Analysis

  • max time kernel
    134s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2024 03:23

General

  • Target

    8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    8bac2c0dcd2fd87ef8d9170fe4effe70

  • SHA1

    4d098d2fdc60db19967630aaf09515204845da0d

  • SHA256

    0a1a2517d5253902840ae21d0e5c77e72fa4138590e84a8e966561a9475f9253

  • SHA512

    044545507c87c6aea0c95a041d339b44e07f9585b8ef7acc2be00d4ff83d06cbf8a5151a3b015ec66945c57003b2344225922ced760f5cbd184ac365f9075bc0

  • SSDEEP

    1536:zAwEmBZ04faWmtN4nic+6GXAwEmBZ04faWmtN4nic+6GU:zGms4Eton0XGms4Eton0U

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3364
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2572
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3788
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4572
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4608
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4584
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1108
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3592
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3824 /prefetch:8
    1⤵
      PID:3680

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

      Filesize

      91KB

      MD5

      0b5378171b2a225add0d702d3aadaab2

      SHA1

      970da2aa746de2a2fd0bac1bf480f9ca7b23ca19

      SHA256

      b325f30a5b1b08f694209db99510704354386bd9124f710eb34ea324ce17a731

      SHA512

      c4616e892885623cd1b71110fa46079bef059927f3e87da62edba396eda846417ead11efb105eebecf021f9d046219ae34f374a0ac3f23c66f719d2482817701

    • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

      Filesize

      91KB

      MD5

      44583a0560a8c7d539dc1049f1a130c2

      SHA1

      8560852907f057ffa9bebf27cfe54bfc3b7ba681

      SHA256

      66843d8a6cbd1f8bf8678ab3fc689e14fc09eadfa7155f8befd4905e2c017f93

      SHA512

      27ba132a0f6cb75ac0e52d23f9826acd462d97dca2b2ba89a6db689702effd28415c25d01d93b6753b52772e6a780deeade76a5f3b76bf7a1f65199080f73255

    • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

      Filesize

      91KB

      MD5

      79e2536f9dc1232353f251295143ddb8

      SHA1

      42abd897a93412c3d5ecdea39c298147b2d48a64

      SHA256

      5b7b8c57e79ed02da036a4dee79e88dc08a46be26fc2849f207d0f3e2f60a0ce

      SHA512

      d8dcc1663c1bc85ee296439cdc8f7fc36fb9a1ceadcfa95e62868b16aaa78e78d438859ae538ee4bdecd090b82b65a719d02c2a60e6bedaa99e65eb879e7d1e9

    • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

      Filesize

      91KB

      MD5

      91a872fafc75900161d07e587b6f60b0

      SHA1

      66b37d0dfb78718355f933fb32e994a9c4b1f926

      SHA256

      9d7ca36502faab4ee942134470bf8a64ec78c4fde168f0e5121117e53f8e1811

      SHA512

      b3b790bb872bf612e17ee6c49306e127872c11aef39666e4bc397845b3dafea69c5b1249c5587b58189116a7ff9ad309a38bdc75dc334461a60fbfc359eccb21

    • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

      Filesize

      91KB

      MD5

      3a21b1d27361db3d9b97d95fd468c2b5

      SHA1

      3387aefaef302faf5889220a8fdcd97c78c8d28a

      SHA256

      520d2ba063d872d2f5e84466ebaab221ca61e05b88a96dcf129db401af4f2f72

      SHA512

      cd30e24d194a8fa06fa650dcd1713a1b0bab1f1b19761a9308df7bb1955543e878e45e230ab0764c1b742ca9df6986779044553cc4fe9bee1c4b67ccfb28b127

    • C:\Users\Admin\AppData\Local\winlogon.exe

      Filesize

      91KB

      MD5

      8bac2c0dcd2fd87ef8d9170fe4effe70

      SHA1

      4d098d2fdc60db19967630aaf09515204845da0d

      SHA256

      0a1a2517d5253902840ae21d0e5c77e72fa4138590e84a8e966561a9475f9253

      SHA512

      044545507c87c6aea0c95a041d339b44e07f9585b8ef7acc2be00d4ff83d06cbf8a5151a3b015ec66945c57003b2344225922ced760f5cbd184ac365f9075bc0

    • C:\Windows\SysWOW64\IExplorer.exe

      Filesize

      91KB

      MD5

      67efda232f165ae6805486405bf5a2c7

      SHA1

      b7ae66c6d7cdb6599156f8862a6749f8ddbe0a8f

      SHA256

      4a9421bd8eb84cfd7219f909878b47033d9f39a4bffa4c9045293e1d851b0ff0

      SHA512

      47a225db769e73b6f0fd87fc4000691bcba50b4349e0e165e2cfb4be43d9e705f5bd3f5042344595a4d5283f024b77b048a0e991c1a02d46341ff4fbc537368f

    • C:\Windows\xk.exe

      Filesize

      91KB

      MD5

      a4b61e12d8eaaa0dc79aad9a5c5d0504

      SHA1

      dc1b004b7ec2dddf51c3f0bd1fe44a3fbc687967

      SHA256

      4246740ad6db95ca684c22862bfc3025be5b3c20e757e95b81ec0ef77d334f3b

      SHA512

      6df1207b9254b891842309ac91fd362d7182a16414dc9193ce3e5b143a6fffe1bdf09dad0581a6662900403e4064ab19f7096faae7033f9d848b1bf07eaecbf8

    • memory/1108-144-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/1108-140-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/2572-110-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/3364-0-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/3364-154-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/3592-152-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/3592-148-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/3788-116-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/4572-122-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/4584-136-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/4584-133-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/4608-129-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB