Analysis

  • max time kernel
    154s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/06/2024, 01:03

General

  • Target

    189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe

  • Size

    135KB

  • MD5

    189bb10a9d08aec81b7dad43fb017370

  • SHA1

    fc1a2a99fa80b621a87d86915e2352a0c690e30c

  • SHA256

    83a9cf4bc1e1744b3c2bf95577d27932a90befcbc046057797d176047dd34b36

  • SHA512

    86824ecb259d3a06606d5acbf78d42399a08994fdb78cb9293bc13c817d62376166a1b416494902e9328a5b21e07c9a47712ed41da24e7af5a1eab2cc820288c

  • SSDEEP

    1536:XfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbgy+0xI:XVqoCl/YgjxEufVU0TbTyDDalm2I

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2184
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2672
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3640
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4084
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3364
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3752

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\Resources\Themes\explorer.exe

            Filesize

            135KB

            MD5

            4a4d227abd2c2a2c9af3d142fab9f682

            SHA1

            54854d21261cb570dc06bcfb470e3114a9c3da95

            SHA256

            437ab718b194fb70676f02016ab72edcb3f782d89e2a8a9fc4abc8c27112aed6

            SHA512

            ee96bcf2077f20ff9e251999f1b0e73b90ad0e298806346dbd6a9a442a120b631db4be0780e53d0bc10a3f02009bf47451c3c9561733bfe6d6ae64593932bc11

          • C:\Windows\Resources\spoolsv.exe

            Filesize

            135KB

            MD5

            c656eb4c127146c51d0184c488714b5b

            SHA1

            db2f25fb002fde9c94a80004979d59296cd86522

            SHA256

            3f71c53bbb3dea8a5220b7eeba9ad04812cf142e7379c47a3ccbe2d77118a8e8

            SHA512

            57384ffa5bbe21da72622378c624eefc1f6c8fde69b4706d9da07d81c7197bad3ee4ccd1e0b414597d92f3f3aee3b5d7718e3c6ecea90dae1ca665a8155ee72d

          • C:\Windows\Resources\svchost.exe

            Filesize

            135KB

            MD5

            f717112ad1b8f699797d64d301fd8f99

            SHA1

            5f1b281d66f0ff3c76d14218c10773e6e0e3ce6a

            SHA256

            8f6f5078e0e7fe9178cc767db2eb83fde0e71e56774f19c0aeb1b0143b38b540

            SHA512

            a3a5e1c2d16f8be7559a4ffb52ba9176330979e02e2ad04a483184d6432787b32667b6a0f9cf9fc7c6f5ffbbb558ffa4b48841b5b30c40ed595fbe449fd7a227

          • memory/2184-0-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

          • memory/2184-34-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

          • memory/3364-32-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

          • memory/3640-33-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB