Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
  • submitted
    07/06/2024, 02:54

General

  • Target

    317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

  • Size

    272KB

  • MD5

    317861e60ac84ff8427325e249887160

  • SHA1

    37d9a6bee3eba04971dc7a174113141078f250bd

  • SHA256

    6c5a1126072bc5ae15385bf2097e8da72f8145345a47bab35c5716389ff5453d

  • SHA512

    f8db51d9878169cf9903c86bf238c46564a5b837d10f8b3119a9a686c03219165bb6441e729dd3bee651da33ddc3318a7ac9c0167dc03c0741c715c03e89d43a

  • SSDEEP

    3072:Ax/5F/E7tEf07jU+p+tYlpJH7iXQNgggHlxDZiYLK5Wpht4xZVX4/awxf/:AxhF4cV+wWJH7igNgjdFKsCRAR/

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\317861e60ac84ff8427325e249887160_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2044
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1056
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2808
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2728
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1892
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:376
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1608
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1588

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    272KB

    MD5

    fd2b9347e94a0e51b6db31b4886f258b

    SHA1

    f0fde328763841e210f8e6b68d37c34b75c0dc48

    SHA256

    f5b1855f7ced0a0e54de1197a1220f4877466b3ac58afb297c400658c0c66bb7

    SHA512

    e85655440615c740e47ead1ccde424cba3b90ad39b2b44d1b6d787d7fc7ffc7f91b143dd9895f95a1148f01203c1086400868daad23862223c36e9deb7a1cab0

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    272KB

    MD5

    e38406495e23a2d44839757b4ae6558c

    SHA1

    46091021f96bf485171fb15792bdcdb9931a6954

    SHA256

    7e8107ea941335cabe33105c05ae4666ea7151fb2b422c7c587eeac1078c519b

    SHA512

    60dd151032533298be936411308f907c94e782bb9c39bf8a8161c12925d2743765aea350a460d5321426dc4216d16e00c4e67edf379be54ee68a7f4fe881cac1

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    272KB

    MD5

    95e63bda7b79926f854a3716afdce098

    SHA1

    95c2e3039732b77b93d7053ce2118ece16c5bdc4

    SHA256

    96cb8ae0048ad3174fafdd50d14556a9bb0ceb820a0aeea816ef725dd4e11000

    SHA512

    016bc0310bf1be12724f3490d2d382d92bbda9c62eafba7f735e358151aa3fa3d521d470e4c30e0c9f9d968cbd7366b77cf21335ab3e21acf7a968c064539c9e

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    272KB

    MD5

    317861e60ac84ff8427325e249887160

    SHA1

    37d9a6bee3eba04971dc7a174113141078f250bd

    SHA256

    6c5a1126072bc5ae15385bf2097e8da72f8145345a47bab35c5716389ff5453d

    SHA512

    f8db51d9878169cf9903c86bf238c46564a5b837d10f8b3119a9a686c03219165bb6441e729dd3bee651da33ddc3318a7ac9c0167dc03c0741c715c03e89d43a

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    128KB

    MD5

    81df711af52e37ad1fedb08f120723aa

    SHA1

    34b444a05458bfcbbf372213728cfc679ed22c1f

    SHA256

    4f2996b2b26186587f3ac0414a19907dc3c51e209382ea4f4460809a4c07535c

    SHA512

    6c8cd74d65dbfdaa25df730cbf5a603d0e1794ed3bca42d188e19b1a0c55aa553488f511068f65ea1d214600ffe59234f897fed7fb5339c18729875581f6ad05

  • C:\Windows\xk.exe

    Filesize

    272KB

    MD5

    c66ba444280f87cc838fa17b91498c82

    SHA1

    420b1872f8382f3d84c79cffb0727c866896be87

    SHA256

    4c20665a7369990148ead2905be6fce72ac5780b7754bf29b5a6807322f28b62

    SHA512

    c88f208b96fa3fefe1d91a72f88877aef32416684900ca5f8998cb64aed753085f0ada145728346b5a563e50952a247debe05d0a7bae5c0234bf90c59ce888aa

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    128KB

    MD5

    fc14ffd586403abc45151dc2c3be3000

    SHA1

    9c34c185fb3b25f5ea92ef18a4f1c2b16986a985

    SHA256

    966c1c80cc737b41685511b371a0751e4c5df9f382ab87c2db602c92f596e8d6

    SHA512

    e8316238ca72499229e11129cb0a408b7cb33d20174a1b5fcdc989ad14ad43ff61816d6688ad8f651b10ba86f67493a52133ef91ba3a2f8b6fdf77dd7101714e