Analysis

  • max time kernel
    159s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 03:50

General

  • Target

    9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe

  • Size

    135KB

  • MD5

    9a90e30cd449584c79538ba4089ed5d0

  • SHA1

    3e87868e987c1e29655e101ee388dd3860a9d004

  • SHA256

    bd9aff70e3b930f399364299a2e997d7ca316e5240be024292d46ec92c8843af

  • SHA512

    85943ab0d8d880aead7d8891ba492f52284e7b31c8a2ce261ff744431b4f852f03ef595cc7283fa4499995709f180fa6666211a15361133bff2419669854b07a

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVqLI:UVqoCl/YgjxEufVU0TbTyDDaluI

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3080
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3812
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:800
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:488
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1856
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3972

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      135KB

      MD5

      f23d8e37439515064284d785eecd5c94

      SHA1

      73cef8c63c11346c3fefff4ecb64b6aa429cc06e

      SHA256

      8a1dcffb3b8aae0724109c519630d9f59a6c27fd568d15dd050b82b3084496d2

      SHA512

      5f7b10b01e5a2dca7d50e9266d47b5d7cf9fd35e94251d51fe5ca300cac233a7b1958d84d67474a6c2d6f02a0a7f8fa3d434dcdff87c2cbd817d53dde5c96554

    • C:\Windows\Resources\spoolsv.exe

      Filesize

      135KB

      MD5

      b03d84cd3319438f970a3087e08c748a

      SHA1

      02f36f5e0bbf867bde07773de6b3aa2b4734a5e6

      SHA256

      caec66a1733d7024c9d313a1c56da28099c2e82bc5db0c7539127a289720427d

      SHA512

      91eff2c672525fda2b09c8605d031347d1da90655d2bf6d2f11460476280d96c2c53d6d1f28b0f9c6befa39a5545ba5c48646ccc924cf9e0ed6d7e52c09e8aec

    • C:\Windows\Resources\svchost.exe

      Filesize

      135KB

      MD5

      5949ac8ba0f9482bd55ff0d2891d0550

      SHA1

      edef28b917a9b147cfcceff60e92452ce2017a67

      SHA256

      538f055799695f27b94294ddc6861eaa0ef91bba02896fc84b7ce1f33d8f8f7d

      SHA512

      d6b61fd5ba17258a935a14ff5b5ced64359a1c57269712e5f500d56b322cd439f1ccbbee897d7ca3e6cb3c6a2def46d0e42acc99b00f877c24a22a804c19323a

    • memory/800-33-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1856-32-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/3080-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/3080-34-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB