Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    05/06/2024, 08:38

General

  • Target

    4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe

  • Size

    274KB

  • MD5

    4bf917aabe6d5488411defae0ebf28e0

  • SHA1

    4d3f53805b46e3fea83c924264e733c41d0e75f9

  • SHA256

    8a9ea014b45c6b85e465de1f6120932700031f03bf9a45504220839dfa4534e2

  • SHA512

    f924be78cf218f4aa2a3fa95e1c2f4e47e61f420eaf2b87cbd5037314aa36e1e0824c1e468b99d9ffd42ccd1913aa04d1e8bec93b2827cc71a50551ed9450163

  • SSDEEP

    6144:FvEN2U+T6i5LirrllHy4HUcMQY66bThVcHs:lENN+T5xYrllrU7QY68Thp

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4000
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4880
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4124
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1188
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2828
          • C:\Windows\SysWOW64\at.exe
            at 08:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:4404
            • C:\Windows\SysWOW64\at.exe
              at 08:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1836
              • C:\Windows\SysWOW64\at.exe
                at 08:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:316
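The tree above shows two things a detection engineer would want to match: copies of the sample named after Windows binaries (explorer.exe, spoolsv.exe, svchost.exe) running from c:\windows\system instead of the directories Windows installs them in, and the `at` scheduler being invoked three times to relaunch the fake svchost.exe every day at 08:41, 08:42 and 08:43. The following is an added example, not part of the sandbox report: it runs that logic over process-creation records constructed from the tree (Sysmon Event ID 1 field names ProcessId, Image and CommandLine are assumed) plus one benign control record. The EXPECTED_DIRS table is an assumption about a default 64-bit Windows 10 layout and should be adjusted for other builds.

```python
"""Flag masquerading system binaries and at.exe persistence jobs in
process-creation records. Example code; not from the sandbox report."""
import ntpath
import re
from dataclasses import dataclass

# Assumption: default 64-bit Windows 10 install. Directories from which
# each impersonated binary is legitimately launched.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

# at.exe switches relevant to scheduling (see `at /?`).
AT_SWITCH = re.compile(r"^/(interactive|every|next)(?::(.*))?$", re.I)


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def normalize(path: str) -> str:
    """Strip quotes and the NT object-manager prefix (\\??\\), canonicalise, lowercase."""
    path = path.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    return ntpath.normpath(path).lower()


def masquerade_reason(image: str):
    """Return why `image` impersonates a Windows binary, or None if it is fine."""
    norm = normalize(image)
    name = ntpath.basename(norm)
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return None
    directory = ntpath.dirname(norm)
    if directory in expected:
        return None
    return f"{name} running from {directory}, expected one of {sorted(expected)}"


def parse_at_command(cmdline: str):
    """Parse `at HH:MM [/interactive] [/every:days|/next:days] command`.
    Returns None for invocations that do not create a job (e.g. `at` alone)."""
    tokens = cmdline.split()
    if not tokens or ntpath.basename(tokens[0].strip('"').lower()) not in ("at", "at.exe"):
        return None
    if len(tokens) < 2 or not re.fullmatch(r"\d{1,2}:\d{2}", tokens[1]):
        return None
    job = {"time": tokens[1], "interactive": False, "every": [], "next": [], "command": ""}
    rest = []
    for tok in tokens[2:]:
        m = AT_SWITCH.match(tok)
        if m and not rest:  # switches precede the command to run
            key, val = m.group(1).lower(), m.group(2)
            if key == "interactive":
                job["interactive"] = True
            else:
                job[key] = [d for d in (val or "").split(",") if d]
        else:
            rest.append(tok)
    job["command"] = " ".join(rest)
    return job


def analyze(events):
    """Run both rules over a list of process-creation records."""
    findings = []
    for ev in events:
        pid = ev["ProcessId"]
        reason = masquerade_reason(ev["Image"])
        if reason:
            findings.append(Finding(pid, "system_binary_masquerade", reason))
        if ntpath.basename(normalize(ev["Image"])) == "at.exe":
            job = parse_at_command(ev["CommandLine"])
            if job and job["command"]:
                target = job["command"].split()[0]
                sched = "every " + ",".join(job["every"]) if job["every"] else "once"
                detail = f"at.exe job at {job['time']} ({sched}) runs {target}"
                why = masquerade_reason(target)
                rule = "at_job_masquerading_target" if why else "at_job_created"
                findings.append(Finding(pid, rule, detail + (f"; {why}" if why else "")))
    return findings


AT_CMD = r"at {t} /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"
SAMPLE_EVENTS = [  # constructed from the process tree above, plus one benign control
    {"ProcessId": 4000, "Image": r"C:\Users\Admin\AppData\Local\Temp\4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe"'},
    {"ProcessId": 4880, "Image": r"\??\c:\windows\system\explorer.exe", "CommandLine": r"c:\windows\system\explorer.exe"},
    {"ProcessId": 4124, "Image": r"\??\c:\windows\system\spoolsv.exe", "CommandLine": r"c:\windows\system\spoolsv.exe SE"},
    {"ProcessId": 1188, "Image": r"\??\c:\windows\system\svchost.exe", "CommandLine": r"c:\windows\system\svchost.exe"},
    {"ProcessId": 2828, "Image": r"\??\c:\windows\system\spoolsv.exe", "CommandLine": r"c:\windows\system\spoolsv.exe PR"},
    {"ProcessId": 4404, "Image": r"C:\Windows\SysWOW64\at.exe", "CommandLine": AT_CMD.format(t="08:41")},
    {"ProcessId": 1836, "Image": r"C:\Windows\SysWOW64\at.exe", "CommandLine": AT_CMD.format(t="08:42")},
    {"ProcessId": 316, "Image": r"C:\Windows\SysWOW64\at.exe", "CommandLine": AT_CMD.format(t="08:43")},
    {"ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"PID {f.pid}: {f.rule}: {f.detail}")
```

The benign System32 svchost.exe record produces no finding, which is the check that matters before deploying a rule like this: the masquerade rule keys on the directory, not the name, so the real service host is never flagged. The at.exe rule is worth keeping even without a masquerading target, since `at` has been deprecated in favour of schtasks for years and any job creation through it is unusual on a Windows 10 host.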

        Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Roaming\mrsys.exe

                Filesize

                274KB

                MD5

                3b2e2d4d3cc83c6378f7dcfcc250f0d6

                SHA1

                aa1fae2e981180cd6d9854d93c253bf84a8faa8d

                SHA256

                d5e75f857d2d58a17d1a335e9da7897e991eeb4741d9f7da2fe1bda5370816ff

                SHA512

                4c4306c5109628770f65c04e465a8c1c97937d474e85bae66f52245806654c6999d0ab28488b62ad9af9626cabeae1ddc73102272cd2b70c91e5c85713452efc

              • \??\c:\windows\system\explorer.exe

                Filesize

                274KB

                MD5

                6a61c5bf3bc5d1550e4306dca41599e3

                SHA1

                e710453410400b65394353ac55331253688996ea

                SHA256

                796dea69738805f044f972a1da669de2eaa7927e64e824d925c40650fbec1db6

                SHA512

                80c6fc9523625beeeebfd9ae5d080786fd4e6089a20202d76ba46cb30b6a65fc9e8c5ffb42a9b687531b45bdf989931dd33f60d096870a7fe5b40778e74676bc

              • \??\c:\windows\system\spoolsv.exe

                Filesize

                274KB

                MD5

                e979ce3855ca8fd4ee1f4d387ae37724

                SHA1

                761bd21ef34b9bbf4153c742cc6bb303ddafc619

                SHA256

                33ec019ba4b7f079fb534f312f1611c381f649ade8e11f772ca47f9ed9b8bd58

                SHA512

                33114ea6a09a344e8f4d4495776f263547d0175ca94a1aad9e798c6be7a1e8d64f2cec8f48aed2cab97c9d9ca7eaf8e7dca2381b0c069338956d756a34a78646

              • \??\c:\windows\system\svchost.exe

                Filesize

                274KB

                MD5

                1e9fb5aa013d32ffbc346e4604ae7bcb

                SHA1

                3957e97770f61559ed7f693fbc22616a2e6e8047

                SHA256

                0e7121044837ac6ffe4e88093fb7d769150a951c6b6dfc53f5ad3b22ed974b71

                SHA512

                5b7f5b8c0399c8c99cffc6c7aef514545b94351a1f0fdd6cb72d0628d6c729b767e2062b384d57fa5157badac8ee2f28f69be6ed151ab0e4e28b0f43d8d3c8d3