Overview

overview

10

Static

static

7

6bd33cc7e2...cs.exe

windows7-x64

10

6bd33cc7e2...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    30/05/2024, 22:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6bd33cc7e2ce964f13c27cfb4f77a520_NeikiAnalytics.exe

  • Size

    255KB

  • MD5

    6bd33cc7e2ce964f13c27cfb4f77a520

  • SHA1

    2a8f4ca1b97b99dd36bef8e937fbf817a5683855

  • SHA256

    971b2888e55a4a8bb04d9862bb51b4abf8d626438a73a0176ad57522b61230d6

  • SHA512

    5aff27cecb92a80c872e87f616d0d11ba7d5f2fe0fff3e6d5a5d1017ce5b2050ff5f95ed34ce740624c5b0e5205a95a9552ed74248e242c82121d1befabdf351

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJU:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIh

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 56 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6bd33cc7e2ce964f13c27cfb4f77a520_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6bd33cc7e2ce964f13c27cfb4f77a520_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Windows\SysWOW64\youlztwjyx.exe
      youlztwjyx.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\SysWOW64\cneqmqqz.exe
        C:\Windows\system32\cneqmqqz.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2568
    • C:\Windows\SysWOW64\dspvdhssopbrgud.exe
      dspvdhssopbrgud.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2676
    • C:\Windows\SysWOW64\cneqmqqz.exe
      cneqmqqz.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2932
    • C:\Windows\SysWOW64\xhttvwukimewm.exe
      xhttvwukimewm.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2592
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2320

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      cc7fa39dbdc626091d03f367a2ce40a2

      SHA1

      0cb7ad356801f258226520167b793f76224647a4

      SHA256

      4eaee2c9bd2776bc5518e5ca9947e1b0d690515fa02f607961fa750434848b61

      SHA512

      a41d0e12789b89b2eea86ddb30287f30f331590181a2a73e0f56f7907873338f011cbaeb5cb7e36913558e7e23f6764285407efbbc146ae726f68218870c6fba

      Download Submit

    • C:\Users\Admin\Documents\SearchWrite.doc.exe
      Filesize

      255KB

      MD5

      1ac3ef80e8851b5921deac619420828b

      SHA1

      eacc47e98c292a739672d6a357d147f3c1d57b2d

      SHA256

      8f0a4cafedeef6ce8a06a89108cfc2dd30c97021fcdd325204b35ee3bc191ede

      SHA512

      8fbd54267a358d5afa80893bf7a7bd9d36dc18e61fe7446e0f4971026ca86b5b4d403cc0359e1e8f2bbad32b2ec6c3436116d512fe4767246964fb3f92e963fa

      Download Submit

    • C:\Windows\SysWOW64\cneqmqqz.exe
      Filesize

      255KB

      MD5

      32bec2e2c7a1f97551bb67f7039f396b

      SHA1

      182a5fc84e89b0b784b97a048dc22176ea8c5d9c

      SHA256

      f5fbf86c22dcf66a59548cdaf595a011f4bb4d16652aa7beb2e9d991d2a0eab6

      SHA512

      bdcb031991375e35d82aca3b99a1f0fdce8d1c2cd555795198b4955a06e5a0482721019846b22b43096c4c96d1da5379b9c4fbcd145ee78a22deeeba8e21784d

      Download Submit

    • C:\Windows\SysWOW64\dspvdhssopbrgud.exe
      Filesize

      255KB

      MD5

      c3e05d56ae567b48d41e8a5c9cc94feb

      SHA1

      8e151faf9dbdb8fc2f5a56e6718803ad6476b307

      SHA256

      f0b2d404ef3f915bafce2823877a2b0ee06b28dcf15e9c57b940cba23eed83b6

      SHA512

      6928b75614d459e58715bf814e2f487afe61e79793100775924a662a7c80a276dff4e0c0583d729d4151b697c4cf9b7a065a8b515fd494b53c1a654566ab7614

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\xhttvwukimewm.exe
      Filesize

      255KB

      MD5

      3c817bf67eee62378550e0f8b4e44b00

      SHA1

      7c3dcdc88718fd6a96cc01fb447a914e7b9c275a

      SHA256

      586ce94afa313d583b5d587cc84edba15cb836ecae6cf04eeaaf2ad666fb1d0f

      SHA512

      be097413c2e65b36494242b3f9c96705f0d18cf76d55b169969f5d95ef3f6ad3eea3bf867b8002d31a49d366b5e0b5c688d54acc2cbc4fa66842833c2f2b8dfd

      Download Submit

    • \Windows\SysWOW64\youlztwjyx.exe
      Filesize

      255KB

      MD5

      2b73412a891ecf4db03e7c0172dbe54d

      SHA1

      bba5e438084eaa89d6951919fee6986f6f925984

      SHA256

      40d5976b6e835ff49802f73f6720377bc89b1b63e4431c52a57a7d957e1713ec

      SHA512

      aa2ab14d4c6730f4f9944155682659c8caa53b112f269bdfac858153c94ae3d7a5e7e6c7d2cc093fb54c940b9f97d170771c9b09371785e29140476096cc1018

      Download Submit

    • memory/1468-46-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1468-18-0x00000000021A0000-0x0000000002240000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1468-0-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1468-27-0x00000000021A0000-0x0000000002240000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2312-114-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2312-98-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2312-145-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2312-148-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2312-151-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2312-80-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2312-142-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2312-78-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2312-139-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2312-101-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2312-25-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2312-117-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2312-87-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2312-104-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2312-111-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2312-108-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2436-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2436-138-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2568-84-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2568-96-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2568-91-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2568-45-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2592-150-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2592-92-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2592-38-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2592-103-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2592-90-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2592-147-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2592-106-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2592-119-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2592-110-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2592-100-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2592-113-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2592-153-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2592-144-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2592-141-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2592-116-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2592-83-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2676-88-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2676-105-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2676-118-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2676-36-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2676-99-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2676-152-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2676-115-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2676-140-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2676-81-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2676-112-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2676-143-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2676-109-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2676-146-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2676-86-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2676-102-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2676-149-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2932-89-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2932-95-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2932-82-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2932-85-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download