Analysis

  • max time kernel
    123s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/06/2024, 21:34

General

  • Target

    05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe

  • Size

    9.5MB

  • MD5

    05421a3a7d61ef0172dfebaced7ae130

  • SHA1

    2e770a098d720781e409379f118f26665b228312

  • SHA256

    478ce9d713b94900e8deef871499cac0bda4c7c75e31bae22186bed1a61dbc2b

  • SHA512

    34014d1b1688646392daf930c864bf3e4a45c974753a4cf1b0e29470402da3b9af8610789dd7add0358ea37420a96fdd47dc020684555a6d360a7e16549ebfa2

  • SSDEEP

    196608:gMmD2mDe2mDMmD2mDc2mDMmD2mDe2mDMmD2mDc2mDMmD2mD4c2mDMmD2mDe2mDMO:3

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2588
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Modifies registry key
      PID:2100
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2720
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2408
          • C:\Users\Admin\AppData\Local\Temp\avscan.exe
            C:\Users\Admin\AppData\Local\Temp\avscan.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2960
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\windows\W_X_C.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2260
            • C:\windows\hosts.exe
              C:\windows\hosts.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2940
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              6⤵
              • Adds policy Run key to start application
              PID:2748
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:1568
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:108
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:980
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:1172
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          PID:2764
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1188
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1752
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1268
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:2028
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2420
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        PID:2684
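The tree above repeats one pattern at every depth: a copy of the sample (avscan.exe, then hosts.exe) runs `cmd /c c:\windows\W_X_C.bat`, which starts `C:\windows\hosts.exe` and `WScript.exe C:\Windows\W_X_C.vbs`, while each copy also fires `REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f`. Deleting that key removes the Minimal and Network subkeys Windows needs to boot into Safe Mode, so a host that has run this cannot be cleaned from Safe Mode until the key is restored from a known-good system or backup. The following is an added detection example, not part of the sandbox report: it encodes the signatures listed above as rules over process-start and registry-write events and correlates parent and child to flag the .bat-to-exe relaunch. The events are constructed from the report's PIDs and command lines; the registry value paths (`Explorer\Advanced\HideFileExt`, `Explorer\Advanced\Hidden`, the `CurrentVersion\Run` and `Policies\Explorer\Run` keys) are an assumption about what the named signatures cover, since the report does not list the values written.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Event:
    kind: str          # "process" = process start, "registry" = value write
    pid: int
    ppid: int
    image: str         # full path of the acting process
    cmdline: str = ""  # process events only
    target: str = ""   # registry value path, registry events only


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe"
AVSCAN = r"C:\Users\Admin\AppData\Local\Temp\avscan.exe"
REG = r"C:\Windows\SysWOW64\REG.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"
ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Constructed events. PIDs, images and command lines follow the report's
# process tree; the registry targets are an assumption (the report names the
# behaviour, e.g. "Adds policy Run key", not the value written).
EVENTS: List[Event] = [
    Event("process", 2588, 1000, SAMPLE, '"' + SAMPLE + '"'),
    Event("registry", 2588, 1000, SAMPLE, target=ADV + r"\HideFileExt"),
    Event("registry", 2588, 1000, SAMPLE, target=ADV + r"\Hidden"),
    Event("registry", 2588, 1000, SAMPLE,
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\avscan"),
    Event("process", 2100, 2588, REG, r"REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f"),
    Event("process", 2708, 2588, AVSCAN, AVSCAN),
    Event("process", 2428, 2708, CMD, r"cmd /c c:\windows\W_X_C.bat"),
    Event("process", 2408, 2428, r"C:\windows\hosts.exe", r"C:\windows\hosts.exe"),
    Event("process", 2764, 2428, WSCRIPT, r'"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"'),
    Event("registry", 2764, 2428, WSCRIPT,
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hosts"),
]

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_safeboot_delete(e: Event) -> bool:
    # reg.exe deleting the SafeBoot control key (Safe Mode sabotage)
    return (e.kind == "process" and _basename(e.image) == "reg.exe"
            and re.search(r"\bdelete\b.*\\control\\safeboot\b", e.cmdline, re.I) is not None)


def rule_script_in_windows_dir(e: Event) -> bool:
    # cmd/wscript/cscript running a script dropped directly in C:\Windows
    return (e.kind == "process" and _basename(e.image) in SCRIPT_HOSTS
            and re.search(r'c:\\windows\\[^\\\s"]+\.(bat|cmd|vbs|js)\b', e.cmdline, re.I) is not None)


def rule_exe_in_windows_root(e: Event) -> bool:
    # an executable sitting in C:\Windows itself, not a subdirectory
    return e.kind == "process" and re.fullmatch(r"c:\\windows\\[^\\]+\.exe", e.image.lower()) is not None


def rule_explorer_visibility(e: Event) -> bool:
    # Explorer\Advanced values controlling extension / hidden-file display (assumed names)
    return (e.kind == "registry" and "\\explorer\\advanced\\" in e.target.lower()
            and _basename(e.target) in {"hidefileext", "hidden", "showsuperhidden"})


def rule_run_key(e: Event) -> bool:
    t = e.target.lower()
    return e.kind == "registry" and ("\\currentversion\\run\\" in t or "\\policies\\explorer\\run\\" in t)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("safeboot_delete", rule_safeboot_delete),
    ("script_in_windows_dir", rule_script_in_windows_dir),
    ("exe_in_windows_root", rule_exe_in_windows_root),
    ("explorer_visibility_tamper", rule_explorer_visibility),
    ("run_key_persistence", rule_run_key),
]


def chain_hits(events: List[Event]) -> List[Tuple[str, int]]:
    """Parent/child correlation: an exe in C:\\Windows started by cmd.exe running a .bat from there."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in events:
        if rule_exe_in_windows_root(e):
            parent = by_pid.get(e.ppid)
            if parent and _basename(parent.image) == "cmd.exe" and rule_script_in_windows_dir(parent):
                hits.append(("bat_relaunch_chain", e.pid))
    return hits


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    hits = [(name, e.pid) for e in events for name, fn in RULES if fn(e)]
    return hits + chain_hits(events)


def triage(events: List[Event]) -> Dict[str, Set[int]]:
    """Rule name -> PIDs that triggered it."""
    out: Dict[str, Set[int]] = {}
    for name, pid in detect(events):
        out.setdefault(name, set()).add(pid)
    return out


if __name__ == "__main__":
    for name, pids in sorted(triage(EVENTS).items()):
        print(f"{name:28s} pids={sorted(pids)}")
```

The single-event rules are cheap and noisy on their own (`cmd /c` on a .bat is common); the correlated `bat_relaunch_chain` and the `safeboot_delete` hit are the ones worth alerting on unconditionally. Feeding real Sysmon event ID 1 and 13 records in requires only mapping their fields onto `Event`.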

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    19.0MB

    MD5

    38bcb4ceeec1323df46204c4b745bf47

    SHA1

    db5eeab2cfa504d53c91bf2ef4f48c3babf1dee7

    SHA256

    28e0fee6b24dc983251a81032656ef9b13ccddd75d620c5651aab5602bb39cf4

    SHA512

    3672e7d08e92bc4da6f4a63b4ee972bc6e82d5e09cc28736123bba06ea73ec7288962226e70d777135aa708c338aa6b1b1b3ce10531227d9819954f366873d77

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    38.0MB

    MD5

    444dfcfd1e517e15d4241961b46f154b

    SHA1

    cb5981e858cce76342505d00c2fb42f5daa880bc

    SHA256

    953f3dc1c0c2701fdad1b9c747743640309aa433cd4587b1383aeacb396c8dcf

    SHA512

    14009b9872d615f436128033e9638be02d664284f8e8fcce4d81eb08ac73a8787d6629a29e5d4b9504b78fab0b52e2b8f6d30e45c65b3ef54b3ed075bee7e97e

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    56.9MB

    MD5

    9e7ab4f21c8f20d21bd502ba98662c7f

    SHA1

    750e5ccc30057c8988f696faa5a6dc08811b3d5a

    SHA256

    bbe036fe2ba43f2bc1cbd67b1ff58ed5b6eb7e9ce64e6c1f466980a29b6edb61

    SHA512

    371cb8f1b5b0c8c349fcfede26a0cee9d80f4cba81c912561553a3af8f099fb03587b32a6e40b2a3bdcc5619541a39de476bdbe0b23d8a3555773c45eda150a4

  • C:\Windows\W_X_C.vbs

    Filesize

    195B

    MD5

    953cf5c915c9c58501354c4826dea466

    SHA1

    2934232a159f5c3738212aa3ece4cdd45ba8cfe4

    SHA256

    bbdb3fb588b1aca990fbc6355f577bdd40c60e69d9951142da5e8dc84e0b33ed

    SHA512

    77472ee7f75bee37380d22c14e698b07240c0177b1b4850b72b5ee05136cf17ac3e391b26c6876bfed15049326cd0e2717d0f1de8c4fffba4cd83446218c3147

  • C:\Windows\hosts.exe

    Filesize

    9.5MB

    MD5

    7011ebab29a1d71a492d66506baa02bb

    SHA1

    c25577c58457e9ec0e852eea66fb59a474e48f24

    SHA256

    5b90d0d4f8e27e20c88558db68e9e1b72dbf2f68a076a171a3f7ef1577e480b3

    SHA512

    63cf6c94731382236b344fa40bc5951d62e91db24e976369dd7bc004ddee975a8ab19b9815093176c585e1ff8c2df57f53c0a337d336c46f4f5d52855426fba4

  • \??\c:\windows\W_X_C.bat

    Filesize

    336B

    MD5

    4db9f8b6175722b62ececeeeba1ce307

    SHA1

    3b3ba8414706e72a6fa19e884a97b87609e11e47

    SHA256

    d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

    SHA512

    1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

  • \Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    9.5MB

    MD5

    f8cebd0206b86cc7a431be05ae4f24c1

    SHA1

    c9338d5fda22d75645cb4d5c2c4db3f3d078ac97

    SHA256

    b62f8abff7b5004f872ba97cea7c145536ff3c710650f53d2b4e8bfbf5077ef3

    SHA512

    281607fe8a5a37eeabd345ce743e52070f5ad7ce4ea10464484e4592c00a450cab52603da30ad2d1db95c5c7cd9ca19539c1bd5394b5516c953dbeee64ac11cc

  • memory/2420-37-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2420-36-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2940-74-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2940-73-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB
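Two things in the table above matter when turning it into host IOCs: the same path `C:\Users\Admin\AppData\Local\Temp\Admin.bmp` appears three times with different hashes and growing sizes (19.0MB, 38.0MB, 56.9MB), and the three 9.5MB executables (the sample, avscan.exe, hosts.exe) all carry different hashes, so an exact-hash match will miss copies dropped on another host while a file-name match at a fixed path such as `C:\Windows\hosts.exe` or `C:\Windows\W_X_C.vbs` will not. The following sweep is an added example, not part of the report: it records the listed SHA256 values, hashes every file under a root directory, and buckets hits into exact-hash matches and files that only share an IOC name. The `demo()` function builds a constructed directory tree in a temp folder (the extra `dropped.bin` IOC with the SHA256 of an empty file is constructed for that self-test) so the block runs offline.

```python
import hashlib
import os
import sys
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Ioc:
    name: str    # file name as dropped
    sha256: str  # hex digest from the report


# Copied from the report (the sample's own SHA256 from General, the rest from Downloads).
REPORT_IOCS: List[Ioc] = [
    Ioc("05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe",
        "478ce9d713b94900e8deef871499cac0bda4c7c75e31bae22186bed1a61dbc2b"),
    Ioc("avscan.exe", "b62f8abff7b5004f872ba97cea7c145536ff3c710650f53d2b4e8bfbf5077ef3"),
    Ioc("hosts.exe", "5b90d0d4f8e27e20c88558db68e9e1b72dbf2f68a076a171a3f7ef1577e480b3"),
    Ioc("W_X_C.bat", "d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78"),
    Ioc("W_X_C.vbs", "bbdb3fb588b1aca990fbc6355f577bdd40c60e69d9951142da5e8dc84e0b33ed"),
]

# SHA256 of zero bytes; used only by demo() for a constructed hash-match IOC.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so 50MB+ drops do not land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, iocs: Iterable[Ioc] = REPORT_IOCS) -> Dict[str, List[str]]:
    """Walk `root` and bucket files: exact hash match, or an IOC file name with a
    different hash. On a live host scope `root` to C:\\Windows and %TEMP%."""
    iocs = list(iocs)
    by_hash = {i.sha256.lower() for i in iocs}
    by_name = {i.name.lower() for i in iocs}
    hits: Dict[str, List[str]] = {"hash_match": [], "name_only": []}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if sha256_file(path) in by_hash:
                hits["hash_match"].append(path)
            elif fn.lower() in by_name:
                hits["name_only"].append(path)
    return hits


def demo() -> Dict[str, List[str]]:
    """Constructed tree: one name-only hit, one hash hit, one clean file."""
    with tempfile.TemporaryDirectory() as root:
        win = os.path.join(root, "windows")
        os.makedirs(win)
        with open(os.path.join(win, "W_X_C.vbs"), "wb") as f:
            f.write(b"rem constructed, not the real dropper script")  # right name, other content
        open(os.path.join(win, "dropped.bin"), "wb").close()          # empty -> matches EMPTY_SHA256
        with open(os.path.join(win, "notepad.exe"), "wb") as f:
            f.write(b"x")                                             # neither
        res = sweep(root, REPORT_IOCS + [Ioc("dropped.bin", EMPTY_SHA256)])
        return {k: sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in v)
                for k, v in res.items()}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(sweep(target) if target else demo())
```

Treat a `name_only` hit at one of the report's fixed paths (`C:\Windows\hosts.exe`, `C:\Windows\W_X_C.bat`, `C:\Windows\W_X_C.vbs`) as a positive to investigate, not a false positive: the hashes in this report are per-drop, so a re-dropped copy is expected to differ.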