Overview

overview

10

Static

static

3

034813d065...cs.exe

windows7-x64

10

034813d065...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    09/06/2024, 22:56

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    034813d065a875ea8c6a4d1377218d20_NeikiAnalytics.exe

  • Size

    65KB

  • MD5

    034813d065a875ea8c6a4d1377218d20

  • SHA1

    9e4d3ceaaf6dbc90fc7d622aaaf8e931f604c154

  • SHA256

    9f484b61af15bc382c753462cd4aaa95d54badc68b54a5ad3b21be923a13fdc9

  • SHA512

    8154e35031ced967bf0cc208d0a67e417e2dba26fd610eeb0ae574ae1894f9bb86519ae92611670228cfa0530d067024aebd395b482d96b1d81549450d310114

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ouo111111111111111111R:7WNqkOJWmo1HpM0MkTUmum

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\034813d065a875ea8c6a4d1377218d20_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\034813d065a875ea8c6a4d1377218d20_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1844
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3040
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2724
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2936
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2576
          • C:\Windows\SysWOW64\at.exe
            at 23:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1568
            • C:\Windows\SysWOW64\at.exe
              at 23:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2304
              • C:\Windows\SysWOW64\at.exe
                at 23:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:2100

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\mrsys.exe
                Filesize

                65KB

                MD5

                65402a19e52b7fc41170d62f0ed76e85

                SHA1

                cf5b6a73e02c9403f465d9d09d06ca00f55c9634

                SHA256

                ccd661a6077a46c387747489016a79709ade24d62e5f0410547baf7f9d3e7c77

                SHA512

                d94cec0fe0a077a5e14e5f528c7b1c34f0e8ee9b4a3f91e135a455867877ddfc66025838fb323438544640d9fcb274dc7949819edd28c02cc44d1a1b60e601ee

                Download Submit

              • C:\Windows\system\svchost.exe
                Filesize

                65KB

                MD5

                d134c14f8d1ba391c40a8cdd3fa39258

                SHA1

                887c90d402a48a7a660d02640a684f6da8453507

                SHA256

                a6c23390de3b2dc663621561bffd059060eb5ff523a0c7010645806b4dddd933

                SHA512

                06f993aee38c777d409b0a8e1ba4c9e3caf9e20afbf0adab918512d38210c9fb7273b0610f6133d52df01d7bcb2e13c143ddb2182e2a58c4cd41e8ee20c3404b

                Download Submit

              • \??\c:\windows\system\explorer.exe
                Filesize

                65KB

                MD5

                db0c092eea3cad6c18cd8685c17e6f2e

                SHA1

                719ad5c230d1096e1b565673cdd2186f81082132

                SHA256

                956bef08d1868381f2fac6afe20667a2737a03dd5c40d41353f9f7d2ea63bce9

                SHA512

                eef8b033d32ca33d435c4755f85eca4d6be8efe539105288aaf651bdc4a28ff28d1324701b858b40d9559e1e4984e956e877a2d55f6f103ea186b2e3a159fd6a

                Download Submit

              • \Windows\system\spoolsv.exe
                Filesize

                65KB

                MD5

                4d061d76d954c4b346a82b1f50312d9b

                SHA1

                b466a260287aaf045c4e692a159e3dfeca32b9d6

                SHA256

                c7b628bcbc6029a543b85f1e56d1a2e1f1c7179786d3e06d5ba38a346f529d4f

                SHA512

                879838d953ffaf224d1dc932b44e059addd2c866ae22275a0bd94934e4a55b74467e54e0e37daa9f54a8c30c5862af8c96bc5a7c3706d2da158fbcd5801a5ee0

                Download Submit

              • memory/1844-3-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1844-2-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1844-4-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/1844-0-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1844-81-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/1844-80-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1844-1-0x0000000000020000-0x0000000000024000-memory.dmp

                Filesize

                16KB

                Download

              • memory/1844-18-0x0000000002C40000-0x0000000002C71000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1844-17-0x0000000002C40000-0x0000000002C71000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1844-56-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2576-69-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2576-75-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2724-77-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2724-54-0x0000000001C40000-0x0000000001C71000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2724-49-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2724-39-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2936-84-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2936-57-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2936-60-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2936-68-0x0000000002A60000-0x0000000002A91000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3040-67-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3040-19-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3040-32-0x0000000002650000-0x0000000002681000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3040-21-0x0000000072940000-0x0000000072A93000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3040-25-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3040-20-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3040-83-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3040-38-0x0000000002650000-0x0000000002681000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3040-93-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download