Analysis

  • max time kernel
    91s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-06-2024 08:22

General

  • Target

    6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe

  • Size

    232KB

  • MD5

    6c6ffe6dec9996e509c8b17333d1ed50

  • SHA1

    a1d7fec43b3268afd22cf92f6fb6a4f418c741e3

  • SHA256

    363b9c1d79698e5dfe0dbc430a76c424629420fa7d4bf9399df566855acc0e6c

  • SHA512

    5c5d7968ce74fea3b70a8e21379cd2170519f41450f5adab7d04026eb723e5f6ed3539a8a0fba0ea70a7648050bb36d59c769454a1a254e5f82f60f06d42a9ec

  • SSDEEP

    3072:m1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1VOz1i/NU82OMYcYU:Ai/NjO5xbg/CSUFLTwMjs6oi/N+O7

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3756
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3940 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3196
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:4064
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:700
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:4248
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • Views/modifies file attributes
        PID:5048
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3564
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:2732
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:1208
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3300
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:2792
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3076
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • Views/modifies file attributes
        PID:656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\WINDOWS\windows.exe

    Filesize

    232KB

    MD5

    e706b502a0445b3694684f6db39fd01f

    SHA1

    b376b23f044d1fb699a4852c0fdc2dd6309a9c4f

    SHA256

    a7853828680ff3550c3b6c556ae5c3fb6caab68126658f3883599592b723159b

    SHA512

    a0a17de6bdabbf4d939e4acf073938496e4128b11face1046d4da7cddcfa06388eb540563831205b8182d96be67fcb39b617d2057ab093879ac61c757ebfa811

  • C:\system.exe

    Filesize

    232KB

    MD5

    c87c9b1345356d243ff802b454e2c9a3

    SHA1

    0a52667ad3290bc50d851245606882b9b10e144a

    SHA256

    ca01a3cdfa36a3ca0e9d2c5924ef3f946f2087b9ec4b8837e9f5051a3814d593

    SHA512

    b126709cb35297c06c37be9592185fb9549716298af430d3a9717a7cfe5a8f543d7aed5c03fda7be8b0e598b40fc4d603f8e33cda3fe7fe0bc545c541ebc7418

  • memory/3756-0-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/3756-17-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB