Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    05/06/2024, 07:48

General

  • Target

    49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe

  • Size

    206KB

  • MD5

    49a987fc6b3f7f5d1e9db05f3e2a4250

  • SHA1

    0dfc6804f1db3dbd390c3689adbc0eac6c96e006

  • SHA256

    50a33c105b3addbd2444dfa2c176ac686bc41bc92e1a2e3866bab1c262088033

  • SHA512

    52ef5f4c787cd12e55e87e189971632a48d1113736b44dd459fa0f855aeb92edde0e74102babad06b4ff3f84f495a69de94273242dbfdd21482b76d54434a470

  • SSDEEP

    3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unLp:5vEN2U+T6i5LirrllHy4HUcMQY6Kp

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2764
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2900
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2580
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2780
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2472
          • C:\Windows\SysWOW64\at.exe
            at 07:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2440
            • C:\Windows\SysWOW64\at.exe
              at 07:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2248
              • C:\Windows\SysWOW64\at.exe
                at 07:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:2756

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\mrsys.exe

                Filesize

                206KB

                MD5

                394026253fa41da68c233311533ea0c1

                SHA1

                d651655df113c890b67a2bbdc46a2c99ac4c2547

                SHA256

                7af9a8712364e9c6a5122ebfdf8701a3bc2702cf1b1701c70877ec0a6ee5408c

                SHA512

                5a142958e35e432957ec4d58d0d0e49c6a315a3941649032849c09a60b95f86ed1e2be2e919c472797fdd5ae8bdf61034b345d9e79c79e4b6755c2c9559d7e12

              • C:\Windows\system\explorer.exe

                Filesize

                206KB

                MD5

                35e307c702778cf7819474ba144c9cbf

                SHA1

                2a6be08ea511314c3c305baefbaf7569248c2027

                SHA256

                7aa19c41289678d1f9d1b843c0aca5b82e320fbd62072b1a325962fb192867f7

                SHA512

                312965bac4539424bef997cc9183a970da66991c4edbc86efa2cb5433cda822050ca3c594eaf4d9cd3a21f6ea5d3d47fad3616eeb425b839edaeaaf16339fdd6

              • C:\Windows\system\svchost.exe

                Filesize

                206KB

                MD5

                6dd3ca693b77832059aaadada64ce94a

                SHA1

                89346e4f99c6f54a0e11abd6f9c0c7cb23352946

                SHA256

                db6124d6b76e07aea7b5d6540807087582fc7041b710c80a7eae8d224c5d642b

                SHA512

                a2f2e96b06bcdacc13fe7c21c2595a1e5cdfe4a1036bc21d769e0da63efa3155169acd2ba90966227f8a71ccc9567d699b775e70b2b5211159c3ddbe73e9ad89

              • \Windows\system\spoolsv.exe

                Filesize

                206KB

                MD5

                63c906f7b2d0835fcab8c9fb30c0bfca

                SHA1

                c1b7dd8c74cb5bd1aeea5f8b3e8ce1d06d0e22ef

                SHA256

                c1ff9d66c7e5070a6a3bdd7ad8bf077b435667e629aae2b785a7baa7f4f23013

                SHA512

                56afc52f9d9463d66ae10b84ce908fb8033b28b06e00bf0c1d61ac9768a7c54ba4535af8ba110112661360c230291ca617320e367b4249999f7447f02c69fdb2

              • memory/2472-52-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

              • memory/2580-31-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

              • memory/2580-55-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

              • memory/2764-0-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

              • memory/2764-14-0x00000000025C0000-0x0000000002600000-memory.dmp

                Filesize

                256KB

              • memory/2764-13-0x00000000025C0000-0x0000000002600000-memory.dmp

                Filesize

                256KB

              • memory/2764-56-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB