Overview

overview

10

Static

static

3

7e78203ce5...cs.exe

windows7-x64

10

7e78203ce5...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    08/06/2024, 01:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7e78203ce5e13e4e9737b26e5db2c8f0_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    7e78203ce5e13e4e9737b26e5db2c8f0

  • SHA1

    51496bf3704a2ff043660b92191a9d782cc0c0d2

  • SHA256

    e560f73cab96babaaba237a3b5c36f329aba8e4961e441adfc8301db4b7b9191

  • SHA512

    6e41b1a6accd92ed7a2c91ff742b5a4e5bf0f1548fcec13c687c4aa82e4ed7e6510c477d44b0d3d4ba06fe24c653ed3ea61eb04621bfe3fa0d30a792c08eeca8

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiY:IeklMMYJhqezw/pXzH9iY

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e78203ce5e13e4e9737b26e5db2c8f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7e78203ce5e13e4e9737b26e5db2c8f0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:992
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2808
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2600
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2728
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2460
          • C:\Windows\SysWOW64\at.exe
            at 01:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2232
            • C:\Windows\SysWOW64\at.exe
              at 01:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1252
              • C:\Windows\SysWOW64\at.exe
                at 01:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3036

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          41edf94a3fbc55487ed710598179f0d4

          SHA1

          c2112bbc9c321b73bf8c45fd4a41f6794f623b51

          SHA256

          2e491e2011c7b69dfde1f434ad70f6605055c49bb5cf73ecbafc25d059827b38

          SHA512

          b7cdc79dfea2098d7a0ff95b0ca25ac1f0293da0bcbff27dcb5a035930e816d2395402dd4878d06884165ea0917a3f5462a12a8f4015af0ef58e32ab05be1a8c

          Download Submit

        • \Windows\system\explorer.exe
          Filesize

          66KB

          MD5

          ea270f14fe9003da7978852066b0e001

          SHA1

          e600772e5073599613afb8f2adf440bafd8159b2

          SHA256

          f0865f3136a7c8c0a024583e51e316866ee68e1d186582bb9697500702715fbb

          SHA512

          6ff82a32a2252b52abcebf2de9d3878b71ebb17034496eb03662daded8e28c484d1e6b9f819e347d079bf531538542b962d2d6e33df51d7440edd7767b2ef6e8

          Download Submit

        • \Windows\system\spoolsv.exe
          Filesize

          66KB

          MD5

          13dd148d1bbfd864702715fd474d590d

          SHA1

          5fbc7cc7c6008a26bbd2237483545e5440c8ef7b

          SHA256

          8215a01896212c92cd910763a40ea4215fd32a03a17c4fb774d271ae7831f83d

          SHA512

          2887c4a8402f47d775968cb95688da26a1e7936a7dc18bf8aba288b557a4e94b6ed74dc92848aae0e4deb4d4499a17cfe4ab1f6fffa2941e3d785c69c1f07db8

          Download Submit

        • \Windows\system\svchost.exe
          Filesize

          66KB

          MD5

          27ad1c30dd4ed668a9bfcdee3b6650cd

          SHA1

          a06d274e81f2388cf4c9582d4bb4a051036b7ea0

          SHA256

          1f4df19ec36332efae0990dcb11013104cd9e323bc3aba95b3f5def1dd268e89

          SHA512

          888af059b49b9e8215c3251dda216751c6b7deeabf345d29faf844fd122d10e9cb9ff61cc97df949bab1dc8e6ff2ce67a31dd5b25ab057a57d0c346459af583b

          Download Submit

        • memory/992-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/992-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/992-2-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/992-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/992-80-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/992-16-0x0000000002CB0000-0x0000000002CE1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/992-60-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/992-81-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/992-1-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/992-63-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2460-74-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2460-68-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2600-51-0x0000000002480000-0x00000000024B1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2600-78-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2600-35-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2600-52-0x0000000002480000-0x00000000024B1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2600-39-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2728-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2728-67-0x0000000002500000-0x0000000002531000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2728-64-0x0000000002500000-0x0000000002531000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2728-61-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2728-54-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2728-85-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2808-29-0x00000000032B0000-0x00000000032E1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2808-20-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2808-18-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2808-83-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2808-94-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download