Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240426-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    03-06-2024 03:55

General

  • Target

    9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe

  • Size

    9.2MB

  • MD5

    9ab8a20efc529edc4e7c786c2278ee30

  • SHA1

    62de9b763ae491de0dfb1e67dd9cc3514e3bc727

  • SHA256

    968f8af87654c5613001ae3ffaccfcd9f03842e451090374ccd30a886a405226

  • SHA512

    026069d680a40619c61db9a92754042b924ad2b273bc5a1ca0961160bbda88ec09e79cb73b0b2a6cfc13f3ea98ebd2c6c57e8321c75bff075f8d226c53db9bff

  • SSDEEP

    98304:3+k7QDw+PcYq5LnYvacmm1xAWewWAWUlWJwSb099Pi8bh9x/NvBaudEGst+g2lfW:uktBlNChWX8bp/Bq6YAOjLcTB8kc

Score
10/10

Malware Config

Signatures

  • UAC bypass (3 TTPs, 3 IoCs)
  • Downloads MZ/PE file
  • Executes dropped EXE (2 IoCs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)
  • System policy modification (1 TTP, 3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4216
    • C:\ProgramData\rr.exe
      C:\ProgramData\rr.exe -y x -pFASJKLVFDAJKLCDSA434JKLFDS "C:\ProgramData\playtomenu.jpg" "C:\ProgramData\"
      2⤵
      • Executes dropped EXE
      PID:2212
    • C:\ProgramData\playtomenu.exe
      C:\ProgramData\playtomenu.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:720
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c delself.cmd
      2⤵
      PID:1896
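The tree above shows a staged unpack in three steps: the sample drops rr.exe (572KB) and a password-protected archive named playtomenu.jpg (1.7MB) into C:\ProgramData, extracts playtomenu.exe (4.1MB) from it with the password passed on the command line, runs the result, and finally launches delself.cmd through cmd.exe to remove itself. The triage helper below is an added example, not part of the sandbox report: it feeds constructed process-creation events that mirror this tree through three rules, one per step. Its parse_extract routine assumes rr.exe takes the rar/7z-style `x -p<password> <archive> <dest>` switch syntax that its command line resembles; the report does not identify the tool, so that is an assumption, as are the rule names and the directory lists.

```python
"""Triage helper for the process tree in this report.

Added example, not part of the sandbox output. The events below are constructed to
mirror the tree above (pid, parent pid, image path, command line) and the rules flag
what the tree shows: a dropped archiver run with an inline password against a file
carrying an image extension, dropped executables launched from C:\\ProgramData, and a
batch script run through cmd.exe /c by a process staged in a user-writable directory.
"""
import re
from pathlib import PureWindowsPath

# Constructed events mirroring the report's process tree. ppid 0 = sandbox launcher.
EVENTS = [
    {"pid": 4216, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe"'},
    {"pid": 2212, "ppid": 4216, "image": r"C:\ProgramData\rr.exe",
     "cmdline": r'C:\ProgramData\rr.exe -y x -pFASJKLVFDAJKLCDSA434JKLFDS "C:\ProgramData\playtomenu.jpg" "C:\ProgramData\"'},
    {"pid": 720, "ppid": 4216, "image": r"C:\ProgramData\playtomenu.exe",
     "cmdline": r"C:\ProgramData\playtomenu.exe"},
    {"pid": 1896, "ppid": 4216, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c delself.cmd"},
]

# Legitimate software rarely runs executables from these; droppers stage there (assumed list).
RUN_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")
# The same plus %TEMP%, used only to judge the parent of a cmd.exe /c <script> launch.
STAGING_DIRS = RUN_DIRS + ("\\appdata\\local\\temp\\",)
ARCHIVE_EXTS = {".rar", ".zip", ".7z", ".cab", ".tar", ".gz", ".xz"}


def split_cmdline(cmdline):
    """Windows-style split: double-quoted tokens stay whole, quotes are stripped."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_extract(cmdline):
    """Recognise `<tool> [switches] x|e ... -p<pwd> <archive> [<dest>]`.

    This is the switch style of the rar/7z command-line family; the report does not
    name the tool behind rr.exe, so treating it as such is an assumption. Returns None
    unless an extract command with an inline password is present.
    """
    toks = split_cmdline(cmdline)[1:]  # drop the image path itself
    cmd_idx = next((i for i, t in enumerate(toks) if t in ("x", "e")), None)
    pwd = next((t[2:] for t in toks if t.startswith("-p") and len(t) > 2), None)
    if cmd_idx is None or pwd is None:
        return None
    positional = [t for t in toks[cmd_idx + 1:] if not t.startswith("-")]
    if not positional:
        return None
    archive = positional[0]
    return {
        "password": pwd,
        "archive": archive,
        "dest": positional[1] if len(positional) > 1 else None,
        # extension says "image", switches say "archive": the disguise seen in the tree
        "disguised": PureWindowsPath(archive).suffix.lower() not in ARCHIVE_EXTS,
    }


def triage(events):
    """Return (rule, pid, detail) findings in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        if image.startswith(RUN_DIRS):
            findings.append(("dropped_exe_run", e["pid"], e["image"]))
        extract = parse_extract(e["cmdline"])
        if extract and extract["disguised"]:
            findings.append(("password_protected_disguised_archive", e["pid"], extract))
        script = re.search(r"/c\s+(\S*\.(?:cmd|bat))\b", e["cmdline"], re.IGNORECASE)
        if (PureWindowsPath(image).name == "cmd.exe" and script and parent
                and any(d in parent["image"].lower() for d in STAGING_DIRS)):
            findings.append(("batch_from_staged_parent", e["pid"], script.group(1)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:40} pid={pid} {detail}")
```

Run against the constructed events this yields four findings: rr.exe and playtomenu.exe executing from C:\ProgramData, the password-protected extraction of a .jpg-named archive, and the delself.cmd launch from a parent staged in %TEMP%. The password recovered from the command line is also what an analyst needs to open C:\ProgramData\playtomenu.jpg offline with a stock extractor; the hashes listed under Downloads for playtomenu.exe are the values to compare the extracted file against.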

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\playtomenu.exe

      Filesize

      4.1MB

      MD5

      684fdaae316e5f59baa6f69f5bc2526a

      SHA1

      958061cff425622da5bf931f7ffdd22a1f784763

      SHA256

      17f875b64eedb6ed608cca84e3d9804c947e7200c294b3ff5f91568e35a0d2e8

      SHA512

      7eca3352b7d4195c3f793db86ad9a98cdcbd2aff55e94cc1dccc754a8e84bf2eb9d13e991c672d08a162dbc01f9a9d7bcb873f1446147e77dbbdcecafcbd51c1

    • C:\ProgramData\playtomenu.jpg

      Filesize

      1.7MB

      MD5

      c2348c7e8ac7e2812f7967c126918b90

      SHA1

      626bb46101ccf131d6981f338cd4b4edcf76ca31

      SHA256

      40eeb9683bfd6ce4bf7e3bd836ff9beb2838a6afbd1ab9a149d9ec9c5f5d9a8f

      SHA512

      74270cda47170f3f92fc1688c3fbc2c8f6ecc1b2b2c45016f00e56989d0f256eab6b354fea253e2045b56952ef665805ab51611d54a53e3bd61ac8d558eede11

    • C:\ProgramData\rr.exe

      Filesize

      572KB

      MD5

      f2ae502d448cfb81a5f40a9368d99b1a

      SHA1

      f849be86e9e7ced0acd51a68f92992b8090d08a5

      SHA256

      07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56

      SHA512

      9f3aea471684e22bf9fc045ca0e47a8429fa0b13c188f9c7a51937efa8afcec976761b0c4c95aed7735096fcc2278bbd86b0ab581261a6aff6c694d7bb65e9be

    • C:\Users\Admin\AppData\Local\Temp\delself.cmd

      Filesize

      107B

      MD5

      cf766626a5051d9485061fa254b45c76

      SHA1

      7b854c5e4ce890e7b403056bee9ac2dc017b076f

      SHA256

      a45dc47c56a943836dc828d40a14fb136cbc7883fd92da7f183c0b7ac06139d7

      SHA512

      ddee1ecb11819d76dd1bd263493ab954988b5e7e082607eb66086c0651817a1acfb99b7016a31db4094da55b6a40d3860808bfd47edb5bbca97295b899414547