Analysis

  • max time kernel: 140s
  • max time network: 52s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 11/06/2024, 09:23

General

  • Target: 2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe
  • Size: 125KB
  • MD5: 2fe57c000d1920bc35b8aa0163a9e5f0
  • SHA1: 60870441ea2d3d1174e07a79c61b0045dbce006a
  • SHA256: 4f5de6cb9593a2ddd762da83476ec5d33d3b7641f02e87991e6826deb7faf2d3
  • SHA512: f5e6d6c8ed35fa9aeb3a972db1979960b8aebf1d1f21d712d593bbb82278020254031c71c569e31edd6820c72a74bdf153aaa8403bd3433f18b8ddd49ea7886f
  • SSDEEP: 1536:RkAHDp/3yZhxjjaDswjvLzVCMnIqTMhTYLg5tqf70LJZmh82vP/6UT:j3sXj2sevLzVCM86+00LJZi1vP/6M

Score
8/10

Signatures

  • Sets file execution options in registry (2 TTPs, 6 IoCs)
  • Modifies system executable filetype association (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (64 IoCs)
  • Modifies registry class (14 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe"
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID: 4848
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      PID: 4444
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\123.bat
      • Suspicious use of WriteProcessMemory
      PID: 4824
      • C:\Windows\SysWOW64\reg.exe
        reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f
        • Sets file execution options in registry
        PID: 1968
      • C:\Windows\SysWOW64\reg.exe
        reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f
        • Sets file execution options in registry
        PID: 4196
      • C:\Windows\SysWOW64\reg.exe
        reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f
        • Sets file execution options in registry
        PID: 1932
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c assoc .txt = exefile
      • Modifies registry class
      PID: 2064
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ftype comfile=C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe
      • Modifies system executable filetype association
      • Modifies registry class
      PID: 3528
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ftype zipfile=C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe
      • Modifies registry class
      PID: 880
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ftype jpgfile=C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe
      • Modifies registry class
      PID: 2192
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ftype txtfile=C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe
      • Modifies registry class
      PID: 4652

Downloads

  • C:\123.bat
    Filesize: 443B
    MD5: 70170ba16a737a438223b88279dc6c85
    SHA1: cc066efa0fca9bc9f44013660dea6b28ddfd6a24
    SHA256: d3674f4b34a8ca8167160519aa5c66b6024eb09f4cb0c9278bc44370b0efec6a
    SHA512: 37cc8c954544374d0a1ca4d012c9bd0b47781bc9bb8d0c15a8a95b9934893db3bedee867b984c20edabe54c39574abf7250de433aade6c0d544b8dd2c972c6da
  • C:\Program Files\7-Zip\7zG.exe
    Filesize: 125KB
    MD5: 32cda2390a78f107235fe2dfba13feaa
    SHA1: 8a8836d4fdc042a2d5613fa2a1b85bd8e099f972
    SHA256: 0325c385934c9160da3821c87bbd55a4f8dc6c48a93e498b7dc4d09ebf430d3a
    SHA512: d9848f83ea1f05ca22ead3f994453ad875cb4e5bb208bf8e091cf37fde9a89dd36dbe5cb92ea1b947ebd6031f8510624a9cf9604c9c46edda705261c8943ed16
  • memory/4848-0-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize: 180KB
  • memory/4848-1016-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize: 180KB