Overview

overview

7

Static

static

3

3e76863efc...cs.exe

windows7-x64

7

3e76863efc...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29/05/2024, 04:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe

  • Size

    144KB

  • MD5

    3e76863efc9b779e7d4ff799df65dfc0

  • SHA1

    45dbf8b77811d1c366fe33860fa6e587e1f6b85f

  • SHA256

    11d1c8debe5780af021f2e446cc3723968ef92424bfe56bedda1067f5956f1fd

  • SHA512

    f4b0ea61fe68b6927df14005aaa84184d97465eade929eecb70e0b511b4c3d21029f0d6c6f10b86da1cdde880d6176fd6baf751fe1343c3597a485fed9a62d59

  • SSDEEP

    3072:l5SVkkgUgXC7AdYzrV+Dljy/32ubwZ/qJ:SUFCkdYzrVolu/J0Z/

Score
7/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Users\Admin\AppData\Local\Temp\3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BRSPY.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
          4⤵
          • Adds Run key to start application
          PID:2852
      • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
        "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:592
        • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
          "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1360
        • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
          "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
          4⤵
          • Executes dropped EXE
          PID:2540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BRSPY.bat
    Filesize

    157B

    MD5

    f6a90c20834f271a907a4e2bc28184c2

    SHA1

    36c9d1602b74f622346fbb22693597d7889df48d

    SHA256

    73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd

    SHA512

    39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

    Download Submit

  • \Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
    Filesize

    144KB

    MD5

    00657b45b436382477e182bcf8dfd69c

    SHA1

    2e6ed210351d59d97c8c7feeb0a1f0008c9d4528

    SHA256

    d3f5825e3128fb8515fa4cfbb53066b1c123fef674294a02f5ebb2375b0c6d3d

    SHA512

    87b81f24ba23faceee7e351a196cf73806c59822e0197dc1ed93655507e163cd972700b0aa40962dd1654988db767802401d6fd1d4b8511439b4b7dd8522efef

    Download Submit

  • memory/1360-955-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1360-1041-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2624-446-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2624-488-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2624-1034-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2660-2-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2660-281-0x0000000002570000-0x0000000002571000-memory.dmp

    Filesize

    4KB

    Download