Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/06/2024, 07:50

General

  • Target

    49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe

  • Size

    135KB

  • MD5

    49caa5edfc4e78f44f545d175ba9b5b0

  • SHA1

    ee61df54a4095b0b8c44541ce2409db8e69be51f

  • SHA256

    2d69a5b80c686a8297c15671404a80e39fe9c5d056d0a4e4cd717dbbb105c1c2

  • SHA512

    0b49b84199800d15eac0baeb754e91e01faaa27157843608555d8b7034159486052c658807217571a1e376631a281020e7d821511a47aefe99b0caa1a0fda34e

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVgt:UVqoCl/YgjxEufVU0TbTyDDalit

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5076
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4048
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4396
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4084
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1188
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4416 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3460

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Windows\Resources\Themes\explorer.exe

            Filesize

            135KB

            MD5

            afab835f7a48d1dbf9ff4d0119da01d6

            SHA1

            123c472e9b2c5ea771a19f0921886b374beed25c

            SHA256

            a1182a6478f68d65bb13c1f1aacf8f00f3fd5e3058cae888aa5ea7abe159fe6f

            SHA512

            941e0ea98c8ebb9e6a5afaf495ff91f19db020a5e7ac455a68808df3f2acc157ca1a337577bd2fad5bdfb16e939a54ac0269855ed9185028f1ad836f4e30f283

          • C:\Windows\Resources\spoolsv.exe

            Filesize

            135KB

            MD5

            cd801fa2355f9a3f96f128b20cd6b91e

            SHA1

            a82cdc0831a86dd9b200ebe76fec3e94ee70937e

            SHA256

            98ff8197093387fada74a7532bfb886a0cd1aef96580e4374e78a8959732e4dd

            SHA512

            03992fcbe332df93ed5f70ef56663e2541e0717e7b717f7e43a522e2fbdf7806c0ee9b7eec52eeace403c1606b4cec5baa94453ceb83b2bd452dccb5880f8376

          • C:\Windows\Resources\svchost.exe

            Filesize

            135KB

            MD5

            a49ada2a8fef5db138bfd09f2750d909

            SHA1

            6f9d3ceee88250148c29d1cf350b824591b85b27

            SHA256

            67339aeb0256fd48f851d459047661bf2f4324fe3ba06a18d32b82b080a2194e

            SHA512

            79fb5b28200359709dd80c655bd4dbb52ac1c73509966e60421dabc3c447917e5afba22df5fdf6ca5f3181da39c72775a13d61b9b4c9edcc990358e6ed8fab35

          • memory/1188-29-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

          • memory/1188-33-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

          • memory/4396-34-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

          • memory/5076-0-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

          • memory/5076-35-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB
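Hunting logic for the process tree and the dropped-file hashes above, as an added example; it is not part of the sandbox report or of the sample. The chain the report shows is the sample in Temp launching a copy of itself as explorer.exe from C:\Windows\Resources\Themes, which launches spoolsv.exe and svchost.exe from C:\Windows\Resources, each 135KB. None of those names ever legitimately executes from under C:\Windows\Resources, so the check below flags any of the three names running outside its real directory and, separately, any image whose SHA256 matches the four hashes in this report. The events are constructed inline in Sysmon Event ID 1 style (the field names ProcessId, ParentProcessId, Image and SHA256 are assumptions for illustration); the PIDs, image paths and hashes of the malicious processes follow the report, while the parent of the submitted sample, the benign explorer.exe, svchost.exe and msedge.exe parents and their hashes are invented sample data.

```python
import ntpath

# SHA256 values taken from this report (the submitted sample and the three dropped files).
KNOWN_BAD_SHA256 = {
    "2d69a5b80c686a8297c15671404a80e39fe9c5d056d0a4e4cd717dbbb105c1c2",  # submitted sample
    "a1182a6478f68d65bb13c1f1aacf8f00f3fd5e3058cae888aa5ea7abe159fe6f",  # Resources\Themes\explorer.exe
    "98ff8197093387fada74a7532bfb886a0cd1aef96580e4374e78a8959732e4dd",  # Resources\spoolsv.exe
    "67339aeb0256fd48f851d459047661bf2f4324fe3ba06a18d32b82b080a2194e",  # Resources\svchost.exe
}

# Directories these binaries legitimately execute from on Windows 10 x64 (lower-case).
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def normalize(path):
    """Lower-case a Windows path and strip the NT object-manager prefix (\\??\\ or \\\\?\\)
    that the sandbox shows on the dropped binaries, so case or the prefix cannot defeat a match."""
    p = path.strip().lower()
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    return p


def classify(event):
    """Return the findings for one process-creation event (an empty list means clean)."""
    findings = []
    image = normalize(event["Image"])
    name, directory = ntpath.basename(image), ntpath.dirname(image)
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        findings.append(f"masquerade: {name} launched from {directory}")
    if event.get("SHA256", "").lower() in KNOWN_BAD_SHA256:
        findings.append(f"known-bad sha256 on {image}")
    return findings


def hunt(events):
    """Map ProcessId -> findings for every event that produced at least one finding."""
    return {e["ProcessId"]: f for e in events if (f := classify(e))}


def ancestry(events, pid):
    """Follow ParentProcessId links from pid upward; returns PIDs from the child to the
    last ancestor present in the events (stops at an unknown parent or a cycle)."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ParentProcessId"]
    return chain


# Constructed events mirroring the report's process tree plus three benign processes.
# PIDs 2200, 2100, 612 and 1300 and the "0"/"1"/"2" hashes are invented placeholders.
SAMPLE_EVENTS = [
    {"ProcessId": 2200, "ParentProcessId": 2100, "SHA256": "0" * 64,
     "Image": r"C:\Windows\explorer.exe"},                                 # benign desktop shell
    {"ProcessId": 5076, "ParentProcessId": 2200,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe",
     "SHA256": "2d69a5b80c686a8297c15671404a80e39fe9c5d056d0a4e4cd717dbbb105c1c2"},
    {"ProcessId": 4048, "ParentProcessId": 5076, "Image": r"\??\c:\windows\resources\themes\explorer.exe",
     "SHA256": "a1182a6478f68d65bb13c1f1aacf8f00f3fd5e3058cae888aa5ea7abe159fe6f"},
    {"ProcessId": 4396, "ParentProcessId": 4048, "Image": r"\??\c:\windows\resources\spoolsv.exe",
     "SHA256": "98ff8197093387fada74a7532bfb886a0cd1aef96580e4374e78a8959732e4dd"},
    {"ProcessId": 4084, "ParentProcessId": 4396, "Image": r"\??\c:\windows\resources\svchost.exe",
     "SHA256": "67339aeb0256fd48f851d459047661bf2f4324fe3ba06a18d32b82b080a2194e"},
    {"ProcessId": 1188, "ParentProcessId": 4084, "Image": r"\??\c:\windows\resources\spoolsv.exe",
     "SHA256": "98ff8197093387fada74a7532bfb886a0cd1aef96580e4374e78a8959732e4dd"},
    {"ProcessId": 900, "ParentProcessId": 612, "SHA256": "1" * 64,
     "Image": r"C:\Windows\System32\svchost.exe"},                         # benign service host
    {"ProcessId": 3460, "ParentProcessId": 1300, "SHA256": "2" * 64,
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},  # benign Edge utility
]


if __name__ == "__main__":
    for pid, findings in hunt(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(findings), "| ancestry:", ancestry(SAMPLE_EVENTS, pid))
```

The hash set only matches these exact builds; the directory rule is the durable one, since a rebuilt sample would still have to drop its copies under C:\Windows\Resources to keep this persistence chain. The report also flags a Run key and a change to Explorer's hidden/system file visibility, but it does not list the value names, so those checks are not reproduced here.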