Overview

overview

10

Static

static

7

a097fe52bb...cs.exe

windows7-x64

10

a097fe52bb...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/06/2024, 10:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a097fe52bb82e6fdf906a8b0fb3f3080_NeikiAnalytics.exe

  • Size

    315KB

  • MD5

    a097fe52bb82e6fdf906a8b0fb3f3080

  • SHA1

    af85160aaaedc83995d3977bcc497506d247051d

  • SHA256

    3753e867225346a32e12b052fe1300a2bdbe3fb9e1f693f2eca340bce5cb2b0b

  • SHA512

    acc26bbfa93794e7c360d5722be6fe1e9075faf7b06514e6ef5f82f0ac19ffa27c96f2e1a38fca8326d1f19aa74ad46a7eb7726175f3bcef426ee3b76412221a

  • SSDEEP

    3072:7sgCullUQN7gsBh1LLQikygCullUQN7gsBh1L1P:7LleK771Q/RleK7715

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a097fe52bb82e6fdf906a8b0fb3f3080_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a097fe52bb82e6fdf906a8b0fb3f3080_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3600
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4708
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2092
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4192
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4760

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          315KB

          MD5

          1cf82aed378b3430044f6f35cc4188ee

          SHA1

          c491158c901ca52518e62af7dfde2f74d49d7b08

          SHA256

          eab74cd2decb0004f6af7ccb68a5de53af33198ed0fd74d87f0e61f86240479f

          SHA512

          228c9602723996e0f5c2c9f60ef14390017a9af9ee9f297e887f5b7b3fdb85251429f807fa34cb2e464f85c4b34bdf0e26973712da8bb435122420be543b5f66

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          314KB

          MD5

          cdba7fc1e0a5b655382035945ae4b1f6

          SHA1

          b5256656bd39b3778e58aa26f65ad0f5d97973be

          SHA256

          9fa7e4618b7652474159b3a385ab6397fd840a145034d463b262ad8804b7a5e9

          SHA512

          eb098858e1fba31e5299e5a18d68ee399301e1270f1c23f0133bd0cf688006b87e979726ad1523bb0194ebcf81813c3e5e5500619bb2a4fcf1bb3f0adb965a67

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          314KB

          MD5

          7ba0e75f8becab89c033cbd19b72b21c

          SHA1

          08b07583a1cfe2415e33fc09e737073e46b54581

          SHA256

          da96bd94690ae3cc1447bd55faa01e445e3b4a4a79491618526d3531241f4d82

          SHA512

          6b71a5f1ab81c24e7b4441e22e2dd17a780417a16330e98af8d45fc54242ea2988ab8240a4a43d239d2913fe4b94f8a0a012051cee78c98c0436a1b7888f1fb3

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          315KB

          MD5

          4ca95f8c40fca102f640aeb05fce8a7e

          SHA1

          c6fc4dbd68a5a8f6cad07ad645769838655cdc1e

          SHA256

          79918403c2c70fcc63c3bb5da6741a3eb2bffa9762c86c13af022a10cad97615

          SHA512

          38417a8f059a6c9fa731d948df2c2513fb0078ceaf5db3f0a9a1298b00ffe50574c97acd23bf952e821afee79119a97889c145369673183c312d7d8c844e3e22

          Download Submit

        • memory/2092-36-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3600-0-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3600-37-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4192-40-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4708-9-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4708-39-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4760-33-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

          Download