Analysis

  • max time kernel
    93s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/06/2024, 16:22

General

  • Target
    6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe
  • Size
    232KB
  • MD5
    6bea8ef3668d7c8dbffc79735771d080
  • SHA1
    549e0647687d06f98b48d81109444492dc43dcd9
  • SHA256
    36af0f14f529603d7046850eff639ec28b64fda03f286c91c87e7cd2a6aefe46
  • SHA512
    7e75df5fc16f03187b46bb172c2e5856de7df07471938e974d92042516b551c83176fbfbaae795c3badcb41782c5cdb7b6ee4d96dea89124528d8e561e38641e
  • SSDEEP
    3072:51i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1VOz1i/NU82OMYcYU:7i/NjO5xbg/CSUFLTwMjs6oi/N+O7

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 47 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4904
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:4868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3320
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:4048
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4920
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • Views/modifies file attributes
        PID:2932
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:4056
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:1064
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:1504
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • Views/modifies file attributes
        PID:2736
  • C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\servicing\TrustedInstaller.exe
    1⤵
    PID:1380

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: b342fb24d6c7d9215731a17e94743502
    SHA1: 0e6ef1eca8b3c7bda6da7f1f792919a5fdc71a34
    SHA256: 7be1369161dae7ccbe4b699b2682bdd28141761e6afed9451ffa8626bf812cd1
    SHA512: 963af63ab70072c83ca49a658735b7d6b76d09081e8b97eb1a23b2e5ef131a83a4ab5903edcc53596f216ee1eb6b2c68e48f2a102e2b6eca672a99b71b51eb40

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: f517ee4a7b0317abcf4d618b44c17683
    SHA1: 02caa5a48378931e898c347b808ef38a00a3c3d9
    SHA256: 5867c256a76c099b3092a47b0e8d5f56667545ba8c4a15675bbb95cbcdedd4ff
    SHA512: 766f62fc93dbced430d0837f2d12eeb1b811d77c5ec6824f2bb377d8f069913f15c235b0ae35a770e460e9a87596f3c38aa1f1cb67b3d526e3f4838b6301edc4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\favicon[1].htm
    Filesize: 776B
    MD5: 0542ad8156f4dfca7ddcfcb62a6cb452
    SHA1: 485282ba12fc0daf6f6aed96f1ababb8f91a6324
    SHA256: c90cdefdb6d7ad5a9a132e0d3b74ecdb5b0d5b442da482129ba67925a2f47e8f
    SHA512: 0b41affa129277bf4b17d3e103dc4c241bc2ac338858cc17c22e172ec2ac65539b63e802246efb462cd134d99907d9c5ed9bc03937cadcca3155b703ac6e3195

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DL7YY2B9\js-sdk-pro.min[1].js
    Filesize: 33KB
    MD5: 24bb520e9517f2ed3ed987b46aeaf723
    SHA1: 846723563d7dd2bff3954f93633b11af0103adc8
    SHA256: d1f1bfe698f2ffb7b3e7a885a301d58f9554d45df0a31c3e8b53c84b33c80d27
    SHA512: 31afbcd2ee87c84cc3e56355da8ddc741a69d918c2687984265745d8046deb18c494cbca6aaf8d4eae6b035e888e6f7cf9b0d59a255f2714963d7b3edbb3c87f

  • C:\WINDOWS\windows.exe
    Filesize: 232KB
    MD5: 35e5ca3f533198464154c48a4c23afc7
    SHA1: 6f54418e1964881c72b5a759370bbd62fc23e698
    SHA256: f12888b3e1db565eac882abcf67ac2ecc3cacb6c8443b1654428b813807ee183
    SHA512: a8c38fc989f0e6cdcfb1dbcf3f38c509df74da27d56ab7c13e179e880624017b844abb499a9a6a4f89a57b2aea878e39ad5160d57754dbd2e6f472cc2c49f340

  • C:\system.exe
    Filesize: 232KB
    MD5: ecfed6d12a63ba09bbc71c3d2fe56ef0
    SHA1: e3bef29ffe53aa4c1006a87ffe7d8fcea42061bd
    SHA256: 3d83f57a12772488bb24fca5c4cbbba0b9652b2932877aa5ccac72fd9f7c6928
    SHA512: 648f93392e66dcbb6c20f462434c75a2471021811d91569ca7e9abb2e6b32593d918e5f151e681a12fe62db3cda76c6442e5e9ee63e0c88217eaf80c0113452f

  • memory/4924-0-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB

  • memory/4924-169-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB