b8f0102c5d1ff9b6d0676aef8da907b61374fc594

      SHA512

      66db5f6b5c3742592f001cc1decd85e8655561632836aa947362a0cff967d872aef2d499411aba65e42837970fb6c3ab006b27606240ff76417d1e840f80ef21

    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

      Filesize

      205KB

      MD5

      c256461bb481733cf26ba21af04113a6

      SHA1

      78d107773e4563d6ac782881657766ceeacecaa0

      SHA256

      d64fa666537b21da38fe335114823e8b5521a9ad7f335a733b61f06c404c4d3c

      SHA512

      953c653d80b04fa1b3da81c45d6781423b9e23183031d7445f19e70858a82bed64bf1560ba90c450637520fda724068bf8bf67ae4f76be9e89b638b62907ec9f

    • C:\Windows\SysWOW64\IExplorer.exe

      Filesize

      205KB

      MD5

      13453c4074a23bdf45847bafed5186c6

      SHA1

      4e0156631bd5c0bfb5062e79e6de14f1d33dc1f0

      SHA256

      9f8013b87799f75f230b10b9f5ffd941db42b2dcc2da471af192219e87cd834a

      SHA512

      e6d41246c6d6c5cd32ca9ffc44b19e7bfae1b71d53c9ed012165f3ad4ab5fb19697e35bc188c233af7014b6b5d61bf67380f268d63dd59608b305eb614bdc354

    • C:\Windows\SysWOW64\IExplorer.exe

      Filesize

      205KB

      MD5

      f355ca87eb8d256556ee0727278be4f7

      SHA1

      9c30801a00b096e7d65c2acdd0e7b5a0ede8a337

      SHA256

      8d63b06862bf56d38b859d55d7e3dd8481c0c280728d6d8169d73e773445aafa

      SHA512

      3847d22678229d1d1d0309de5bc09f2907ba288dc18ceabd54ac2c68ca83eb05476f54dee2b3644f676055c854d4214ca01564d2b275fda0abdec8aba957198b

    • C:\Windows\SysWOW64\IExplorer.exe

      Filesize

      205KB

      MD5

      28357c37e444030d84a1b4516ddc32d0

      SHA1

      5467b9cd50846d306ac8206b51e6b9841386db14

      SHA256

      cf5b0b153fa2e108c83665ea9c13a5d0f44e73e97d59190fef243b2bdc85cdab

      SHA512

      39203541af816de57577387bc36463fd5dcc1c5bac3020d3bc6c0d733503f910d3b7e3adc33d5562b1becfeb5d236a309662905c1beebd6ecab1bbf80a3e64ed

    • C:\Windows\xk.exe

      Filesize

      205KB

      MD5

      a2200536d9abb3463203968094083d9d

      SHA1

      10cf146d4a9db4da36b69cac4d20f3a69aea5706

      SHA256

      b15a1972428646fc376145b142bf020cd7f6d082ce84a36de392a7a33ddf4e38

      SHA512

      eb40fb1793b6cebe37d15f12cd2f97e825504c0f68224bb8d64c214391eb19ec70a44b17c8f2a4c2a025a8b567e707aa55109a9da288fab148a7dab8a3e92503

    • C:\Windows\xk.exe

      Filesize

      205KB

      MD5

      2fd1f1e75ca7c4a834bde0ae765138f1

      SHA1

      9319a8f0e1ec8766fb0e8f6d47a9596d1276d592

      SHA256

      0d86392f26aabe7a141c45700d2f141f89fd5542781808d0f129de45d9037189

      SHA512

      38e82882fa5b9080392eb71f013905382e849ea2c2ba09cc8b95a91b1d980aa86dbe22241abf3843a3d6e709939a2d29613516c29b1779a061b241db90e9451f

    • C:\XK\Folder.htt

      Filesize

      640B

      MD5

      5d142e7978321fde49abd9a068b64d97

      SHA1

      70020fcf7f3d6dafb6c8cd7a55395196a487bef4

      SHA256

      fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

      SHA512

      2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

    • C:\desktop.ini

      Filesize

      217B

      MD5

      c00d8433fe598abff197e690231531e0

      SHA1

      4f6b87a4327ff5343e9e87275d505b9f145a7e42

      SHA256

      52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e

      SHA512

      a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1
