Analysis

  • max time kernel
    150s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 22:52

General

  • Target

    8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    8dd2b1e33f02ca6eeb0f93757e194ce0

  • SHA1

    3d99a59556a2271f75c94dab434c4b86fdf112a1

  • SHA256

    b94ba828a6c0b387882445f2bc344a339e1a55c031e173643462f4a95075144f

  • SHA512

    a1856ba512a12e0729fad4400ae6823743da9a46d1fbaafe5b2697975fc4e48a947ed5f686888d5c3a5fede963257c6d07e795e5dfab00805d4c3bdcf65fc529

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiT:IeklMMYJhqezw/pXzH9iT

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1680
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2672
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1060
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3984
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1852
          • C:\Windows\SysWOW64\at.exe
            at 22:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:3904
            • C:\Windows\SysWOW64\at.exe
              at 22:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:4860
              • C:\Windows\SysWOW64\at.exe
                at 22:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:2280

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        • Persistence
          • Boot or Logon Autostart Execution (T1547): 3
          • Registry Run Keys / Startup Folder (T1547.001): 2
          • Winlogon Helper DLL (T1547.004): 1
        • Privilege Escalation
          • Boot or Logon Autostart Execution (T1547): 3
          • Registry Run Keys / Startup Folder (T1547.001): 2
          • Winlogon Helper DLL (T1547.004): 1
        • Defense Evasion
          • Modify Registry (T1112): 4
          • Hide Artifacts (T1564): 1
          • Hidden Files and Directories (T1564.001): 1
        • Discovery
          • System Information Discovery (T1082): 1

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          1432f37ac10ee2e035ea8fba4bec3f00

          SHA1

          0f7d5bb644fc084c4df8f1d30ed2eb096441bb6b

          SHA256

          0c1e8f438a89004c5d39540f1837453d24db4264dbdc9ecac53ae9166bae43ab

          SHA512

          2191fd8e6347d9e2fdca50e9c6350ac1df94e9f5a00e0863db3e4480bfd153091bf6a18c258c9271d59f5e6150250610d209354672b1a4e7bb548d187cf058f8

        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          eb939894e0a3c62c7b2fb6d27d836dde

          SHA1

          36d69cc35a407c66ab834c0da5357ab791284fbd

          SHA256

          2f25f33b47ece38bc0ea6ec3e3875ce730b10a987b59e97fa8d55027be3fd755

          SHA512

          eb2661002bb7d8928323aa98126c2ecbef86a04bb70047909dd78cda120a11c13443bf471dcb97f2c5e6f6ce6057966823a28d19110c371208d7c1242b5aac40

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          f7d3abc5c534e5acf1936d1978831989

          SHA1

          17402ea1bee30aff6429d5837d7ae3846389f1dd

          SHA256

          2e3681c54f5cdbc14c78c20cfbe77b2f6722cea39c9fdf92d969faa50bc4f118

          SHA512

          5ba664244bc404029eeb08f27d5638bf45811c0128d0f32d1387a390302c077594ba6b1bb69e9b9d8311e2086c09809a1f61a4109c783f91f26c5856179cdad2

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          84531e79f82d53112cd42be4cfa2a9d5

          SHA1

          e9d5c8ea15c9231a34a9626306979ebe86f5b70d

          SHA256

          e0aef42db09f8029640b11af023181e801e391414d41c32207860bfb2dc9e576

          SHA512

          e4e829768a497cd9c84df474c6bfdc182e10d70f2a5ffbac44d024cd5c80fa1f8d9d0d162b9b23d5449f569a766add49b6a87a49228f995fd06e683c7a1ada7d

        • \??\PIPE\atsvc
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • memory/1060-53-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

        • memory/1060-25-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

        • memory/1060-31-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

        • memory/1060-26-0x0000000075AB0000-0x0000000075C0D000-memory.dmp
          Filesize

          1.4MB

        • memory/1680-3-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

        • memory/1680-56-0x0000000000401000-0x000000000042E000-memory.dmp
          Filesize

          180KB

        • memory/1680-0-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

        • memory/1680-4-0x0000000000401000-0x000000000042E000-memory.dmp
          Filesize

          180KB

        • memory/1680-2-0x0000000075AB0000-0x0000000075C0D000-memory.dmp
          Filesize

          1.4MB

        • memory/1680-55-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

        • memory/1680-1-0x00000000001C0000-0x00000000001C4000-memory.dmp
          Filesize

          16KB

        • memory/1852-44-0x0000000075AB0000-0x0000000075C0D000-memory.dmp
          Filesize

          1.4MB

        • memory/1852-43-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

        • memory/1852-52-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

        • memory/2672-58-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

        • memory/2672-14-0x0000000075AB0000-0x0000000075C0D000-memory.dmp
          Filesize

          1.4MB

        • memory/2672-16-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

        • memory/2672-69-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

        • memory/2672-13-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

        • memory/3984-37-0x0000000075AB0000-0x0000000075C0D000-memory.dmp
          Filesize

          1.4MB

        • memory/3984-60-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB