Overview

overview

10

Static

static

3

37cafec88e...cs.exe

windows7-x64

10

37cafec88e...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/06/2024, 11:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe

  • Size

    200KB

  • MD5

    37cafec88ef43c1466e375348a25ca40

  • SHA1

    3bc12b95e3c5f2ed1dbc20b09cbc79c4badb4958

  • SHA256

    a8faf39a76ff711323dbce85117f3d33e4cfacf6975867cc232762345fc6ffe7

  • SHA512

    f2193e8773e85134746c6f60eb02a3a1cccd93938488fd3c65056094e39bec1c85b4361e5557735e4babf011a2a72e3779f43b22c215c9be7c580699521e4792

  • SSDEEP

    3072:7vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6uBL9i6:7vEN2U+T6i5LirrllHy4HUcMQY6C9i6

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2020
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5032
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4072
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4916
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4328
          • C:\Windows\SysWOW64\at.exe
            at 11:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2440
            • C:\Windows\SysWOW64\at.exe
              at 11:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:364
              • C:\Windows\SysWOW64\at.exe
                at 11:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4856

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          216KB

          MD5

          b569b8a3e7ae9412189eb5cc3fc40f81

          SHA1

          d10cfe580edbffa2874c1dae4b4508328c94b75d

          SHA256

          21a85761fee3808a1ea0c31b788b311404d84d4ec48f5bb3632f460033906c16

          SHA512

          e67ed33e68a2a8e176d63fd0f7f5dc8478cbbd928a89c1bea4762476574e19be4cfbcc8f4a29019771ad07b1db43af9a461ecae1c61ba5ecd5130bb3cacc082e

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          216KB

          MD5

          b4d9c68da54734eb4e8e7a999a9f5af1

          SHA1

          791bfdba4fa74bf2e3a3096b68fd2807ac0142a6

          SHA256

          dd1cf92145da7c07d4da5d1a2ff4a9153a762073b7695d65d44aa8d8d2fc38a9

          SHA512

          1e16ff574092005aaff8fa39bad344a5a6b990a910562d170c05d63639bf8424ef38ee714c52527bbaade0878afb6b746a31ec4b015f6b6ef586a204fbf06519

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          216KB

          MD5

          9e66df374dbfa9c662e74f52ddf06857

          SHA1

          dd448bb7f76e0b95e1fe7467c92d7c94281f75db

          SHA256

          ae4ae4d94f5230c78cd35a169dd5b868c652e420109fc358c7697d1bec94eff5

          SHA512

          2ea12fb0f723e88f7a704153a830c3223a0533314697fd11a06bcc0e6ca9c939823856774a61dff2011580cbcadbd7edcba89ce6bf2e7b4f0bb6f1f05250918e

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          216KB

          MD5

          d0a44dea401bc50cd06032e762a58203

          SHA1

          04c73950488132ae2127642bb4c8ae431f738026

          SHA256

          8aeff12620a15b44b94dfa5515b8e0d298b0b1090ada8fa9b4a4b689de8d090e

          SHA512

          303410afd9e7ba9bfdf46747a2ade62fe67128e2ca08b960139137f01a3c3151866347fc14c16b04c7074c2e4fef4d8c15b1e6e746612e5e11185e1003f6f632

          Download Submit

        • memory/2020-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2020-37-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4072-36-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4328-29-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4328-35-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download