Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 03:47

General

  • Target

    9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe

  • Size

    135KB

  • MD5

    9a7d8dffbf9c972fe412e27df603d550

  • SHA1

    234f06d42bcf2542e82479dc432c157e5699b44e

  • SHA256

    fe9e0b6dc44da1531a24b7868c24a970788ccd393d4882227bc8d156aa0625ef

  • SHA512

    b21bc87a2dc822ecdfff6b2bb063e90562fbab3c4e50d8b0c8595ddc101d2e72569dc2b1c7717c38a4414670286598da83683c64463e7206d419033baaa13654

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVVE3jT:UVqoCl/YgjxEufVU0TbTyDDal/EzT

Score
10/10

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2652
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:228
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:116
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3292
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3528

Network

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    c216c7d60686343eff64c8ab263bbe6f

    SHA1

    77a374e509955f18c369556fb79fd6051e8fe757

    SHA256

    db93b3756895313684b6ccf2b6b5244c16a33a9b9868afc4d67bd92b4ae121da

    SHA512

    7fdf2c65ea5798c796a51c470073165820f219a76c84d2eecc406e7a6fb0e7cba4370692709f7f3c32920aa19f5b8a0da1d7f1d24ef2ea2e668987fad971ec65

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    253ba7287bc811d8fc5c517af07279eb

    SHA1

    295e9bcd97d0282e12be925217afffa091b81b00

    SHA256

    d455bdbfba1f131f2cc23e623a99dc4eeb97e4dd1f82832e6eb03cbfa5bf0fb9

    SHA512

    afffc75b5ac418067794108ec0649161d91b97d50b11731b5733ead9da1cccdaf865011c289c8cde8107760cc2323c55189ba0ab6aec48ed1581b23de709ce68

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    69e680a7a0d6503694afd21ba509c439

    SHA1

    1a138348baeface0216d5a1129173a464809781f

    SHA256

    7937e4871cfb738ab322478e19f491316b1b7a7467afa8867e107951c3be605a

    SHA512

    3e4e99cf0920e48faeb59cb664c2009128b5d6682d1388d96157ad908bfc54a6f04c984acb25af6b0d92a3e32ab6ace4830f44231e1152ae9d691979fa8bc9bd

  • memory/116-17-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/116-33-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2652-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2652-35-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3528-34-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB