Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-06-2024 03:23

General

  • Target

    8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    8bac2c0dcd2fd87ef8d9170fe4effe70

  • SHA1

    4d098d2fdc60db19967630aaf09515204845da0d

  • SHA256

    0a1a2517d5253902840ae21d0e5c77e72fa4138590e84a8e966561a9475f9253

  • SHA512

    044545507c87c6aea0c95a041d339b44e07f9585b8ef7acc2be00d4ff83d06cbf8a5151a3b015ec66945c57003b2344225922ced760f5cbd184ac365f9075bc0

  • SSDEEP

    1536:zAwEmBZ04faWmtN4nic+6GXAwEmBZ04faWmtN4nic+6GU:zGms4Eton0XGms4Eton0U

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2020
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1580
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1636
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2712
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2196
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:316
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1992
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1680

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    1baf6e0cd6c4ce6c7dbf222347c93073

    SHA1

    96a1ac4279eb92335712847c4c0326d647f0906c

    SHA256

    b7ea2b8e45b109a69cc9ce442a31f930f21e73b19518b14b2e4621523562af55

    SHA512

    6fa608643acc22d1b2256526bc094f07c472c655ccfbe00ef692d4c6b452a41a8cc97b7b1166847d1368ba172203b380c895ca024587036e37f967fdda7f3fd5

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    8ada7857a8b4c9b6874116ad85d5df94

    SHA1

    906b6812575133a27027a05def739b3ad1e5e391

    SHA256

    e292ddd37a401590ed31aecbab096d32df32afd789fb7d01cb08ac7e89089eaf

    SHA512

    d1339af778e4312a41945df427870b4572725226c36696ff619dc0269c476609491e30c1099ec0cec04b8939b890c12209ddddc83c1323d01c87c8a0a6395c80

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    8bac2c0dcd2fd87ef8d9170fe4effe70

    SHA1

    4d098d2fdc60db19967630aaf09515204845da0d

    SHA256

    0a1a2517d5253902840ae21d0e5c77e72fa4138590e84a8e966561a9475f9253

    SHA512

    044545507c87c6aea0c95a041d339b44e07f9585b8ef7acc2be00d4ff83d06cbf8a5151a3b015ec66945c57003b2344225922ced760f5cbd184ac365f9075bc0

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    e6d87e6e393893554c605a1c3128e27a

    SHA1

    7fae97bd865615e18578ed677abfbc2d8d6ac67e

    SHA256

    331c51ce4f7590efcd9dd6d4cf0278442c1181407b7d07ef328cad5f4bb0eaf8

    SHA512

    825f499bed3ab2102cea9d636bf8e8c38490058eb8e33d350662d9c3bb0f983b7f1b013cc21a61942c1fbcdf0a676077b48b851f7cfc8217d7dbcf818634041b

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    b399c5baee9dbc860e1a220adaec4af0

    SHA1

    d774cd85ad67e9ce541285fa118ab353a4856a54

    SHA256

    d98102c6daf27273a254a8999bb7767f7844dcff4378d6281aa94480b88e6c4e

    SHA512

    468cde9529785232519e723f52e34dd52ce050aea91c653bb230f144813823740340174d09f5b7efdb1bbadbc51085ef1f3d03f964534070053d752b1b45c68c

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    1870e054ec63f30aea779145c3c1ceb8

    SHA1

    0e169bd3282f79adff211753d67e88f746dd6bf4

    SHA256

    a5d459194bda60e2847cb8e444cd14562e04bde61085606f8b2e743099b131f6

    SHA512

    c2ec943ec2fc2998bc86397412df1915da7463e2f335ce9d3c8bbb1ae786503e25af68719a314e5809d72b8772bbd904311285d8b80d9229cd388b9fa5475c6a

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    7dfdd6bce7a1ea76f07379a82d065cb7

    SHA1

    3f48c6bf2e8790a2103d344bbacb2bb8a8e62ecb

    SHA256

    039b2efed0186917f48aff704c850d95023e515891b76bc286671b1174e4f846

    SHA512

    4f4af4f4f7a53d45837b494117f2b202231ba38ff6b30e162f280394a9304fd53e89aec08b9d72e3427113d2c37a5543e31c7e8001bb2b0dfccaf711947f4e8a

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    39943e41a41778f5026c6e03020c3251

    SHA1

    f4a754012f33e7582b661b058a5d219723974af4

    SHA256

    3746029aff2168b55dab669964f4430cd1a4afd2d4cec5fdca715b1d11ac67c4

    SHA512

    ddb087b06c01f520c8ca383b2e38edf653750e2f7b29896c4d18fa7fa61f929ed50e70163b0a692f6393a803906c1c46775ab7e8c672a5aa569e6d2775db17ba

  • memory/316-162-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1580-116-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1580-112-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1636-127-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1680-184-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1992-172-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2020-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2020-109-0x0000000002490000-0x00000000024BE000-memory.dmp

    Filesize

    184KB

  • memory/2020-159-0x0000000002490000-0x00000000024BE000-memory.dmp

    Filesize

    184KB

  • memory/2020-110-0x0000000002490000-0x00000000024BE000-memory.dmp

    Filesize

    184KB

  • memory/2020-149-0x0000000002490000-0x00000000024BE000-memory.dmp

    Filesize

    184KB

  • memory/2020-175-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2020-135-0x0000000002490000-0x00000000024BE000-memory.dmp

    Filesize

    184KB

  • memory/2020-186-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2196-151-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2196-148-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2712-138-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB