Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    05/06/2024, 08:38

General

  • Target

    4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe

  • Size

    274KB

  • MD5

    4bf917aabe6d5488411defae0ebf28e0

  • SHA1

    4d3f53805b46e3fea83c924264e733c41d0e75f9

  • SHA256

    8a9ea014b45c6b85e465de1f6120932700031f03bf9a45504220839dfa4534e2

  • SHA512

    f924be78cf218f4aa2a3fa95e1c2f4e47e61f420eaf2b87cbd5037314aa36e1e0824c1e468b99d9ffd42ccd1913aa04d1e8bec93b2827cc71a50551ed9450163

  • SSDEEP

    6144:FvEN2U+T6i5LirrllHy4HUcMQY66bThVcHs:lENN+T5xYrllrU7QY68Thp

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1444
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2012
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2368
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2744
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2628
          • C:\Windows\SysWOW64\at.exe
            at 08:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2728
            • C:\Windows\SysWOW64\at.exe
              at 08:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:788
              • C:\Windows\SysWOW64\at.exe
                at 08:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1344

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\mrsys.exe

                Filesize

                274KB

                MD5

                6fef04bfc0cc13d80580888f6f8363e7

                SHA1

                b9eec361f75511b0e3a1f5fc09c5a59cd92f72da

                SHA256

                0590c57d25710788c7ea0910831a3db491ca6081f2118442c8a370570e1245ca

                SHA512

                0d279586a93c77ca3128c450ee3c3c4abe466d560dde2f1800d183edf67ff103c067f1dba3518ad594982f5ef5e977fae9898c3234f1fac29d81fb2c4e4e3ab0

              • \Windows\system\explorer.exe

                Filesize

                274KB

                MD5

                8ed4f75c228b76f1313834336b3e227f

                SHA1

                421e15b0c14acfa550958d5f9ee34ca721b8308e

                SHA256

                0d643afcf8c40876fd92bc23b666f5e58d374eb463dab0f3045bd06c0ed94ac3

                SHA512

                923c45bd42550ad0223d1e3e5a9c41107343a1f5951ef487afaf68c82a0ade78185f82263ecf408950c6ff17d6f21aa4ea7cd4515fe822eef6c578aa5f8c5a34

              • \Windows\system\spoolsv.exe

                Filesize

                274KB

                MD5

                80a08836e231d64984aae7ad966434c1

                SHA1

                d7fd181fd458a7da87fbfc7923db470524ffa103

                SHA256

                ad0cf9275af08d5d6284fd68289181d16e3d99318754ee1b57568e891714b2a0

                SHA512

                a9927d41e169ccb073493fb88e53026d14f96b45dd1dfa37ac384c14364bdcb1eb16dd78f8fdfabc47210389a0cac9db265e8309fbeb4385420c4b2df65dfb84

              • \Windows\system\svchost.exe

                Filesize

                274KB

                MD5

                b707a3fe1588a6a0ccc1ed11786a9963

                SHA1

                d6d7a8c2fc0cbbb3cd343c2a3c7a26b0ab0cec75

                SHA256

                c38bafdec96b9ee33b788218ee13e92c14f1d03ce38978b32a5b8a6bc225e85e

                SHA512

                47a95980c16ae2f6c3efbf688cd78e19c86441420668a120d287c4d6272533407de7c3f2248d50ef9cf89340ac21628400e8f76ce9e9a6ee890beffbe2108303