Analysis

  • max time kernel
    91s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2024 03:50

General

  • Target

    8c60f460950b78393884830f30990350_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    8c60f460950b78393884830f30990350

  • SHA1

    fb34db6b9fcf426c49bc3e4abbd699a161f00632

  • SHA256

    baeb79c0e0111a0ea27f4dfe6e387ef4e5816d14c6f30cded0b027d7504bcc48

  • SHA512

    ea935bb7383d430ecdaff3383c41c3b2c11e57808b745477978fdec211cfc3e31f2672d2dd5b384850ab4c499643caf8633fb7be59d96f4963e65d2efa03c097

  • SSDEEP

    1536:kRsjd3GR2Dxy387Lnouy8VT/Rsjd3GR2Dxy387Lnouy8VTb:kOgUXoutN/OgUXoutNb

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3772
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4904
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4600
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1564
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4340
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1760
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3280
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3792

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    35a6611fbb46759efc8c2397cea9483f

    SHA1

    73c2b5944c5c9d62f4bde1356e6aa26b7bf2533e

    SHA256

    c92740592752e0c21d489b74b178afe461eeb51a8759f145b14b57b63d405862

    SHA512

    df9596d281402e6cda60babc839a1d5e8c3d034593b2e616391caaeb67ba5084ce4662fd62992f52ef29a5ec8445f73fcbdec991480def8cbc341e4086d6e8bb

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    c9e31a1354576b9c47ccfe6e077106dd

    SHA1

    2f4ffa6fcf1ec3b9900fcbeb73372d5f6a5a1f79

    SHA256

    8d2c43dd1e3c97818531b3ec4b6862eac2f32985a4a079c460f3108d270f8ce9

    SHA512

    3471e2983f623d7092deb898767a316dd9bbff2f5a31f70db7a29345eb6f8267cbb3c0a6d78de28105caffe782194aeba43bbc95d0602a62b295b665d003c9be

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    78649cb018d807f6d854b221fc3eb144

    SHA1

    920eca0ee66e6e41c63e2d16176c440fdf0abb99

    SHA256

    598d82492503173077e85d8f54e7a43c82122119ea69282f06cd0aaf99946d78

    SHA512

    be7ae94f1cee6acc70446dc082e36a520d78f9eeb92b776af26101e735e2dd890b047190a3a0e2a9e1a6d7094c04bb7c17df50780c5888a5a9b8226c92d11429

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    3b0aebe993e45323a8ccb46ef331a9d2

    SHA1

    72072d718153ea07775a1a70518887c2c02b6834

    SHA256

    29f03b6d203139b31598e7f01abf5d8212e2ce3fc08728a8dd1e7debd97ac1a8

    SHA512

    4a352f82b9c41f03ab939a645a7bf1e4b1f631d61e916de63cf7a02d0ad0626d0a0e3d7f6b5c718f2093e2bc6ea96609357b8cae85d9b331240f2e7f37f26ec3

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    8c60f460950b78393884830f30990350

    SHA1

    fb34db6b9fcf426c49bc3e4abbd699a161f00632

    SHA256

    baeb79c0e0111a0ea27f4dfe6e387ef4e5816d14c6f30cded0b027d7504bcc48

    SHA512

    ea935bb7383d430ecdaff3383c41c3b2c11e57808b745477978fdec211cfc3e31f2672d2dd5b384850ab4c499643caf8633fb7be59d96f4963e65d2efa03c097

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    28fa284569f6dba1259ddf772a34c2a1

    SHA1

    7c0fcd5c5812f6af17b6229d0fd247066cc1110f

    SHA256

    0482ca2aaf55182bbe1fd84ca4b9ad1723dcd4445e196c70527bf0fd5757ce4d

    SHA512

    54b2ceb9a4e77632499d20624c20abf551081dd7dd949c90436333a1f12a6b795a432b288de99f7229c31f6c746a64d27080d7fee261134e853667ca70e141aa

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    cd1fc4bce681e6f73ad5d77f0889b86f

    SHA1

    c653d18b24c21b5d499b36181ec1bcac0c845a50

    SHA256

    b3a5d3924c5ec07ec56927093f05383dc066e8061d726b00a339abc8f66e8ed7

    SHA512

    0666d6986bd4ddae0b0af69ae539dfe1ddf617386eee4c85f2b42a1542e4a4764d25bb77df17355f15d2bed3ad6f9f081b10790de82636cf3638b7c517ad3a11

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    3726d2a54962bf005f43583dfe07d7e3

    SHA1

    432725f549f2032a4ee8190a58500d18d27cc5ba

    SHA256

    9de156c671ec5588ba9287834a7437326fe890343931c3a8b993c267cfbb1cb6

    SHA512

    262d0cc9065ba265acea7909ca44462aca562dce606e4755308713e14f7412d97a80fa83c0d5da2a0e9067631def8a2d71cd55211e12cb8933a7a69648efefa1

  • memory/1564-126-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1760-138-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1760-140-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3280-147-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3772-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3772-156-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3792-154-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4340-133-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4600-119-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4600-115-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4904-114-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB