Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 19:26

General

  • Target

    4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe

  • Size

    5.7MB

  • MD5

    4de8076561c810fa155b9c8754d71780

  • SHA1

    7f29d44366a762952fe3a190d701b3344ab9328c

  • SHA256

    18825efdfdac5f2523c0a2624e002299dacfaa2faabd3c5e0f491d49ee3e4e63

  • SHA512

    4f60462cb3f2fc7a17e0c6d9fe84f4134c390a9acf7ca0e5443fb82d70df758fc9afba68a4b3ec48d3ff76884cd5ca65b92794df4e28870c02d81c228592fef1

  • SSDEEP

    98304:rMDtIXLr06AdfEThF35PzuifwiBzE1gZpueVpdrdNXiy7BZ3KPR0PBGW7ubQkGjK:NrmEdF3no11qppVppbiylZaPR+BCMK

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\zbe202463192627402.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Windows\SysWOW64\schtasks.exe
        Schtasks.EXE /delete /tn "Maintenance" /f
        3⤵
          PID:2700
        • C:\Windows\SysWOW64\schtasks.exe
          Schtasks.EXE /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx202463192627402.xml"
          3⤵
          • Creates scheduled task(s)
          PID:2572
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zb202463192627402.bat" "
        2⤵
        • Deletes itself
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\SysWOW64\chcp.com
          chcp 1251
          3⤵
            PID:2640
          • C:\Users\Admin\AppData\Local\Temp\4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe
            "C:\Users\Admin\AppData\Local\Temp\4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            PID:2576
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 3 /nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:2812

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\zb202463192627402.bat

        Filesize

        688B

        MD5

        bbac5d6b1746afc65c363881b89845a7

        SHA1

        374d987d2bc96ca3f415c5b8eb131a3216626aa7

        SHA256

        89feaaa8f203e41905a2cab10f47c26ce67a943999d489df0959c6da4e38dd32

        SHA512

        d73197bbb64380afacb035fdf4c9636c30f8656411ca2f65482404654bb51a99ee9002e53de810b2c57894c0f7acf7094b6a54ea40907e099b12379e84c9d974

      • C:\Users\Admin\AppData\Local\Temp\zbe202463192627402.bat

        Filesize

        199B

        MD5

        05f085a568e0b53b6a482f7b953d1e9b

        SHA1

        cd0f04e48fbe473ba31b1e5793b78c997a775652

        SHA256

        415164b9013d30231030a80d8e2f9cab310d2ea2408accd32614cc3245202fb7

        SHA512

        60f5a00bbd74d9b4383c98b7514c9cf7bf8d00feb51571af6ab9533164e5fff861362b491f56fd68dc1a26ab037d4bec7710a41f6d0add4fd2615257fbb8bade

      • C:\Users\Admin\AppData\Local\Temp\ze202463192627402.tmp

        Filesize

        5.7MB

        MD5

        6cfbde390717f6aafadb84d4f644fc84

        SHA1

        428cc8e16e7920c34bb7ad296674737fd58916b3

        SHA256

        83f471e1c7f6c16da15e896aa181380ec849014c370042c028cea2b1b401d329

        SHA512

        6302b5cf9b5b9c8654431ed5d7a9b71b37adb63ff659c5a05d4ea2b58566d59b06ff5a7b3c47ffbddd568c0b76adb698a78de68fe64c2c7a06719ba2c13dfcc5

      • C:\Users\Admin\AppData\Local\Temp\zx202463192627402.xml

        Filesize

        1KB

        MD5

        9f9b3932bf6f25db20b9f5144c22c1a8

        SHA1

        fc0c9956b4effa3d0374493558144ca583e67651

        SHA256

        c8e9414cc95d2420c797059a1ec9761e596cda0a8b1924fefa2a758e2940386e

        SHA512

        ac3d3f5e00ed13c668f2c82210ec3585fcc1f4223be6e6ad4d5d1c9a56e1c3e4205601f57cd5dcf9812a238e214d7e9f55be6ac112b41153a71295b5985bcf1a

      • memory/2576-28-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/2576-30-0x0000000000240000-0x0000000000263000-memory.dmp

        Filesize

        140KB

      • memory/2576-29-0x0000000000240000-0x0000000000263000-memory.dmp

        Filesize

        140KB

      • memory/2576-44-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/2576-46-0x0000000000240000-0x0000000000263000-memory.dmp

        Filesize

        140KB

      • memory/2576-47-0x0000000000240000-0x0000000000263000-memory.dmp

        Filesize

        140KB

      • memory/2644-23-0x00000000002B0000-0x00000000002D3000-memory.dmp

        Filesize

        140KB