Overview

overview

10

Static

static

3

1d61cba784...cs.exe

windows7-x64

10

1d61cba784...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    06/06/2024, 21:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1d61cba7849ce44e167e4722f18a9620_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    1d61cba7849ce44e167e4722f18a9620

  • SHA1

    13f59780f8d9ba09c2d7881eb676b0f8b001cefa

  • SHA256

    17dde2c0b57cc387900901ab24748b470e4ac166024cee18b6d1921bbaf035dc

  • SHA512

    38175bd199fede529cce3b55ed2363eeb1f349d0cee80ff4c77c6d69740ea69fe8571b5c6c53cbe3916bcfe33f3fece5a25844795b081b27f3d21d84d1009456

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi1:IeklMMYJhqezw/pXzH9i1

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d61cba7849ce44e167e4722f18a9620_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1d61cba7849ce44e167e4722f18a9620_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1796
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2456
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2732
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2808
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2516
          • C:\Windows\SysWOW64\at.exe
            at 21:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1856
            • C:\Windows\SysWOW64\at.exe
              at 21:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1288
              • C:\Windows\SysWOW64\at.exe
                at 21:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1140

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\mrsys.exe
                Filesize

                66KB

                MD5

                16cf9f2257e829f75becd7877f06a685

                SHA1

                bedd483c8d1031d3c1d4ed1e9396d34f6caba1a2

                SHA256

                f8466896b4b6aaab6ca2a8a1ae2470ffb786ab09fad9552627798dd1115d0c18

                SHA512

                fe53b1736958330bd9b599a577b612d2ed02d2aa57790df80e6798a01242e5aaae2e34e728129af149c075a36530e9c36a79363429beb29895e1e760cd022bf0

                Download Submit

              • C:\Windows\system\spoolsv.exe
                Filesize

                66KB

                MD5

                e54ee6f352861303853091dbfeb63b27

                SHA1

                74753f58a53d31db52c0ee54225ddbd7c091f88d

                SHA256

                d1da85bd522b5b4ac96bc3fd004c2a72de31b3b1adf7d8ffb0f7af7c2bd9dd07

                SHA512

                1d59c73d21fe23d0128f5a9561bd2b8f1159ef39ad0d626701f7f1ec9559db563c76575f62a0bbcb6bec788da2f9867c72acb920b8325fa6bfe7a13a4703adaa

                Download Submit

              • \??\c:\windows\system\explorer.exe
                Filesize

                66KB

                MD5

                07267ffcbe88e4c68eca67e2cedc4e00

                SHA1

                d070893e8bf03b7fee4ea98f13b63c636fc194e9

                SHA256

                075d2fcd94683918af8fe7ff20de8cd694755dd28be2d76c0d803c8f1c7be4bf

                SHA512

                69a8e33d90062a2777092872217826ab45ff426aa5e15b3f4c928c90b6c61f46e662ab08929e2c3e12eac1f526824cd7f8095329246f27023c67f9a381b494d2

                Download Submit

              • \??\c:\windows\system\svchost.exe
                Filesize

                66KB

                MD5

                5e5c6afd305da42034cfc6e31c5bd92b

                SHA1

                3bc8e12b65da16b2ddc85c78faa748b2a016824e

                SHA256

                a3b023aca1cb8f5cf9fdf4dea195b21dabad4150406d0bea873a5fc58a90831f

                SHA512

                ef603cfa625a243e0ee67431bd805323a1581290aa6892a61074cff5f1a3d51012a02a793d899d1fd702e0e60416a2bac933e01b29ed393703354d89daf189d0

                Download Submit

              • memory/1796-4-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/1796-80-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1796-0-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1796-1-0x0000000000020000-0x0000000000024000-memory.dmp

                Filesize

                16KB

                Download

              • memory/1796-2-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1796-3-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1796-60-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/1796-81-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/1796-55-0x0000000000020000-0x0000000000024000-memory.dmp

                Filesize

                16KB

                Download

              • memory/1796-17-0x0000000001DF0000-0x0000000001E21000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2456-36-0x0000000002BB0000-0x0000000002BE1000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2456-18-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2456-93-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2456-83-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2456-67-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2456-23-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2456-19-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2456-20-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2516-74-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2516-68-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2732-78-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2732-38-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2732-42-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2732-37-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2808-54-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2808-56-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2808-61-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2808-84-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download