Analysis

  • max time kernel
    150s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/06/2024, 22:09

General

  • Target

    1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe

  • Size

    20KB

  • MD5

    1d2047e2b82e3a6362c9b6b72f405c30

  • SHA1

    78d2e802568f37757c731443a11aea1ca17fc9e1

  • SHA256

    0e90a3fb1722c7dbc684ff259cb2657a84d06c4bc21bce02c372fab639aa6c1e

  • SHA512

    e2a9845c16ff1e49962b86ea580ea79bbd141be0e441c62ead7d8c893f0ed323fa91170bc0990e5b7a30549fb8c4ffda82f9a96583ea8a76a03cb2672e421bda

  • SSDEEP

    384:g58AcUoUQKNRYELxQUHDvmk3E+KDvB77777J77c77c77c72qh59mUhlthLzK:g5BOFKksO1mE9B77777J77c77c77c71W

Score
10/10

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • Executes dropped EXE 5 IoCs
  • UPX packed file 32 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Kills process with taskkill 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2100
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1988
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2188
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2676
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2580
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1920
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3044
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1152
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2852
    • C:\Windows\1D6600A.exe
      C:\Windows\1D6600A.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2104
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM services.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2956
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1648
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1804
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2548
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2784
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2776
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM services.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2792
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2820
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2944
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1608
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:532
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:480
      • C:\Windows\1D6600ASSQZSV.exe
        C:\Windows\1D6600ASSQZSV.exe
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetWindowsHookEx
        PID:1320
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2088
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM services.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2092
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2864
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2880
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2028
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:564
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1984
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:772
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM services.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3048
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1900
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:908
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2316
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2336
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1040
        • C:\Windows\1D6600ASSQZSV.exe
          C:\Windows\1D6600ASSQZSV.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1968
        • C:\Windows\1D6600A.exe
          C:\Windows\1D6600A.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:284
      • C:\Windows\1D6600A.exe
        C:\Windows\1D6600A.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1704


        Downloads

        • C:\Windows\1D6600A.exe
          Filesize 19KB
          MD5 0727f639efb9f92749d6aef08ae2d902
          SHA1 43097640d04a07228c1d52d376a122fa185d65f9
          SHA256 c2ccbae0a961a025f103f59768dde94149d3c5d8f80ae4dbe0b2d1fe3c8fa955
          SHA512 547ebc7674d7a4ce0751a5d6f6ece4878873a5e8fcf90ef82ec309216bca0e90024fecd0d29c19ef37f0602abba57253534e152270416dacd556b8e2cd09c610

        • C:\Windows\1D6600ASSQZSV.exe
          Filesize 16KB
          MD5 dd8458aedbbd4a0ef1cc0030fe232d87
          SHA1 425ce52efeed2db6d81d39b7c56555597578ab48
          SHA256 11dce98da4350436be3a2bd90d320839d418c832883dc81e9f421ba0a9c4919b
          SHA512 acf84e6a83eaefeea5beda5c000b878e662052964f1a2ec1e755cc3e4cef3b1db4f46c58b3e5939e5428ab9aa8363e8bea1ffdd1fd7c9d6806419f61faf29f72

        • memory/284-35-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/1320-63-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/1320-69-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/1320-65-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/1320-45-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/1320-71-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/1320-49-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/1320-53-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/1320-29-0x0000000000360000-0x000000000036F000-memory.dmp
          Filesize 60KB
        • memory/1320-73-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/1320-51-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/1320-61-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/1320-59-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/1704-43-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/1968-30-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/1968-26-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/2200-48-0x00000000002B0000-0x00000000002BF000-memory.dmp
          Filesize 60KB
        • memory/2200-62-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/2200-50-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/2200-74-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/2200-52-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/2200-46-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/2200-56-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/2200-58-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/2200-44-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/2200-60-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/2200-72-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/2200-47-0x00000000002B0000-0x00000000002BF000-memory.dmp
          Filesize 60KB
        • memory/2200-19-0x00000000002B0000-0x00000000002BF000-memory.dmp
          Filesize 60KB
        • memory/2200-64-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/2200-20-0x00000000002B0000-0x00000000002BF000-memory.dmp
          Filesize 60KB
        • memory/2200-68-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/2200-14-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/2844-13-0x0000000000260000-0x000000000026F000-memory.dmp
          Filesize 60KB
        • memory/2844-41-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB
        • memory/2844-12-0x0000000000260000-0x000000000026F000-memory.dmp
          Filesize 60KB
        • memory/2844-0-0x0000000000400000-0x000000000040F000-memory.dmp
          Filesize 60KB