Overview

overview

10

Static

static

7

30a050e49a...cs.exe

windows7-x64

10

30a050e49a...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-05-2024 03:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    30a050e49a3f567fc2c7983056cdc820_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    30a050e49a3f567fc2c7983056cdc820

  • SHA1

    10b845aaeda73a3142106ab367889a5d475b4b34

  • SHA256

    8454c949cbdca36e697202efd9fa718c67dcd03453ef69487ca11ccb21a14a6c

  • SHA512

    7de5df64bce0c55182af9933c251541864fee8a3daaa0c2ba1f81c89c01effed5f59ef57072475f89a1b99ab9c7ff315a08c59de1526a5bc5856b6ecf3f588f8

  • SSDEEP

    1536:jRsjdEIUFC2p79OCnouy8VDbRsjdEIUFC2p79OCnouy8VD/:jOm9CshoutdbOm9Cshoutd/

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\30a050e49a3f567fc2c7983056cdc820_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\30a050e49a3f567fc2c7983056cdc820_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2248
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1016
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:432
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5076
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1516
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4024
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3312
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:636

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    2d7c3a875b1c9f702358cbbb2b9e4c76

    SHA1

    0cb26ae8296c5bf4f9d084cb91c3addbc42be9db

    SHA256

    0b0fe8f63476e601549431c8b4edc6e24081600703f9e80a5c36b516d7699707

    SHA512

    47ff714cd6be64232c4edae4d5ace88e212210dc10df6c13b88306b5de32ecf2780b9e4dd11633931d997d3e79b05f1d747150574e33e8f4ce82915b94b35df0

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    75c8e1e480e84204623fb403f6c0b1ff

    SHA1

    affff9cd0d7af4a1b5cbaadba0fe04cf78c2ed80

    SHA256

    a18663d9b439fe9c1248653f8d45a38691fdff5c9eceee86fcb5a8a182ee09f2

    SHA512

    70a6349396c8c2bf1d2fb7a62c7263e557cc72ddfd731bb7860bb8374e44a02c5345af591c33791908f4dcbf522ed4445478afe022c8f8ab7f64a640729268f3

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    ca12256529faae087f940f7faec699b7

    SHA1

    71bad9f51e6540b164abf1f49e9fd57f4c996cef

    SHA256

    0a4c7c982b62e0ec6f46123a43661e65f82638d31b7bc4a3cbf16affdfb3557a

    SHA512

    bc302fc930e4bd024ae77f2312f0aa8fa3c9df336626a1793682b2198bf3bf33debb42a71bed4bbb8f20d044db78f6a77a9f845de9918061b49c5d80cee18c40

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    e6b26211aec787ccf0f93117c97f4faa

    SHA1

    bcef0d1cb46080d85694e1c7542b29471dbeab8b

    SHA256

    01d2f2b4d6731f5e92c191ba052b1b381cd96b818a189d8a62611beda50b6242

    SHA512

    52c74d7ffb69c10525c9f31c02af2757146d2153c5add3ffe0ff9cfc39f2db55fcc6f07ae3d5a09cc85eacedc380667802dc57109a6df82224f0317be3b0710c

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    30a050e49a3f567fc2c7983056cdc820

    SHA1

    10b845aaeda73a3142106ab367889a5d475b4b34

    SHA256

    8454c949cbdca36e697202efd9fa718c67dcd03453ef69487ca11ccb21a14a6c

    SHA512

    7de5df64bce0c55182af9933c251541864fee8a3daaa0c2ba1f81c89c01effed5f59ef57072475f89a1b99ab9c7ff315a08c59de1526a5bc5856b6ecf3f588f8

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    13c7bf1f03123d45bbcce6e7c6046fd2

    SHA1

    32938a401112ec218c43dc7760220756f4210556

    SHA256

    62da19a6a6793e195f76f26829f0753e77d4c91a3d29b1db640c30638175f68b

    SHA512

    a1fe7ad3c40df51cf99e18824b526c6b4fccf0fbcc658251787fdd1a6d1e4484c5b2109fae0879936e8e95df848f795c992d3e75ed5957b037cfe2f644ee4d8b

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    cd1f33734cc1d4f2a40e62439488cf28

    SHA1

    308f259cf8068dd9465ad87822985e688aa22538

    SHA256

    3af6e517948f3feaccfb8eb98d7c6080442b9f0579245220a211b225622168d4

    SHA512

    9c89c7d9fa181ab6f9dfc912528c5d234a4c4792159be0eacbebec08890afceedeb63b6e5b009d3eed8c89716717ebcc2e69dea372f8fbea7689f6ebe922d38b

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    facfc1c43f218ac3c39acc85caabf3d2

    SHA1

    ca71428bbeeb6a134ea105e6cb049fe94080c7d9

    SHA256

    a7ef0ca2424afe8495dbb4ad5e858b9343b29adb45f305b8804c0af068445e2e

    SHA512

    518f87f04f4d3f95998091fac4c0aa2ab104ae9bbe42a9a09027bcafbbb27f4d25a60a4572be2e2910892f9788a9a91c3ed2b9b99838362a1dca26a4aa787c12

    Download Submit

  • memory/432-114-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/432-119-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/636-151-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1016-111-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1516-130-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2248-152-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2248-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/3312-144-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/4024-138-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/5076-124-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download