Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    02/06/2024, 01:02

General

  • Target

    1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe

  • Size

    71KB

  • MD5

    1880a56c2c4c6b49744019f909c24090

  • SHA1

    301682d45a7253697d0522830a7c24bdd1c07973

  • SHA256

    210928547fea895545d44f56da985c6257c30fd5f520aee3a86cd15e31ab1885

  • SHA512

    4f86f08058195f6b08c7b5a99bb58170e2586ce8c778726f7d0b820c15315152445009480f6378379e3e94aa497f97941ff2ca2eaba7028c35303d963454e33b

  • SSDEEP

    768:EXKeT2Si83nLt8tkGX8uxOHgRrW5YLKG9Y/HrSNm0kmG7xMsVAnc3yy85SBiLFMv:EFrmh0HgB3LKrL9AcnQFMc9zwR6i+BO

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5108
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2124
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:60
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4992
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3568
          • C:\Windows\SysWOW64\at.exe
            at 01:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:2084
          • C:\Windows\SysWOW64\at.exe
            at 01:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:4852
          • C:\Windows\SysWOW64\at.exe
            at 01:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:3676

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe

    Filesize

    71KB

    MD5

    fff9e1d054a021d383386ef496e27b32

    SHA1

    94154adea58441fd2789ca7d94bd8bb7633fcc7b

    SHA256

    a31a90537c1a3f810a0dce7215209b0362664db3156fba7af0d3de66e5ab79ee

    SHA512

    ab31c91cc811e6010174e8cdb514cf9f414252b090eeafbc2cac2deed531b5e89ece45b6c986dbc6e944a1ea2f473f1304821cb90c77a70019647c173e588a91

  • C:\Windows\System\explorer.exe

    Filesize

    71KB

    MD5

    d716849f5e9087e33bd31ef6ebafe0d9

    SHA1

    e33070988c9ffb9f9d9e071b10f31cd2497457d1

    SHA256

    f1de4fade9e097605db961f2c36c0f444ef4942e4c143582dfdb9d8668f6060d

    SHA512

    15b5ab20f33a684bff897e77bfd5f421d5f488a972df7fee21ff74761785e83a00bd2ee60af114f61bc025318e8f4878f1dff8d36b6e7cc6c1c9f06d1d51b1de

  • C:\Windows\System\spoolsv.exe

    Filesize

    71KB

    MD5

    9dfadb7cb7065c94b2dda8982268c693

    SHA1

    b3540bd25e62dc7038ef0dc418c410177f442372

    SHA256

    e69f47bb55f435d5742109e74c04a7f5604d112e3cca6ea2828544e38a963d4a

    SHA512

    0d3a171fe9ed2e73e6b8c88d8e5ae89b1b4431050b5b02c004cfa460a34f71653d5343b3af9613e3db9c60cf81198231b8a018083fbd0f046be1a3d118ed8918

  • C:\Windows\System\svchost.exe

    Filesize

    71KB

    MD5

    bc3c1875468d894f650dbc73a8097209

    SHA1

    72cb20e4eb577dc526e01c054c3a628cf538bc3a

    SHA256

    f36b7da620f76cea04867bdbcf47729b76e2e7254d574e81ed7d016a7a59555a

    SHA512

    59dd2b5b27037756ae4cc3369fe65978659064ac000022fe37b7c4be05d660b039fbea5cbe137c9bf523b4db6721d31ce25e2bb7c3b3e4d04249510d207e774b

  • memory/60-17-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/60-38-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2124-42-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2124-52-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/3568-34-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/4992-43-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/5108-0-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/5108-40-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB