Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-05-2024 13:04

General

  • Target

    6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe

  • Size

    89KB

  • MD5

    6e69ce42995c67a7d08e5beb171a0b60

  • SHA1

    92ef26c42433f3360a00dfaddebb88f8d5f883ec

  • SHA256

    79db5ee51b3e04f6d56b27a9305c39331e803e363994b0ab6ed64b0e1aa4701c

  • SHA512

    1a1043d69c51a8c9408f57bde5017bf4a6cb14849a6a534d42b497a212f50c7358847bea8cccd7224fa5a3294f5f9ecd11f87186c80d0cf9174280bbf9d74ec0

  • SSDEEP

    1536:71sMveb4lR0daHy9v7Zc86y9U4AFRfBWAEnn:BDeb4T0daHy9DZc86yGUtnn

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 4 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 20 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2076
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2760
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2272
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1664
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2688
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2548
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2968
      • C:\Windows\SysWOW64\userinit.exe
        C:\Windows\system32\userinit.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          4⤵
          PID:1956
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1316
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2720
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.doc"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
          PID:1652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
    Filesize: 1KB
    MD5: 0269b6347e473980c5378044ac67aa1f
    SHA1: c3334de50e320ad8bce8398acff95c363d039245
    SHA256: 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
    SHA512: e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

  • C:\begolu.txt
    Filesize: 2B
    MD5: 2b9d4fa85c8e82132bde46b143040142
    SHA1: a02431cf7c501a5b368c91e41283419d8fa9fb03
    SHA256: 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
    SHA512: c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

  • F:\Recycled\SVCHOST.EXE
    Filesize: 89KB
    MD5: 7ff93d0514eceb0211c206844b2b204f
    SHA1: 0f8bc74dacdedae1dc02110543c05da5560193c6
    SHA256: 96153b57662b2aa88878017d93673d50d6b15f3fd43b6c5c4162a71e946b60dd
    SHA512: 9166940ac2baace0af590a552cbee442a14395a55c7561704bc8acff06cc3d972de85f45c668c730131637bb748408c9dd4e149df39e18c8e10434af248a00e7

  • \Recycled\SPOOLSV.EXE
    Filesize: 89KB
    MD5: 8922b4a060f7e5fbe2cf31e16338dc4d
    SHA1: 72a177373b1cef99dc66fa28e33dd6f27be8a48d
    SHA256: 51dc0f633b62680165b82ee2931d98f5fb856ed02ee32dded77e635b5324523b
    SHA512: 7c78ff85774c4c4500608d6022fda8a42e4172c8ba95aad7887d7777e41fcbe17ffef0bfb65321d6bd8200ce48cdba01fe1b2fc813e4be30d0c05d377a17df6f

  • \Recycled\SVCHOST.EXE
    Filesize: 89KB
    MD5: bd239d379298357d6d38d90cd991ac69
    SHA1: 34446066ddea9afbc4e9c71c24c21a0bae4359ad
    SHA256: 33a78d4f55b3a62d3d63675a2b8a353e9e5d98fa5bbfb0a123517ee506515352
    SHA512: 73ec09f27d89272ee4a7fcc40f64f796f617ccc5f84a35f7e923e89d18034e65fb801eccbaaffa4825e3ce346e009b1978c45809c2ed3b5bde317205f3335f58

  • memory/1316-98-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/1664-74-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/1980-106-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2076-37-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/2128-25-0x00000000003D0000-0x00000000003EA000-memory.dmp
    Filesize: 104KB

  • memory/2128-0-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/2128-105-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/2128-104-0x00000000048A0000-0x00000000048B0000-memory.dmp
    Filesize: 64KB

  • memory/2128-18-0x00000000003D0000-0x00000000003EA000-memory.dmp
    Filesize: 104KB

  • memory/2272-57-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/2272-60-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/2472-32-0x0000000000730000-0x000000000074A000-memory.dmp
    Filesize: 104KB

  • memory/2472-41-0x0000000000730000-0x000000000074A000-memory.dmp
    Filesize: 104KB

  • memory/2472-40-0x0000000000730000-0x000000000074A000-memory.dmp
    Filesize: 104KB

  • memory/2472-26-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/2548-85-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/2548-86-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/2720-103-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/2760-52-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/2804-71-0x0000000002430000-0x000000000244A000-memory.dmp
    Filesize: 104KB

  • memory/2804-78-0x0000000002430000-0x000000000244A000-memory.dmp
    Filesize: 104KB

  • memory/2968-93-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/3036-61-0x0000000000800000-0x000000000081A000-memory.dmp
    Filesize: 104KB

  • memory/3036-42-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB