Overview

overview

10

Static

static

3

55301eb548...cs.exe

windows7-x64

10

55301eb548...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29/05/2024, 13:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55301eb548e63bec7976ae797b12e6f0_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    55301eb548e63bec7976ae797b12e6f0

  • SHA1

    c198aea6d8172a2ae8ab82d05db7bf5fc98be556

  • SHA256

    aa6542b54f9f1957e6b1459257b2566817626b566c1eab579899d6511926723c

  • SHA512

    0fccbf2887e24d7c0ba935ec652f070949be4d22cd1c3a068055224ce0a9ce9f8d7bf968f2829e8f0fd337e7b45f5c7b899ee98f5f35ff19ff9f0b7fe2bbc694

  • SSDEEP

    768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3Imuz3gRYjXbUeHORIC4Z6:uT3OA3+KQsxfS4wT3OA3+KQsxfS4u

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 18 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\55301eb548e63bec7976ae797b12e6f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\55301eb548e63bec7976ae797b12e6f0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2216
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:792
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:344
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2752
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:896
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1284
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2164
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3028
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:396
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1364
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2084
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3012
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

7
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize

    240KB

    MD5

    ca5082affecfb68ecafbe95c31d0c25e

    SHA1

    24bcfe931fe8e60e5655f5d6155010613146504c

    SHA256

    7b5e09f0ffcde4f4f4a37dae9bcdc8f7e557381fe8b92579bc4c1b3a953a67f9

    SHA512

    35ef527ef330325c3129825d2759f92e9d053b319935c2c12fe308e0fce4b030520073eb67c54fc25d98928a16a95d4c0bf946d6a11b2e3e8ca8db05e631bbf9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize

    240KB

    MD5

    e610da3065750df57ab87a94ce36910b

    SHA1

    84b14e9125c3b2a41a07f50cb1e24b732ebed624

    SHA256

    2b7741e8364c0aaa64982eb465cf386704d8e6f9cb52d75ee509149af9a72bb2

    SHA512

    a6ccfb9d1e60de233394482b42c5a7f67653b5ebc06d672b93bdb537aaa9fc3009a99c25f75e053cb14ae3abb0c44e0cb0865668abc7f512efc89375954037b8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
    Filesize

    1KB

    MD5

    48dd6cae43ce26b992c35799fcd76898

    SHA1

    8e600544df0250da7d634599ce6ee50da11c0355

    SHA256

    7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

    SHA512

    c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    58391e6e23f34be0a5d259050222ecb2

    SHA1

    eb8d92dcef6ff3d66892449a47e9df6e6534ec06

    SHA256

    d6009afb00b18941936a999ecd142a791a23f340114245ed58143647cacf02aa

    SHA512

    fb2219e7f767c32702d3f3a4eab23d96655b67db0dc8dcc87b38abbf8f4664fd102ade24553d9af4d991a7ea06c208d24f4934cfa599064858687c445962cf66

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    55301eb548e63bec7976ae797b12e6f0

    SHA1

    c198aea6d8172a2ae8ab82d05db7bf5fc98be556

    SHA256

    aa6542b54f9f1957e6b1459257b2566817626b566c1eab579899d6511926723c

    SHA512

    0fccbf2887e24d7c0ba935ec652f070949be4d22cd1c3a068055224ce0a9ce9f8d7bf968f2829e8f0fd337e7b45f5c7b899ee98f5f35ff19ff9f0b7fe2bbc694

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    4dee1d2f2e8f66cbbd87b4f966388896

    SHA1

    5ec2f3a24719f1fe7f336306227ae22d50a5fce2

    SHA256

    d80a6f6e12e2163fd411292a61bfae8d05f4458acff45d1b61b75ee1929afe6c

    SHA512

    c7c643afa24c12ab09d4fef32d5cc0275b35a654f22dfacfcc1362f77f2247f3fec83c13738c3a0fc9e77cf9e696515757b97f16669c066db3427d71b718b95e

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    2ab88bf63d9bfafa475ad327d7801935

    SHA1

    21bd7327eea7ebdbdf96464d25e9afa38b2511ea

    SHA256

    48b9c51e3a2d2884a72dcbf3554d601c1d15eec277a310628a18dbcb3b2ba5d7

    SHA512

    27a030579b4e01ce04d51ab471b05e6423be20629ad86c32603fa2cc23c6a0a0f9fa1808ea9a90eb8c6a638328d6d5db41977e9f082b8daad5f0668132bbe63b

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    64d40290393485177f7aaed5c7eeba9f

