Analysis

  • max time kernel
    121s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 08:22

General

  • Target

    6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe

  • Size

    232KB

  • MD5

    6c6ffe6dec9996e509c8b17333d1ed50

  • SHA1

    a1d7fec43b3268afd22cf92f6fb6a4f418c741e3

  • SHA256

    363b9c1d79698e5dfe0dbc430a76c424629420fa7d4bf9399df566855acc0e6c

  • SHA512

    5c5d7968ce74fea3b70a8e21379cd2170519f41450f5adab7d04026eb723e5f6ed3539a8a0fba0ea70a7648050bb36d59c769454a1a254e5f82f60f06d42a9ec

  • SSDEEP

    3072:m1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1VOz1i/NU82OMYcYU:Ai/NjO5xbg/CSUFLTwMjs6oi/N+O7

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2516
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:2556
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:2752
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • Views/modifies file attributes
        PID:2588
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:2428
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:2544
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:1152
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • Views/modifies file attributes
        PID:1508
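The tree above is the whole story of this sample in the sandbox: the Temp-resident executable spawns cmd.exe /c attrib +h to hide Internet Explorer shortcuts and the two copies of itself it dropped (C:\WINDOWS\windows.exe and c:\system.exe), and opens iexplore.exe on a hard-coded URL. Note that the shortcut paths use the Windows XP-style, Chinese-locale profile layout ("桌面" is Desktop, "「开始」菜单\程序" is Start Menu\Programs, "启动 Internet Explorer 浏览器.lnk" is "Launch Internet Explorer Browser.lnk"); on this en-US Windows 7 image those paths do not exist, so the attrib calls on them are no-ops and the hashes are left untranslated as indicators. The following detection logic is an added example and not part of the report: it runs over process-creation records (pid, ppid, image, command line, the fields a Sysmon Event ID 1 or EDR feed provides) and flags the three behaviours. The sample events are constructed from the tree above (a subset, with the PIDs and command lines copied from it) plus one invented benign control (PIDs 4100/4200, an explorer.exe child hiding a document in the user's profile) that must not fire.

```python
"""Detection logic for the behaviour in the process tree above (added example):
a Temp-resident executable spawns cmd.exe /c attrib +h to hide Internet Explorer
shortcuts and its own dropped copies, and launches iexplore.exe with a hard-coded
URL. Events are modelled as process-creation records (pid, ppid, image, command line)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample input: a subset of the report's process tree (PIDs, images and
# command lines copied from it) plus one benign control (PIDs 4100/4200 are invented).
SAMPLE_EVENTS = [
    ProcEvent(3000, 1, r"C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe"'),
    ProcEvent(2156, 3000, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan'),
    ProcEvent(2720, 3000, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"'),
    ProcEvent(2556, 2720, r"C:\Windows\SysWOW64\attrib.exe",
              r'attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"'),
    ProcEvent(2940, 3000, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"'),
    ProcEvent(1152, 2940, r"C:\Windows\SysWOW64\attrib.exe", r'attrib +h "C:\WINDOWS\windows.exe"'),
    ProcEvent(2996, 3000, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"'),
    ProcEvent(1508, 2996, r"C:\Windows\SysWOW64\attrib.exe", r'attrib +h "c:\system.exe"'),
    ProcEvent(4100, 1, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    ProcEvent(4200, 4100, r"C:\Windows\System32\attrib.exe", r'attrib +h "C:\Users\Admin\Documents\notes.txt"'),
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# "attrib ... +h <target>": the target is the last argument, optionally quoted.
ATTRIB_HIDE_RE = re.compile(r'\+h\s+"?(.+?)"?\s*$', re.I)
# An .exe sitting directly in a drive root or in the Windows directory.
ROOT_OR_WINDIR_EXE_RE = re.compile(r"^[a-z]:\\(?:windows\\)?[^\\]+\.exe$", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid: dict, ev: ProcEvent):
    """Yield parent, grandparent, ... with a cycle guard (PIDs get reused)."""
    seen = {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def is_sensitive_hide_target(path: str) -> bool:
    """Hiding shortcuts, or executables dropped into the drive root or the Windows
    directory, is the behaviour seen here; hiding a document in the profile is not."""
    p = path.strip().lower()
    return p.endswith(".lnk") or bool(ROOT_OR_WINDIR_EXE_RE.match(p))


def detect(events) -> list:
    """Return one finding dict per event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        base = basename(ev.image)
        # Did any ancestor run out of the user's Temp directory?
        from_temp = any(TEMP_DIR_RE.search(a.image) for a in ancestors(by_pid, ev))
        if base == "attrib.exe":
            m = ATTRIB_HIDE_RE.search(ev.cmdline)
            if m and is_sensitive_hide_target(m.group(1)):
                findings.append({"pid": ev.pid, "rule": "attrib_hides_shortcut_or_dropped_exe",
                                 "detail": m.group(1), "from_temp": from_temp})
        elif base == "cmd.exe" and from_temp and re.search(r"/c\s+attrib\b", ev.cmdline, re.I):
            findings.append({"pid": ev.pid, "rule": "temp_exe_spawns_cmd_attrib",
                             "detail": ev.cmdline, "from_temp": True})
        elif base == "iexplore.exe" and from_temp:
            m = URL_RE.search(ev.cmdline)
            if m:
                findings.append({"pid": ev.pid, "rule": "temp_exe_opens_url_in_browser",
                                 "detail": m.group(0), "from_temp": True})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"PID {f['pid']:>5}  {f['rule']:<40} {f['detail']}")
```

On the sample input this yields seven findings: the three cmd.exe spawns, the three attrib.exe executions against the .lnk, C:\WINDOWS\windows.exe and c:\system.exe, and the iexplore.exe launch with the URL; the control event (PID 4200) is not flagged. The attrib rule deliberately fires on the target alone and only records the Temp-ancestry as context, because hiding Internet Explorer shortcuts or an .exe in C:\ is worth a look whoever the parent is.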

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b5f3cd501fdae126ab3f3d0a4bd9d14d

    SHA1

    2ef064250979abd52d1b05bae10f86bd838f85c4

    SHA256

    2949914a4d7553223d98b8c6a18b3ef11f1ebdef914c08b5180a640a080b7e71

    SHA512

    f6496c57efb0c093e1414a6de9e87da3d2ccca880c27f56e99e154a2b809d7626baaeff29cfa2726eec4ad5b4802599d076e4d77564933efb41fa863e5547ee3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6083aef146065ac434f1202f021db1ad

    SHA1

    a253682941525ac4c1bde57bed77cc57cb300aed

    SHA256

    a80935e380b96c8d95ef04c4f1d2d333323c6c00fe13aebbafda7ce9bdf01b87

    SHA512

    7b045d96b81fdbd8d0fdc91cef30552a240a1a91f0378030ca92831bcbb8c1acb2e91c24eaa44c9985c45bac7e9984f5c150ef0b8a6c28f0df56bd64d2295a1f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c4431a8d0b226a14db90feab016b9c7f

    SHA1

    0549c39927b55c9042b8c9380e401f11f9366d2c

    SHA256

    35be1941d0732bc04c521bee5cda52987f10f01842869060e15fb1a55a51bfe2

    SHA512

    6654786d08f8f011a564c698306694d9badaa7c7e18370a41b30d52247cb0a66ceb57b4a7189d313fd867c0c04ae04c4603528a1c40f9db614324bc27474537e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    81c5c0d5fa16e71c550d19cbd3642ae2

    SHA1

    8d9305e484de1ad1777f05c582b18d5f3d916810

    SHA256

    61e8ad89a4d7b7e11bbf438647bdc5f5881305033ae5bff3d8fe47847b915f8a

    SHA512

    cf38255527d077dada05c2dc37909b17650be51f55d77f7bd8c7c74f671c9781e85900de1b5ea3507bdc5fddac0f03de7967f9e93a161c242cdd14ac7a55e0e7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f3d2fe150341199dc586c7cdb65aafba

    SHA1

    565e55f5c428c44115c4adaac8f3aefe95cc8f0e

    SHA256

    c3917db21acc72fee71a0c7ae6482db254d972c4a0e7e35b14c2b779a892c05f

    SHA512

    6087174a1a61c7b77edaad941a4f8e7232204d969825ca1373567d29ab52fb2bb3273eee5f559caa35e9a8d2be0491978cd543ac22001f47afd488b355ee79d7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    66b0d42d0fbbdbb91299a0d68e34931b

    SHA1

    13974bb85463af886bd9ee271ad90c54b5e0e7ef

    SHA256

    256b42fd8767c51b263ec71ba9ffd44376d764b43013590b10a09b21602fe9a8

    SHA512

    08b0179ec760b7916c5347f433ae6635820f2c1e6a96f9f0bdf8d1af8651a154d52faadc5b9efe29da155b8ee59bc6ffb92e236a059d0f5b3c4de8d3fa7f9b8d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6380b2b5fc5dcbd6bf46832ee04b5b5f

    SHA1

    d0de4ed877085e987e3a70636fbfd9253a03b571

    SHA256

    1ffefb8f4481e770758def283ff8d41e7a38dbe3f266df9f897f445977df3459

    SHA512

    67e5441dfc4322d05ef512da98925f85761ffb4ab5bf380b1ad77cc8eeb14ff4ea522784dbd7855f1e351b3d6f411fd3c03606de849478e8e94873e320bd4a57

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ada0706f4f9920f28db3ad1eb56fe817

    SHA1

    08e44997d3d20db3f368824ba52fbb53dd038e8d

    SHA256

    89dc38747f5bbc41573461437928dff6e48f52b11d99ebf5e6af957575159598

    SHA512

    90a07106ea5abebeb5271abc053bc5bf1682ddcf1f25acc97ba65e2ff30089dc8a9163e2589f80df48279f7627e8427fb7f40ef3036fd1c0b09e29f02b6a8d83

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b5aa252b2ad671daa25699a86fe09703

    SHA1

    614c5ea86544ea514db7c4bb4f8fb1c062fa0975

    SHA256

    7ed5826424277e32bf09453c3561ef8d43f4e9690822fac6cb840603b50b5672

    SHA512

    d03749101bce62797b73b62f7970b70e736d916296e7cf0413abe8962b032c398d5c8f8fa2ab4a49f309cc6a32bc19d5eecb77fe6ef8acf6d3a35669a7032874

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    edcb170a815261246138e0703fe0fb51

    SHA1

    4e3d52a1a5152f3cc69890e8c9e535139fa97baa

    SHA256

    6cb635b89f7c71df082de09b2e51d15318c497f76b14ba4222808253187bfb59

    SHA512

    5c52933b43c98f35b67376bfcc869d5a70421b66772fe03df24344865d2c914c4466b86b6f809a9a9b795c81da7b89d071767e004db9d8066e47d1b614d50cbd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fcb758c5f85c5b7c3a7cb11d0045dad4

    SHA1

    5e62672ed57470f17c88238ef499877364007d93

    SHA256

    eb1863520f84abb5e7868546d8da076d2752bc18ca211db9a52521eb560dd04b

    SHA512

    261f4301d6901dbf075b91f40db0c93db993c8043885b477708779babb94b187198c6e947e804f273d61756c264ee41eafc6b39b7d65f947ba100c7195218c54

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7edc1488b12b09a0d8360f87b3d9bdc6

    SHA1

    db45454745da8cf5d6ea2b27e448e6d256ce1400

    SHA256

    5b174601681ccdf43f8829c7c09a564f13a7f4051127135cfe14c1bfedadb0d6

    SHA512

    4e10e3afb1d2741f07daa9015cd36711adb7517e762ba0b802747d0fcf1422c33a9ac487f9d02b39e6f7821f5dcd670504b307c38a6bdb4bf34d1e05e6cb31cc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6e1560e4032798006bdaefd039b56d57

    SHA1

    123aa53292504fb784b4a0b77c4430ea7481991a

    SHA256

    f60a1e48a796e87a10570f25e5100a8b09d1200355d3360b6acc892e39a09ac3

    SHA512

    3ae94840a83bef50717de6268083ac2ca28753c800e9b2a5e09020ddd85e0db8752aaf5091ebe1452fe149a06ebe2ba976b234dcd26817c3c3b87a12256ff364

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9d82701c297c67180afe0ea887171f7f

    SHA1

    b44717e99e4af6bad8892fd1e35dd3aabda49513

    SHA256

    46b7152044857dcae7e69c55ac2da444a03bfbf300f55c4c13b11ededdcb0172

    SHA512

    a73eb31869d2d49e47c031043d116919a77104a5c205bd402c14b080de30065067a3342622c3dabad9ad8a796a54fd47798416c38c0e0ce8373708e8b720e660

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5fcd9d66ce940cf46c2a72462f5e80aa

    SHA1

    b61bd0c5cec27603aa02c2ad61905ff9c582d428

    SHA256

    3063c8a268a06d3ba9e1b1285ade5157a88a237924c0d2535da693090bcbc20c

    SHA512

    01eba2a02f6b8bcf0fa2bdf4c2fe0ef241e78c2b03b4e2ec3d2460fbaa5698df92ef4f0fa0b95ea109697652de060a92b5370a03cc1c527318a3f5f71fb20325

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0f349589e3ebbacaf664e3e3ec97283e

    SHA1

    edb0090fc0f85808c665cdaa6e27e15d474296d7

    SHA256

    f5900ff2119ae8d7a7085cf35a7ffeb9886556b80813cc4cd0aeee08a03533c3

    SHA512

    616bdcd7b03393a6439bdf740972400afefb953d07000daf79ae6cc640ad01d5f6623c4593283147bdaa81f8d084cd0e68494798b2840e3c381a8dab3e826e84

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3c014dc374540dcd1406c6ec56364b24

    SHA1

    4821db6e41d325fbf6592d0139e65e8228f9d11a

    SHA256

    22200c21602d44de27fd7d82a515aa020905b80628fbe2fc60082de4599b5da6

    SHA512

    97255a2f6abab6f91e5b536cedcad99de2a8c40f047f09e53a1ef66363a9ed2421637a66bcb2f489eefff4467c152c862570bb0a1a80ffe46ecfbd41a3160fa2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    80f41712519ab4e1687634fcaa10fcac

    SHA1

    891eeb669872e8aa0b8a02ee1cb0af030376592b

    SHA256

    83aa136e960cd87ea3cbfbbdea52bd89ef06c01ccd0995248817b50a2ebb0ee6

    SHA512

    83cdf4e5a0781c9c5f2d298c35a138b76c953df77c20eed9f0dd56fde887420f8aca5de8714e6cd062e123502028ddb5b3a0385c80a938cac772a49078cb12fb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7d1c1a2f8bfdb9d2d88ec4e2c883b769

    SHA1

    65e3f1876d61a1f43fc7eb11bf76a5b42ca1917a

    SHA256

    b47c5af495be60442385feba6f00c12f684d18b17719163f398fd14149a79152

    SHA512

    5b771318e13209e947a8ca7435d05e0e77d6df21b8aa2b3fd4b63986a40130c92241cb6c38c890bd24f7fa73c64f1fe8b9512678a5112a99dc81e71dd74000c1

  • C:\Users\Admin\AppData\Local\Temp\CabDDB5.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\TarDED5.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\WINDOWS\windows.exe

    Filesize

    232KB

    MD5

    0a7646ec3b42de8f1d20859722186b7e

    SHA1

    965789c39ef97b038abf4e7c09e5c24031730466

    SHA256

    ecb26fd5c7d0cbd707bcef90dd8d1d3c401eaf3e2e65343659240b860fcfd8dd

    SHA512

    cb558a290c2f4339ed45344fc107f0556c653d8e14a41b19cbb26c4bef01e0cdfa2ec022dd4d394552d7a9d4a77d20aad78e2290a84a0a46dc0791a48c748e81

  • C:\system.exe

    Filesize

    232KB

    MD5

    69a912ca464521e0816fdc115df5097f

    SHA1

    867d0cb5c60e14b3e049a335d38f688850ef5d47

    SHA256

    33b5d7598d756f7b567e7278e12bf1a76b27ac4fa232e1122d25bbb787916f1c

    SHA512

    19553fc417e663a521377fe59ce3da9af1f6a492692ae3f78e49ce7731f4d3e727709134b960e32d7047e4c9b6f45105bb5c1de1bba72dfa67cbd7b454cada0b

  • memory/3000-0-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/3000-12-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB