Overview

overview

10

Static

static

3

7e78203ce5...cs.exe

windows7-x64

10

7e78203ce5...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/06/2024, 01:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7e78203ce5e13e4e9737b26e5db2c8f0_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    7e78203ce5e13e4e9737b26e5db2c8f0

  • SHA1

    51496bf3704a2ff043660b92191a9d782cc0c0d2

  • SHA256

    e560f73cab96babaaba237a3b5c36f329aba8e4961e441adfc8301db4b7b9191

  • SHA512

    6e41b1a6accd92ed7a2c91ff742b5a4e5bf0f1548fcec13c687c4aa82e4ed7e6510c477d44b0d3d4ba06fe24c653ed3ea61eb04621bfe3fa0d30a792c08eeca8

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiY:IeklMMYJhqezw/pXzH9iY

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e78203ce5e13e4e9737b26e5db2c8f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7e78203ce5e13e4e9737b26e5db2c8f0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3488
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2940
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3812
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3228
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:624
          • C:\Windows\SysWOW64\at.exe
            at 01:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1436
            • C:\Windows\SysWOW64\at.exe
              at 01:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:3688
              • C:\Windows\SysWOW64\at.exe
                at 01:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:2568
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:4048

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\mrsys.exe
            Filesize

            66KB

            MD5

            fa11955d3345bab18fa132b288a25b4d

            SHA1

            65f57d09fa0cc5a928b8f126a87bca03f54a6a7e

            SHA256

            52643382d3f09e6dacd5b8d1aff2cd9d58bccd31f73ba0d9c1d5f7924410e0ad

            SHA512

            f01c19ea2143501156c078cbddb7dd23ea8f7e48d8842b0516a75eb325fd3b3ade933eee732e0ae530c33f1ff3049f6f56a283b667fa708d26aa698cd824a07b

            Download Submit

          • C:\Windows\System\explorer.exe
            Filesize

            66KB

            MD5

            e809e9a6875f68d90b26794e7a767e15

            SHA1

            36fb5eab71c92cc64adff6892b47d65317665545

            SHA256

            a940ed8049407e3bcf1178c280f21006ccc4cf339fcc5a1a0a999ac2b2f3a2c2

            SHA512

            7053f1568ec9e296e1f02f6197f10225f56cd93299911bbb8c409ff7bf04c0b31264fefb44e240ee71436afcc855e407900b3ac44b75a6338693c7c745530070

            Download Submit

          • C:\Windows\System\spoolsv.exe
            Filesize

            66KB

            MD5

            a1ba8b6d74a58bc0a1b83a513ae71116

            SHA1

            769bc12066697c48c2ed8327d1f7ac9323c07e0c

            SHA256

            98dee41bea9af33c06fedb10891aa3e7e549e4372798c229ec1dc4958f288e78

            SHA512

            34cfbdc6699090599a41a8370844f2ff3c4f304b321da7d86ce60c91ba03ca0edbfbb298c1e38cdf3e1d4ab27659d1a916be2950ac98d511b275b0fd15becb12

            Download Submit

          • C:\Windows\System\svchost.exe
            Filesize

            66KB

            MD5

            ee096cc00fd0dc5cf78858d86c5105e4

            SHA1

            52bb301e1e3116ab830af691717a0fda32736aee

            SHA256

            de288ea2f66a8c7b13fb867293502160216ab0ed3184c4926795f9c983986e83

            SHA512

            db04cc0444a285a25215b6ab84852e95d7c864fbccef4397a2c47ea8f94c3a8e8525f0aca6c4b65f79eefb15f904cedd05c48bedd35161664250843c2796dbd0

            Download Submit

          • memory/624-51-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/624-46-0x0000000075940000-0x0000000075A9D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2940-59-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/2940-14-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/2940-15-0x0000000075940000-0x0000000075A9D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2940-17-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/2940-72-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3228-61-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3228-39-0x0000000075940000-0x0000000075A9D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3488-12-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3488-2-0x0000000075940000-0x0000000075A9D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3488-38-0x00000000001C0000-0x00000000001C4000-memory.dmp

            Filesize

            16KB

            Download

          • memory/3488-41-0x0000000000401000-0x000000000042E000-memory.dmp

            Filesize

            180KB

            Download

          • memory/3488-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

            Filesize

            16KB

            Download

          • memory/3488-3-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3488-0-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3488-4-0x0000000000401000-0x000000000042E000-memory.dmp

            Filesize

            180KB

            Download

          • memory/3488-57-0x0000000000401000-0x000000000042E000-memory.dmp

            Filesize

            180KB

            Download

          • memory/3488-56-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3812-27-0x0000000075940000-0x0000000075A9D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3812-54-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3812-26-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3812-32-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download