Overview

overview

10

Static

static

3

55301eb548...cs.exe

windows7-x64

10

55301eb548...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/05/2024, 13:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55301eb548e63bec7976ae797b12e6f0_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    55301eb548e63bec7976ae797b12e6f0

  • SHA1

    c198aea6d8172a2ae8ab82d05db7bf5fc98be556

  • SHA256

    aa6542b54f9f1957e6b1459257b2566817626b566c1eab579899d6511926723c

  • SHA512

    0fccbf2887e24d7c0ba935ec652f070949be4d22cd1c3a068055224ce0a9ce9f8d7bf968f2829e8f0fd337e7b45f5c7b899ee98f5f35ff19ff9f0b7fe2bbc694

  • SSDEEP

    768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3Imuz3gRYjXbUeHORIC4Z6:uT3OA3+KQsxfS4wT3OA3+KQsxfS4u

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\55301eb548e63bec7976ae797b12e6f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\55301eb548e63bec7976ae797b12e6f0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1156
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3020
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3332
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2896
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3032
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1364
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4896
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    aadce1705a8d15c5eac8b3221e78b658

    SHA1

    773ae741d50a66190b650f5cd74f1a495a282742

    SHA256

    fb282777906211405c58c5de55409d83e5744dc11addf8491fcc263bf3392024

    SHA512

    4babb166b4195a9e7c56045fd0386deb3cdcc5a217aefea801a3c72518b580d078997a23e95c94e915e672fdec9e8a8ff72d2d870a8cc341273d1ffb4fdf0636

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    824221693f10287860879a33094e60bf

    SHA1

    a098e46c0123a3d036c62239380fe870f59465d5

    SHA256

    76b218687fe13b146d4a63de5c9e9563f3f29b2b165f7bb791715ff1da97b04d

    SHA512

    f6bd30cb88eb7838dbd2d1360bd11f701624a98f86c57e133494fd4f42f29d3658029b3b3c69b53b2f02baba7162df093c59d90d706da58e815ef107023912cb

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    85ecfeafdf1ab5585c8eb9b11a4b2ab9

    SHA1

    c4a2ec69aa1fe2302d5428e45a3f068bcf940ba6

    SHA256

    11353144a5ee62aea9216b58f3c7dd58d025b0ea868111350fe903e3f34b3fbf

    SHA512

    44c205e747a8bef59885cb39606c61b94cce02bec9a14f87913f51f18e75cecc53bc3da47afd952ff735360917ef804dc85fc106a6643c4758f49b63fce3f25f

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    57601c1b823f3226414f8bf3286c8343

    SHA1

    bd95d498c673085af561f62689471864458f53fd

    SHA256

    02e94d5c890416349344e3406dc12b9b7d8d41007bf5bd06f38ba8da8c077509

    SHA512

    93653ce8f3acc214f1cdbe4f1fae3de8ff4df640cf81f0c89561fcf1ae827dc7edcab5dd9487e504dd7f7b32a4b2d2dcd0f427fefaf263dd29e07c36911e99f7

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    55301eb548e63bec7976ae797b12e6f0

    SHA1

    c198aea6d8172a2ae8ab82d05db7bf5fc98be556

    SHA256

    aa6542b54f9f1957e6b1459257b2566817626b566c1eab579899d6511926723c

    SHA512

    0fccbf2887e24d7c0ba935ec652f070949be4d22cd1c3a068055224ce0a9ce9f8d7bf968f2829e8f0fd337e7b45f5c7b899ee98f5f35ff19ff9f0b7fe2bbc694

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    fe7b363ba0657465f83226f701a3a2ba

    SHA1

    dcbcd72ec09932936da61691fef6893de693babd

    SHA256

    604458aa49a3be4993a17b1c5add20941671f7e6c82953f37651f6e5ebcd50bf

    SHA512

    9a7099f2f7a17a972d4c59df256e19558bb6ef0a64a88cdde2a51f6c2781b3f9898be87eace75c56f7d6198eb66067743d497df02b8bd0798dc4cb261a733fc5

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    3973eed6031d7b272f66df1c901ae40f

    SHA1

    fb6c8c4d7fa432ffb3a8bab1c59fa764f8e3f1f6

    SHA256

    f35c78f0d9dc12757923d9edabf223bebe07d51958bcf52faa4344538bd39db7

    SHA512

    31ba4da9d188dd8f06079dcb3929434abcf8def92e9e80af38ccc49b8c6e4be07e892a34b4a5102a52f0d41fe873df8c9accc75f6e71cb39e0a25548cb1361a0

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    69360307082a6128d3ca2e8445011660

    SHA1

    9993f32032362a0389ab81247025e247bfd9ddd3

    SHA256

    73daf220fe07b78a76db18710915ccfa5fa05df4373090d892c3b68c1544e3b0

    SHA512

    67ce4d4c3e69923549994b167da1e24515a3a50b84c6a5fab270800c30e19b26bac968c09d85cf6e9d0a9d9054009acef0f9705a83179475e10fa46209e42983

    Download Submit

  • memory/1156-4-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1156-174-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1156-175-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1156-149-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1156-2-0x00000000756D0000-0x000000007582D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1156-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1156-3-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1156-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1364-154-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1364-150-0x00000000756D0000-0x000000007582D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1576-173-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1576-168-0x00000000756D0000-0x000000007582D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1576-167-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2896-135-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2896-138-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2896-131-0x00000000756D0000-0x000000007582D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3020-124-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3020-112-0x00000000756D0000-0x000000007582D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3020-114-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3032-147-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3032-141-0x00000000756D0000-0x000000007582D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3332-127-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3332-121-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3332-120-0x00000000756D0000-0x000000007582D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4896-159-0x00000000756D0000-0x000000007582D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4896-163-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download