Overview

overview

10

Static

static

3

663aff4200...cs.exe

windows7-x64

10

663aff4200...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    13/06/2024, 06:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    663aff420066f660104e1c5981b8b970_NeikiAnalytics.exe

  • Size

    65KB

  • MD5

    663aff420066f660104e1c5981b8b970

  • SHA1

    4e62c216d4c375c28d6cb7727179df2adad1a9a5

  • SHA256

    138e7770a2ed04e277b683d74089cee64a5795047dbad79ec0deffec66f77560

  • SHA512

    940b5fbc15d8e798fe922399092f5850b74db935859afbfd98a39d74d08f5db68fe40067df87b58c70e5eeb0557a674a0dd7b227afa2d2988b502c9192026754

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Oud:7WNqkOJWmo1HpM0MkTUmud

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\663aff420066f660104e1c5981b8b970_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\663aff420066f660104e1c5981b8b970_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2108
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2352
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2708
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2736
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2564
          • C:\Windows\SysWOW64\at.exe
            at 06:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:836
            • C:\Windows\SysWOW64\at.exe
              at 06:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1520
              • C:\Windows\SysWOW64\at.exe
                at 06:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1280

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          65KB

          MD5

          761c78ca2c94c32b85c190f25b89e10d

          SHA1

          dc1cb413f871fb950913f6c8c297a27133b56108

          SHA256

          a9fa9b0075970f4d8abcb13511dd14bb60c91571f107731bf861017085282fcc

          SHA512

          6ff19cf134606b84aac7fc04398540ef05e551e303b8863251ecf96400e3421dd168f563e70ca1b5a7247509df716f8cd2a478820958ba1cb689cd6ad80066b6

          Download Submit

        • \Windows\system\explorer.exe
          Filesize

          65KB

          MD5

          4472d46ec6fa443957da330df9d8e778

          SHA1

          cd26fc556a89f6ef6132458404fe40807c524cec

          SHA256

          c6ee952286aab272bf9835e30359e2f32cd7d5c70e200e7c404c03a71487984b

          SHA512

          adbde6b5d4df6d8dc22d02703efb5f4743a64245d95686361444e2b57ac0da9c7c8d2d8c46328f13b11895a69abe48f5d4d63f1b151249cb95de228c9b79d84f

          Download Submit

        • \Windows\system\spoolsv.exe
          Filesize

          65KB

          MD5

          1578cb88e4480829ccd5c0ffdff86415

          SHA1

          463323857abce4a5b38bf9fd514cee464095a5db

          SHA256

          06e07a1aafc10c0b749748f0f783c415903c310269b59b5d3e01c26454ee5917

          SHA512

          efdcdc783cdb78f5ec984bad140122af1b7d3d585a7eb543ef0942061f1ec7f00e4219b278bc47ac7d2a269e3a36a538b5516df54bf8d36e110cd5d7a598b22a

          Download Submit

        • \Windows\system\svchost.exe
          Filesize

          65KB

          MD5

          cbcd724a28ffd5786a047c05249c29a1

          SHA1

          b2e2f8671a40d3c1376b89f2ff3095011013e4bd

          SHA256

          34ef97700892d1796937ba12f330d49c4b2b7a2bab53c3fdb6b35f37f3ec1c8e

          SHA512

          d5e8810f3d5e8b67ceb6adf1f99a6e5a0a35482f47876e4e0a1b8be83407840f7f883c5e3d4bdd200a740d17fe3c0ba2d68e0bb4690098ed0b12db350a57d867

          Download Submit

        • memory/2108-2-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2108-13-0x0000000002C20000-0x0000000002C51000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2108-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2108-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2108-52-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2108-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2108-78-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2108-77-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2108-55-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2108-1-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2352-18-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2352-35-0x00000000025B0000-0x00000000025E1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2352-19-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2352-91-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2352-80-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2352-21-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2564-72-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2564-66-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2708-40-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2708-76-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2708-36-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2708-53-0x0000000003170000-0x00000000031A1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2708-54-0x0000000003170000-0x00000000031A1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2736-65-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2736-56-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2736-82-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download