Overview

overview

10

Static

static

3

1d61cba784...cs.exe

windows7-x64

10

1d61cba784...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/06/2024, 21:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1d61cba7849ce44e167e4722f18a9620_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    1d61cba7849ce44e167e4722f18a9620

  • SHA1

    13f59780f8d9ba09c2d7881eb676b0f8b001cefa

  • SHA256

    17dde2c0b57cc387900901ab24748b470e4ac166024cee18b6d1921bbaf035dc

  • SHA512

    38175bd199fede529cce3b55ed2363eeb1f349d0cee80ff4c77c6d69740ea69fe8571b5c6c53cbe3916bcfe33f3fece5a25844795b081b27f3d21d84d1009456

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi1:IeklMMYJhqezw/pXzH9i1

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d61cba7849ce44e167e4722f18a9620_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1d61cba7849ce44e167e4722f18a9620_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3400
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4496
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:456
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1280
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1488
          • C:\Windows\SysWOW64\at.exe
            at 21:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2964
            • C:\Windows\SysWOW64\at.exe
              at 21:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:4624
              • C:\Windows\SysWOW64\at.exe
                at 21:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1084
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3780 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:4468

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Roaming\mrsys.exe
                  Filesize

                  66KB

                  MD5

                  acddfaef2054b7db20d036fcbfeee7ea

                  SHA1

                  a4d8c364575eaf37d2841872356711f0d2800a72

                  SHA256

                  219e01f2d65829c0faa53e22ed1fa61ff036f1756a9994a1c7a7662ad4610120

                  SHA512

                  66063cb6e50bb886277ca2325b25f490793bddee50e1ac38dd5fdc0a8d7c2664416cddb2474b3bc4be0b8da80e50e12da1a9fc782c476a1cfd171b84c6ea7fe0

                  Download Submit

                • C:\Windows\System\explorer.exe
                  Filesize

                  66KB

                  MD5

                  1a11050355a20bd06f78e2abd66bd770

                  SHA1

                  5f096ae93794e95a2a8d72964cbbdb6f2371aee1

                  SHA256

                  22ed08a1e2a383b35fd8a00e8f11e6051effa99ef8f875f25f2cfe60618faa00

                  SHA512

                  cb60e4e3395b5bea22d07752c5b3871d5380e320fc337e8dda4c1e1df7d8652d547c52049a39ad2568b26bacb3fb0c5ab006d48f7351c084b4a9a366dcb96b20

                  Download Submit

                • C:\Windows\System\spoolsv.exe
                  Filesize

                  66KB

                  MD5

                  03ec8d0e329688c8a29dc1b89bd5e3d4

                  SHA1

                  2b53b86a5ae140f6cc68ce7ba9f06502c7e2f9b8

                  SHA256

                  53f7322053cf9dbe20ccc56b0c568bda7e1dcca4fd591bb3044b58c81432715b

                  SHA512

                  50f650b433c761819971cc8547c174085667228e86844e627a0bfc46f047e74a9f7cd55a8426bf699b3c8324565110b5243a4064f8e2f832b56d07c299c87285

                  Download Submit

                • C:\Windows\System\svchost.exe
                  Filesize

                  66KB

                  MD5

                  934d84ccd1527d0baba34f0dbbcf491b

                  SHA1

                  170469631d1b1ee96bb7a03cd11eb351f1ccfe3b

                  SHA256

                  e2dc6f608e24c2f9495b273e426686d7fcd67af4a41c4dd49a98b9029bb0bfd7

                  SHA512

                  77b2a2009cd0e2effdc60ce546b41e9c54cad0626c5abd78916c98a4c56283badd48bd989067f47d563aa0d0779f6887c1b980ecc10260bc550ebd687c6b8941

                  Download Submit

                • memory/456-53-0x0000000000400000-0x0000000000431000-memory.dmp

                  Filesize

                  196KB

                  Download

                • memory/456-25-0x0000000075660000-0x00000000757BD000-memory.dmp

                  Filesize

                  1.4MB

                  Download

                • memory/1280-36-0x0000000075660000-0x00000000757BD000-memory.dmp

                  Filesize

                  1.4MB

                  Download

                • memory/1280-59-0x0000000000400000-0x0000000000431000-memory.dmp

                  Filesize

                  196KB

                  Download

                • memory/1280-42-0x0000000000400000-0x0000000000431000-memory.dmp

                  Filesize

                  196KB

                  Download

                • memory/1488-49-0x0000000000400000-0x0000000000431000-memory.dmp

                  Filesize

                  196KB

                  Download

                • memory/1488-44-0x0000000075660000-0x00000000757BD000-memory.dmp

                  Filesize

                  1.4MB

                  Download

                • memory/3400-55-0x0000000000401000-0x000000000042E000-memory.dmp

                  Filesize

                  180KB

                  Download

                • memory/3400-2-0x0000000075660000-0x00000000757BD000-memory.dmp

                  Filesize

                  1.4MB

                  Download

                • memory/3400-35-0x00000000001C0000-0x00000000001C4000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/3400-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/3400-39-0x0000000000401000-0x000000000042E000-memory.dmp

                  Filesize

                  180KB

                  Download

                • memory/3400-3-0x0000000000400000-0x0000000000431000-memory.dmp

                  Filesize

                  196KB

                  Download

                • memory/3400-0-0x0000000000400000-0x0000000000431000-memory.dmp

                  Filesize

                  196KB

                  Download

                • memory/3400-54-0x0000000000400000-0x0000000000431000-memory.dmp

                  Filesize

                  196KB

                  Download

                • memory/3400-4-0x0000000000401000-0x000000000042E000-memory.dmp

                  Filesize

                  180KB

                  Download

                • memory/4496-14-0x0000000075660000-0x00000000757BD000-memory.dmp

                  Filesize

                  1.4MB

                  Download

                • memory/4496-57-0x0000000000400000-0x0000000000431000-memory.dmp

                  Filesize

                  196KB

                  Download

                • memory/4496-13-0x0000000000400000-0x0000000000431000-memory.dmp

                  Filesize

                  196KB

                  Download

                • memory/4496-70-0x0000000000400000-0x0000000000431000-memory.dmp

                  Filesize

                  196KB

                  Download

                • memory/4496-17-0x0000000000400000-0x0000000000431000-memory.dmp

                  Filesize

                  196KB

                  Download