Overview

overview

10

Static

static

3

1bff664f93...cs.exe

windows7-x64

10

1bff664f93...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/06/2024, 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1bff664f930564db077ebf93e31385e0_NeikiAnalytics.exe

  • Size

    206KB

  • MD5

    1bff664f930564db077ebf93e31385e0

  • SHA1

    9825754d11b7d941809073b884a19d05361cefc2

  • SHA256

    6eeacb1dbd789ab0783e72844750852223704cbba2c3bc2aa8217d5809e0f4f6

  • SHA512

    1dca77bcc3359df1a93913b0d1676276d27e2ef36335f839b464ffca5d7c98400b63ba844207e5630dc2915ace2ac977ca91dff4858d403a53755eefe7c12a76

  • SSDEEP

    3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unLi:5vEN2U+T6i5LirrllHy4HUcMQY6Ki

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bff664f930564db077ebf93e31385e0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1bff664f930564db077ebf93e31385e0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4520
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2432
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2136
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4496
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1704
          • C:\Windows\SysWOW64\at.exe
            at 01:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2616
            • C:\Windows\SysWOW64\at.exe
              at 01:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:3836
              • C:\Windows\SysWOW64\at.exe
                at 01:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:824

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          207KB

          MD5

          a0ba4701918d8bd649b22304d29261b1

          SHA1

          657133071d4e0649a7c514d3f5608907464d50a4

          SHA256

          4b770b71fadce3ca69f81fb44d04efb81d70a8731d18c8a1982134553c2f2307

          SHA512

          c450be39b2cfa1a2a93c0127e9c1c874a3c7c01acfff471733e9827a43a5f0dc4118a6feeeee2387daf09870c1d7d1bdd79d1cb802bf0f89ed89fa4d7167f6ef

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          207KB

          MD5

          c5eb7e0d89b97c220620d98d38283652

          SHA1

          f413a0f5b4c188e8a8286da8ffa57752cdbcc236

          SHA256

          2d96d8a831538e01d89ac9eedd7182eb3381f703243414bcc18c120104b16b79

          SHA512

          27f34b71ea421f8a09918d11ce9e26603e9520779b267f453e3f6d26074de534d022e995947b179ebe060e133e7f666d2b383c90f53568a256e6d4b8ab8a1ec5

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          206KB

          MD5

          10f6bb014131befd42eed68bfeb5c9a3

          SHA1

          de714d3f6d63c34a83dc143ad64b674d29f9b40c

          SHA256

          3c17ce67905e7d5db87d09f0dc3aaa867334d889437ac54a8873040f1c91254b

          SHA512

          4ef7e2eb6bd367d8cdc2da5a4eeb6b121e1d0f91e5bae0b431872e33fc1915991f50d8851cdd4cc3add0a6d38f537eca9b28200a681e203f51426a5b7df1dfc2

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          206KB

          MD5

          07b109be6464a336134ca15de7702bf1

          SHA1

          b6752e614229d92e32ea107d7c186bf9fb67b342

          SHA256

          338c836c7d392c794fad4b17a0a2b608603be945dfc106b3d1cb9aa2cad6bcdb

          SHA512

          5ab720fcc478b17e80282590014d5b888691639c7b16ba11edadb723a746013b0e8b7ac0170db361b80ffc3535c737a5eb6f3626bb84661fd118271c3b7b361f

          Download Submit

        • memory/1704-34-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2136-35-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/4520-0-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/4520-36-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download