Overview

overview

10

Static

static

3

034813d065...cs.exe

windows7-x64

10

034813d065...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-06-2024 22:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    034813d065a875ea8c6a4d1377218d20_NeikiAnalytics.exe

  • Size

    65KB

  • MD5

    034813d065a875ea8c6a4d1377218d20

  • SHA1

    9e4d3ceaaf6dbc90fc7d622aaaf8e931f604c154

  • SHA256

    9f484b61af15bc382c753462cd4aaa95d54badc68b54a5ad3b21be923a13fdc9

  • SHA512

    8154e35031ced967bf0cc208d0a67e417e2dba26fd610eeb0ae574ae1894f9bb86519ae92611670228cfa0530d067024aebd395b482d96b1d81549450d310114

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ouo111111111111111111R:7WNqkOJWmo1HpM0MkTUmum

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\034813d065a875ea8c6a4d1377218d20_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\034813d065a875ea8c6a4d1377218d20_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2184
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3676
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2204
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:880
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3940
          • C:\Windows\SysWOW64\at.exe
            at 23:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:692
            • C:\Windows\SysWOW64\at.exe
              at 23:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:4172
              • C:\Windows\SysWOW64\at.exe
                at 23:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4308

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          65KB

          MD5

          d560b143ac5ca5416b86a16779d3ff41

          SHA1

          d02edabe342791a0f73e8580c4af816a47670b2d

          SHA256

          99543f9fdcc132d407dcc5bf7e4fc919e9d47fa70626c75c0738165f7cc0199b

          SHA512

          4721ca0693af1e13dba353e6a125e1f83a84f2be1409eddb137c3e9b08f3edffe77eb572eb2934650552956f53ba8755294c38e68f469af69c2c0facce0ea16c

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          65KB

          MD5

          42a1ceb7419188c9af3b9b71cc2fd2d4

          SHA1

          6ba5b529c9e4635231d154f5f83a3a6696cd40ff

          SHA256

          c222b00884f03f72b7fd75eb0ca2367bf7613687b25c9ec4e9ec5d986715f259

          SHA512

          624ad3d160f2b3f90632f2ba8e15db8aa969b9e1af8925866e3c747c8acf9a7cfd9105b8cb94b656fa6dfcf5b957d3e18fa5036aac90aa4311b3d41f16966912

          Download Submit

        • \??\c:\windows\system\explorer.exe
          Filesize

          65KB

          MD5

          b9b714cec2b7da1bebe97932522236c0

          SHA1

          52c6c1edf70ad9aa08ced6fd61cbe4016c5b3013

          SHA256

          5b7fa10c085fd89783b415dce1cd1d54d9f722e0ba1d988a8043d62d77a8e4e9

          SHA512

          f8a03c8ff2f15eb065226f0163c675d5c3cfe282b843e0b5486cadaa4123fb784c67bccee6da4cd6347524faceb9880231d1c57132d1b6711993e1949d3ebc9a

          Download Submit

        • \??\c:\windows\system\svchost.exe
          Filesize

          65KB

          MD5

          7653fa6496fceaf6572aec2008ece050

          SHA1

          8082e244f1abc0852e3e86779100d06e87764bed

          SHA256

          4274a5f5bbc020df754d129d2caede5300873c096cd372a7994f6598cb4c9245

          SHA512

          cfb4cbb24beca008ed810a580eb9ee3f79ac6e542d955ea957c9ea5e9c4333be79bb6e052a3c65961b57cf6758ea32d619156bf49b46b267051c35ec9ce43ecf

          Download Submit

        • memory/880-36-0x0000000074BD0000-0x0000000074D2D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/880-40-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/880-59-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2184-55-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2184-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2184-56-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2184-2-0x0000000074BD0000-0x0000000074D2D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2184-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2184-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2184-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2204-52-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2204-25-0x0000000074BD0000-0x0000000074D2D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2204-27-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3676-13-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3676-68-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3676-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3676-18-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3676-14-0x0000000074BD0000-0x0000000074D2D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3940-44-0x0000000074BD0000-0x0000000074D2D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3940-50-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3940-43-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download