    SHA1

    85ef69979b7c5196b9e3504b25a37a5f44e9a4d0

    SHA256

    c85027abdb57346e70a89ca09b0433fa2d6edd589903b4083b6be7468c79334f

    SHA512

    4b6a2ef5a77906d1afe61f21e6ca662d0346403b51a287c26cc08607c4969c5271d3dd6c9b45f91831c50bdfc6db7bbc378de2a08e6b97db059b823828d0eea6

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    49bb2074ed4781c81b4e354f154cbe32

    SHA1

    c67f261c9a67a7d499ab6be12cd1a39696256856

    SHA256

    4401a761864940d4cb584df5259ec4b2731680e91ae8e6d0f17440eb837a338e

    SHA512

    e3e8c2b6f3838d05ba1fa80d7b6c44433a0a8646b999d021ce4c30f4fc5b26335401e1708ba947d1631057271d95372043de2eb23988bb2a0e30a81fe31f5bd4

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    8433f83e23fc28053c55e08264561f5d

    SHA1

    72a679494eac92fb07b508f1d9564e53a2935976

    SHA256

    cb42fa7771ce4c23f17b31a5e215639827ecc2e298b0c4549bf0306cf6a81423

    SHA512

    bb8d59e2c55cc80aebe409d90dc84642d01f742a85ee0cf47912f49676f71f754e2ec5450c95b6a1ce2e41978da0ca2062bfc28202f7bfb877119cbb3daca2ff

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    a4e000361c34a15199cff5f0d5ae9d26

    SHA1

    5b1f20335aa251a7d486532d059744fb4d9d2aff

    SHA256

    10aaab2b180a11b4de582270b97f6286ad21f6d247ffe837d2969c9ce454d8da

    SHA512

    6225b53664cbcf3f401e5890c942f6e261ff400a6d307cf338dc2e388c4c08230790ea62fc92c6df3446e25e320278f0aaae9f9e52f3cb8796e4e39c2f6d952a

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    ea167e868d7d337d931615516e91e724

    SHA1

    aee6ef149c9f218ca985cba6fb40b23b4adad801

    SHA256

    a3b12751ba46b3e0af6b5219cbb8e79dcbffdf151200679d162b4cb7e836da60

    SHA512

    2f6e2ef18e470da84d9cd63067ea142eb3ceb3653c6b3abba8f523300a3d45d9bce7f5da6ed300d2063f7e753c63a455969b4ad1d5b92b26349d94e221b3d016

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    eee3f530f042ebe21625de25d3092a22

    SHA1

    c6ecc1d29cbbd8b5c5cb18ee6223796e5b99c3bf

    SHA256

    8bec1af562690263d862ec2464c052de469ea80438bd26d4aa479569df8c8c51

    SHA512

    758809a51920d238d6c65dfff722df34b7bd1f402a65aed07bd334ee306821a3a30bb39f14e11205e1c0acf8e121fcee4e7454023ac1e0fd3f6a7c1944d1f443

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    2a8829d3b427b90003131536455c20da

    SHA1

    2495ffade04aa0a2e03eb8ec5b6b71e5918fe5e1

    SHA256

    ace146f1c659c2f9205a32e6482b06eba22c5c07e21676dd522b73e27657785c

    SHA512

    a9279bc35f9dbd77c52b1dc2e5577db482075755be0a7c23d8e8058660db3321cc9d93c18d9e61e3a814dbe24f866a2c149490c5dcea132ee7270991436c2023

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    44b3b07fff8d0ab93046ae458705eac3

    SHA1

    2795070c179476466efa655ece441f9d4021d00f

    SHA256

    d88e6586c4695e9eea9eb13c5e4a5bc8555d8c5db77c61887fa7b1d8e85e0212

    SHA512

    0c1982535fc41301c9e4fda357aaad5b7bde3842b6f93b52a7bf4765e3b28050a337bc53a8438e40fa7e75a95c931b29e2b01ff3bb1b0f73212eabbb1ff5295a

    Download Submit

  • memory/344-130-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/344-131-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/344-136-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/396-268-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/396-263-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/792-123-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/792-115-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/792-116-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/792-118-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/896-161-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/896-166-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1000-333-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1284-224-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1284-231-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1364-280-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1364-276-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2084-294-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2084-289-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2164-237-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2164-244-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2216-2-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2216-160-0x00000000022F0000-0x000000000231C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2216-145-0x00000000022F0000-0x000000000231C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2216-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2216-4-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2216-458-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2216-114-0x00000000022F0000-0x000000000231C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2216-1-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2216-287-0x00000000022F0000-0x000000000231C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2216-222-0x00000000022F0000-0x000000000231C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2216-3-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2216-144-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2216-302-0x00000000022F0000-0x000000000231C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2752-152-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2752-146-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2752-147-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3012-303-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3012-308-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3028-250-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3028-262-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download