Analysis

  • max time kernel
    150s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    03-06-2024 04:35

General

  • Target

    9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe

  • Size

    225KB

  • MD5

    9bc28921c5022333a8e52ccc0d2a67a0

  • SHA1

    8912d6db5bdb5046336455781a4e728500bbe5eb

  • SHA256

    6af574f761ae76b680b0da61cc945b33b0bf4bbcfd635814ca8393b4c3961685

  • SHA512

    80287c96344e2cacd262b15fb2b5a8304bba3c603aaa7a8e0c579490f9651d92cef6a1d93b8f012ae342fc4adbf48ac071b3581cd9a474da340f35397817cbaf

  • SSDEEP

    3072:8vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u8vMSR6:8vEN2U+T6i5LirrllHy4HUcMQY6vMSE

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3228
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3540
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1772
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1248
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3096
          • C:\Windows\SysWOW64\at.exe
            at 04:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:1648
          • C:\Windows\SysWOW64\at.exe
            at 04:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:1636
          • C:\Windows\SysWOW64\at.exe
            at 04:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:2044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe
    Filesize: 225KB
    MD5: 434aaac15dc66f4d4e1acee41fdcf6ec
    SHA1: 54fd78ab2cd3303130f9472f5c718de2d6f1871a
    SHA256: 807dc521a73d072381d2fee2e57db1f6865757b034fec368a95b70c5b45b1f44
    SHA512: 41aa7150036e75105160186e26eb9e2b05ab3116bb13694308e870f821d7b03d05880c094561b091b86c260eaeae0e9fd64986e68c462984e02bc184966126fd

  • C:\Windows\System\explorer.exe
    Filesize: 225KB
    MD5: 9a48d6dd39617df18421a7434438976e
    SHA1: eee60f0fb34bb68081254e3777cc531714a2c330
    SHA256: 377439310d1d1a2bf60c4c35037a0148d128c25d0e619db125280abfa4a8b1f1
    SHA512: c2e18e6435c22c044514bb392e8ac30e32c3c0abcc5c798f035e16ab9f216c17df6f359c1f2c3c913ee1df67a7a88d4219caf751ef133c00c7b01d4ccf3b9c0b

  • C:\Windows\System\spoolsv.exe
    Filesize: 225KB
    MD5: 4e65992b5adb30d1226904d1815011a3
    SHA1: 46d2956cd357edaa32da5182a2ef068763c08dc1
    SHA256: edbad86fedb6100deda43713b786d4b1229129d2746fc785625fac36d1a06ac3
    SHA512: 34258e6ad6968653df685461e859c10474ee91155d73b503cd6ad7cb468e38588c90654abd6d264df15a6a26be8bd4683b3e691884bdc8164f9b2026ec4c90ad

  • C:\Windows\System\svchost.exe
    Filesize: 225KB
    MD5: 47b9ef87ce54cd1091b6d45ff38a52be
    SHA1: 2afcb870fd6b0be7b98987d8d50a353c5bed606d
    SHA256: dc728947644e2ba38b2d17611b2ea961a27e85b0636c9723d782e36fdc3f5f20
    SHA512: a6d2c44e1f4801970968eb8a39dd60e9d8cad5852cfb80b23c76e20d5279c4c23b79eeaf85f918ecfd2ea64ce94de3ca400f5046bda49c0396d7c7be9877391e

  • memory/1248-40-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB

  • memory/1772-36-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB

  • memory/3096-29-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB

  • memory/3096-33-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB

  • memory/3228-0-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB

  • memory/3228-37-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB

  • memory/3540-39-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize: 212KB