Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    10/06/2024, 22:09

General

  • Target

    1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe

  • Size

    20KB

  • MD5

    1d2047e2b82e3a6362c9b6b72f405c30

  • SHA1

    78d2e802568f37757c731443a11aea1ca17fc9e1

  • SHA256

    0e90a3fb1722c7dbc684ff259cb2657a84d06c4bc21bce02c372fab639aa6c1e

  • SHA512

    e2a9845c16ff1e49962b86ea580ea79bbd141be0e441c62ead7d8c893f0ed323fa91170bc0990e5b7a30549fb8c4ffda82f9a96583ea8a76a03cb2672e421bda

  • SSDEEP

    384:g58AcUoUQKNRYELxQUHDvmk3E+KDvB77777J77c77c77c72qh59mUhlthLzK:g5BOFKksO1mE9B77777J77c77c77c71W

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • Executes dropped EXE 5 IoCs
  • UPX packed file 38 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Kills process with taskkill 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
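
The "Modifies WinLogon for persistence" and "Adds Run key to start application" signatures describe registry writes the report does not enumerate. The Python below is added here as an illustration of the check an analyst would run on the infected host; it is not part of the sandbox's own rules. It parses a `reg export` of the Winlogon key and the two Run keys, compares Shell and Userinit against their stock Windows 10 values (anything appended to either string is executed at logon), and flags Run entries that point at an executable dropped directly into the C:\Windows root or into a user-writable temp location. The registry text is a constructed sample: the report only says the keys were modified, so the Shell value shown is an assumption, not something extracted from this run.

```python
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# Stock Windows 10 values. Anything appended to either string runs at logon.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}
# Launch locations a legitimate autostart rarely uses.
SUSPICIOUS_LOCATIONS = (
    re.compile(r'^"?c:\\windows\\[^\\"]+\.exe', re.I),  # directly in C:\Windows, as this sample drops itself
    re.compile(r"\\appdata\\local\\temp\\", re.I),
    re.compile(r"\\users\\public\\", re.I),
)

# Constructed sample of `reg export` output for an infected host (assumption: the
# report says these keys were modified but not which values were written).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Windows\\1D6600A.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"1D6600A"="C:\\Windows\\1D6600A.exe"
"""

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslashes and quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse the REG_SZ subset of .reg syntax into {key_path: {value_name: value}}.
    Other value types (hex:, dword:) are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_persistence(reg_text):
    """Return (category, value_name, value) for every autostart entry worth a look."""
    findings = []
    keys = parse_reg_export(reg_text)
    winlogon = keys.get(WINLOGON_KEY, {})
    for name, default in WINLOGON_DEFAULTS.items():
        val = winlogon.get(name)
        if val is not None and val.strip().lower() != default.lower():
            findings.append(("Winlogon", name, val))
    for key in RUN_KEYS:
        for name, val in keys.get(key, {}).items():
            if any(p.search(val.strip()) for p in SUSPICIOUS_LOCATIONS):
                findings.append(("Run", name, val))
    return findings


if __name__ == "__main__":
    for category, name, value in find_persistence(SAMPLE_REG_EXPORT):
        print(f"{category:8s} {name} = {value}")
```

Against the constructed export this reports the appended Shell entry and the Run value pointing at C:\Windows\1D6600A.exe; the unmodified Userinit string and the stock SecurityHealth autostart are left alone. On a live host, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` produces the input format.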

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3324
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3464
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4664
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:752
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2132
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2004
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5112
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3836
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4576
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:436
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1164
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4640
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5056
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4856
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1572
    • C:\Windows\1D6600A.exe
      C:\Windows\1D6600A.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3996
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM services.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3968
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3880
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1808
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2156
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1052
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5088
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3104
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM services.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3132
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1532
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2656
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2700
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1688
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2116
      • C:\Windows\1D6600ASSQZSV.exe
        C:\Windows\1D6600ASSQZSV.exe
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetWindowsHookEx
        PID:4012
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:216
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM services.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:208
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1584
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3532
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3760
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1292
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3164
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4392
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM services.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4844
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4920
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2408
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2904
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4380
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4148
        • C:\Windows\1D6600ASSQZSV.exe
          C:\Windows\1D6600ASSQZSV.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2524
        • C:\Windows\1D6600A.exe
          C:\Windows\1D6600A.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2392
      • C:\Windows\1D6600A.exe
        C:\Windows\1D6600A.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1268
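
Each stage of the tree above runs the same fixed sequence of `TASKKILL /S COMPUTERNAME /F /IM <name> /T` commands against core Windows processes and then launches a copy of itself from the C:\Windows root. Two points a reviewer would want noted. First, `/S COMPUTERNAME` is the literal token, apparently an unexpanded %COMPUTERNAME%, so taskkill is being asked to connect to a remote host of that name. Second, winlogon, csrss, smss, services and lsass are critical system processes: a non-elevated caller is refused, and a kill that does succeed ends in a bugcheck rather than a quiet termination. What is reliably observable is the attempt itself, which is what the 42 "Kills process with taskkill" IoCs record. The Python below, added as an example and not part of the report, runs that detection over process-creation events reconstructed from the tree (pids, images and command lines are the report's own; only a subset of each stage's TASKKILL children is reproduced) and also flags execution from the C:\Windows root and parents that spawn a burst of taskkill children.

```python
import re

# Core Windows processes this sample targets; all appear in the tree above.
CRITICAL_TARGETS = {
    "winlogon.exe", "services.exe", "lsass.exe", "csrss.exe",
    "smss.exe", "svchost.exe", "inetinfo.exe",
}
# An .exe directly in C:\Windows (not a subdirectory), where the sample drops itself.
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)
BURST_THRESHOLD = 3  # taskkill children per parent before it is called a burst

TASKKILL = r"C:\Windows\SysWOW64\TASKKILL.exe"

# Constructed from the report's process tree: (pid, parent pid, image path, command line).
EVENTS = [
    (3324, None, r"C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe"'),
    (3464, 3324, TASKKILL, "TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T"),
    (4664, 3324, TASKKILL, "TASKKILL /S COMPUTERNAME /F /IM services.exe /T"),
    (752,  3324, TASKKILL, "TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T"),
    (3080, 3324, r"C:\Windows\1D6600A.exe", r"C:\Windows\1D6600A.exe"),
    (1808, 3080, TASKKILL, "TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T"),
    (2156, 3080, TASKKILL, "TASKKILL /S COMPUTERNAME /F /IM smss.exe /T"),
    (5088, 3080, TASKKILL, "TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T"),
    (4012, 3080, r"C:\Windows\1D6600ASSQZSV.exe", r"C:\Windows\1D6600ASSQZSV.exe"),
    (1292, 4012, TASKKILL, "TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T"),
    (2524, 4012, r"C:\Windows\1D6600ASSQZSV.exe", r"C:\Windows\1D6600ASSQZSV.exe"),
]


def parse_taskkill(cmdline):
    """Return the switches of a taskkill command line, or None if it is not taskkill."""
    toks = re.findall(r'"[^"]*"|\S+', cmdline)
    if not toks:
        return None
    exe = toks[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("taskkill", "taskkill.exe"):
        return None
    out = {"system": None, "force": False, "tree": False, "image": None, "pid": None}
    i = 1
    while i < len(toks):
        sw = toks[i].upper()
        if sw == "/F":
            out["force"] = True
        elif sw == "/T":
            out["tree"] = True
        elif sw in ("/S", "/IM", "/PID") and i + 1 < len(toks):
            out[{"/S": "system", "/IM": "image", "/PID": "pid"}[sw]] = toks[i + 1].strip('"')
            i += 1
        i += 1
    return out


def analyze(events):
    """Run the three rules over process-creation events and return the findings."""
    by_pid = {e[0]: e for e in events}
    findings, kills_per_parent = [], {}
    for pid, ppid, image, cmdline in events:
        tk = parse_taskkill(cmdline)
        if tk:
            kills_per_parent[ppid] = kills_per_parent.get(ppid, 0) + 1
            if tk["image"] and tk["image"].lower() in CRITICAL_TARGETS:
                findings.append({"rule": "taskkill_critical_process", "pid": pid, "parent": ppid,
                                 "target": tk["image"].lower(), "force": tk["force"],
                                 "system": tk["system"]})
        if WINDOWS_ROOT_EXE.match(image):
            findings.append({"rule": "exec_from_windows_root", "pid": pid, "parent": ppid, "image": image})
    for ppid, count in kills_per_parent.items():
        if count >= BURST_THRESHOLD:
            parent_image = by_pid[ppid][2] if ppid in by_pid else None
            findings.append({"rule": "taskkill_burst", "pid": ppid, "count": count, "image": parent_image})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

With the subset above, every taskkill is a forced kill of a critical target with the literal system name "COMPUTERNAME", two of the three stages cross the burst threshold, and all three dropped copies are flagged for running from the C:\Windows root. On a real endpoint the same rules apply to Sysmon event 1 or Windows Security 4688 records, where ParentProcessId, Image and CommandLine map directly onto the tuple fields used here.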

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\1D6600A.exe

          Filesize

          18KB

          MD5

          80c6d202d1baa4e47c68c299e02a5b83

          SHA1

          a2dce074163bed60d4c9ee548135c3ddd6c39307

          SHA256

          d1cd4f0b72ba3fc5c2e2ef0e42fa080490ef61b195a6a9a927fecd4013b48efa

          SHA512

          07f1f171caed67fe45218b7bbff93ced98d20a8f4222aad829d0b519d2d1855bc054fe90ea78a3fb26873502d9139fb04b90f977a41943df562de4c12f99b1f2

        • C:\Windows\1D6600ASSQZSV.exe

          Filesize

          20KB

          MD5

          d5df33021ae9d196431bbf2f9498ebbd

          SHA1

          07adb50306b248d7f2286ac9efb7a9b298fa5438

          SHA256

          935bdc794957a925b277f57e9bcdea37447d178b7138bc8395122f9850ced70f

          SHA512

          5c2c9b86beb413a77e579866bc35e428e29396cd71e26c4d7d0651e21e038f048d0253c96981ae79087495260e35219ab2909dee52634c6a6fc61286f6a4d4e3

        • memory/1268-35-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2392-29-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2524-24-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3080-48-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3080-10-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3080-54-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3080-66-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3080-38-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3080-40-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3080-64-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3080-62-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3080-42-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3080-52-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3080-44-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3080-46-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3080-60-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3080-56-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3080-58-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3080-50-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3324-0-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3324-37-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/4012-45-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/4012-55-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/4012-53-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/4012-57-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/4012-51-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/4012-59-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/4012-49-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/4012-47-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/4012-61-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/4012-43-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/4012-63-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/4012-41-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/4012-65-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/4012-67-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/4012-39-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB
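
Every memory dump above covers the same range, 0x400000 to 0x40F000 (0xF000 bytes, the reported 60KB), for a sample that is 20KB on disk, and the "UPX packed file" signature explains the gap: a UPX stub reserves the full unpacked image in memory (ImageBase to ImageBase + SizeOfImage) while the file holds only the compressed payload. The Python below is added as an example and is not the sandbox's detector. It builds a minimal PE32 header with constructed UPX-style sections sized to reproduce that 0xF000 image, parses it back the way a triage script would parse a real file, and reports the usual packer indicators: UPX section names, a section with virtual size but no bytes on disk, and SizeOfImage far above the file size. The section names and sizes are constructed for illustration, not extracted from this sample.

```python
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

# Constructed to reproduce the 0x400000-0x40F000 region seen in the dumps above:
# UPX0 is the empty-on-disk unpack target, UPX1 carries the compressed payload.
SAMPLE_SECTIONS = [("UPX0", 0x8000, 0), ("UPX1", 0x5000, 0x4400), (".rsrc", 0x1000, 0x200)]


def _align(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_sample_pe(sections, image_base=0x400000, sect_align=0x1000, file_align=0x200):
    """Build a minimal PE32 file from (name, VirtualSize, SizeOfRawData) tuples.
    Headers plus zero-filled section bodies; for inspection, not execution."""
    n = len(sections)
    size_of_headers = _align(0x40 + 4 + 20 + 224 + 40 * n, file_align)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack(COFF_HDR, 0x14C, n, 0, 0, 0, 224, 0x0102)    # i386, executable image
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<III", opt, 28, image_base, sect_align, file_align)
    va, raw_ptr, hdrs, body = sect_align, size_of_headers, b"", b""
    for name, vsize, rsize in sections:
        hdrs += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), vsize, va,
                            rsize, raw_ptr if rsize else 0, 0, 0, 0, 0, 0x60000020)
        body += b"\0" * rsize
        va += _align(vsize, sect_align)
        raw_ptr += rsize
    struct.pack_into("<II", opt, 56, va, size_of_headers)           # SizeOfImage, SizeOfHeaders
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(size_of_headers, b"\0")
    return header + body


def inspect_pe(data):
    """Read ImageBase, SizeOfImage and the section table from a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:  # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        name, vsize, va, rsize, praw, *_rest = struct.unpack_from(SECTION_HDR, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "va": va, "rsize": rsize, "raw": praw})
        off += 40
    return {"image_base": image_base, "size_of_image": size_of_image,
            "file_size": len(data), "sections": sections}


def memory_region(info):
    """The range the loader maps for this image, as the sandbox names its dumps."""
    return info["image_base"], info["image_base"] + info["size_of_image"]


def packer_indicators(info):
    hits = []
    if {s["name"] for s in info["sections"]} & UPX_SECTION_NAMES:
        hits.append("upx_section_names")
    if any(s["vsize"] > 0 and s["rsize"] == 0 for s in info["sections"]):
        hits.append("zero_raw_size_section")       # memory reserved for the unpacked code
    if info["size_of_image"] >= 2 * info["file_size"]:
        hits.append("image_much_larger_than_file")
    return hits


if __name__ == "__main__":
    info = inspect_pe(build_sample_pe(SAMPLE_SECTIONS))
    start, end = memory_region(info)
    print("mapped 0x%X-0x%X (%d KB on disk, %d KB in memory)"
          % (start, end, info["file_size"] // 1024, (end - start) // 1024))
    print("indicators:", packer_indicators(info))
```

The constructed image maps exactly to 0x400000-0x40F000 and trips all three indicators; a plain two-section layout with raw sizes matching virtual sizes trips none. Note that the UPX section names are trivially renamed by a "modified UPX" build (the signature text above allows for that), so the size and zero-raw-section checks are the ones worth keeping when the names are absent.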