Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/06/2024, 08:41

General

  • Target

    4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    4c29fc38a6eee0f6c67258f461f836d0

  • SHA1

    b44c07905f8c4c1eae72d1cff537e7109a3d9d4a

  • SHA256

    2b9a353e41202823310c0124a1b88dcc6ac43ddb57b4a1e8760a1106fc6040e2

  • SHA512

    f11e9f412e1051aa10d1d85de17055be55bd5524627db87e659e2afa28ccac6a8bad8f92e2fdc87bdb7cbf6596f9d25920b4e761c2ea6bfde89a83730e97fc62

  • SSDEEP

    1536:zAwEmBZ04faWmtN4nic+6GfyAwEmBZ04faWmtN4nic+6Gm:zGms4Eton0qGms4Eton0m

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1924
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2564
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2732
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2128
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1836
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:852
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2640
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2036

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\services.exe

          Filesize

          91KB

          MD5

          4c29fc38a6eee0f6c67258f461f836d0

          SHA1

          b44c07905f8c4c1eae72d1cff537e7109a3d9d4a

          SHA256

          2b9a353e41202823310c0124a1b88dcc6ac43ddb57b4a1e8760a1106fc6040e2

          SHA512

          f11e9f412e1051aa10d1d85de17055be55bd5524627db87e659e2afa28ccac6a8bad8f92e2fdc87bdb7cbf6596f9d25920b4e761c2ea6bfde89a83730e97fc62

        • C:\Windows\xk.exe

          Filesize

          91KB

          MD5

          19b336ac9178da89fb93f0f4005b697d

          SHA1

          63c431f193db51d2867bce1eee8f676839f3775e

          SHA256

          bfd1c641121400ecda676aa77ccc6572a73b0897c586ff2d9d831821d966135f

          SHA512

          b8b77eb5efaddbdcd02294a92f37aa683d8b8b79e51ffec4d77061af5952fbc76c93167cd13a23dd057160750313ca438d5a7ad91e381917090090b4892f725e

        • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

          Filesize

          91KB

          MD5

          1d02e3637866311acf1fdefbd2412a20

          SHA1

          b798b7d34271164fedaf3b1d0a7298a9d364a084

          SHA256

          c26e08ea745def52f25c4a6769ceb7cf1b6234bd2b6f5b0c398861afaa703e74

          SHA512

          6f6a63f4d096959b92b1a144384070cca32cc75911a93836020896e27bb109c384737e863086ae0378d79cf89af649947dd0b15943c3a4a8c4036e8d4e2d8a67

        • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

          Filesize

          91KB

          MD5

          e0dee34adc8b62d2f12377fd495167cf

          SHA1

          081e988738614e32070c53ed764131a1906f4223

          SHA256

          ecd4f387e893db0edf6d88eaadf8d93c9721dc8b1c7e26acb610c8f6f171430d

          SHA512

          54a9e302080f5e1fa3452e67b88302b4581db98e25b4f7cb51e393d9b4a273815b3568bb740c3c68fad548d0adddc572321468116cf9d9b6f919d59ca33186cd

        • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

          Filesize

          91KB

          MD5

          6bcc03d40d9d5f514641e9abe45fcd14

          SHA1

          2e5f0f53cf2a333e3478a39d2a081105fec7b439

          SHA256

          6da5a5365ae0b8039a1d7017a170214f64a834c6b97fb11815cefae2abb3e18f

          SHA512

          02c4ab1d5a026987ae0688941b23e0f309df9ef16f7de6f8c1f611688d4841b85a4eb5d6055c172600d74a5495dcb69206075f50f947845265748c0ab69a213a

        • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

          Filesize

          91KB

          MD5

          9242ba80c1f2c8fdf082fb263f00c630

          SHA1

          e70aa91472011696bd2c29dbac43867f068bd32c

          SHA256

          4e3a17300c2c0d0db0df16d18c1b26bf06dda61e8593361b1352839f4f4cb95e

          SHA512

          963dda546cb42cd9d08a041490ca4586d98c9b778735dd45ae651bc0e6b2533996d4a06cd4b2bf523046f8f3774b1117ffd35938713b29e889215b1b93ed9970

        • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

          Filesize

          91KB

          MD5

          ee8bb2b5b4e4dac456b711ed892d2157

          SHA1

          5051afd2eabc2d7b5a3f2382d49c783609495d56

          SHA256

          eb2b5b888c298c0ec6630dbf5c337cec93f66cd1da27994437e8615a0501ed7d

          SHA512

          ebc1625d368c362a5735212509f9b343368777aff9277e0d2454074df2ea9dbffe6e264ef6aa0bc321af9d88ea90aa538fdf7389897f8bf7d735ab729972aaa3

        • \Windows\SysWOW64\IExplorer.exe

          Filesize

          91KB

          MD5

          d023bda5fa084bca4a97bd2ec16e3676

          SHA1

          72a32217d022415c239d96ec81efb5ed22494542

          SHA256

          ea882d99197b5c98a63aac44cac19d3c3cfa8ab198828b210be44826a994a3e0

          SHA512

          b2b7e28678238c233f741ba097cdca210b8ef46e75dffe36b0111f678ab31e067b2b5774607f7a120b6b749f7da629d42931a0660387c72f0624b5cd4c54d797

        • memory/852-160-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/852-162-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1836-146-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1836-149-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1924-0-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1924-121-0x0000000000820000-0x000000000084E000-memory.dmp

          Filesize

          184KB

        • memory/1924-135-0x0000000000820000-0x000000000084E000-memory.dmp

          Filesize

          184KB

        • memory/1924-105-0x0000000000820000-0x000000000084E000-memory.dmp

          Filesize

          184KB

        • memory/1924-158-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1924-186-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2036-184-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2036-183-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2128-140-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2128-136-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2564-113-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2564-110-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2640-175-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2732-125-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2732-122-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB