Analysis

  • max time kernel
    150s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 12:14

General

  • Target

    7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe

  • Size

    69KB

  • MD5

    7b514cbb5d3ab728d0f42524bcee1450

  • SHA1

    0acafd7ed7db3c0834a4f0a7fc228adb8ed541bf

  • SHA256

    48407974e0003d9e8654531426efd9860dd89b3c165a45a9516060cc6b029902

  • SHA512

    2d71bc1329106933f50b15af4a7991336e51d35bdf140fe717b65009f30ce8713bbabe05266b0a0a95e0211233ab1796989248f5ac19981dbfce977cf80858f3

  • SSDEEP

    1536:EJrFDMRyriCY/qXfatMp4Q2V6fIMxIpLC:0F8dCY85TE6fIMSRC

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4264
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2368
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3600
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1912
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3968
          • C:\Windows\SysWOW64\at.exe
            at 12:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1684
            • C:\Windows\SysWOW64\at.exe
              at 12:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1664
              • C:\Windows\SysWOW64\at.exe
                at 12:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1908

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          69KB

          MD5

          f12114194affd7d2d4e06bd488eedf72

          SHA1

          5b4d5a6f4ad2ae7fd47356d875bb56545cc9fed4

          SHA256

          03e2d4cc7d6f9fb9bd9cbd08fddcc3485d9c073f46035df47c27dcf48470b0be

          SHA512

          4521d9a86c3d62cd17ee26f389535b3e0889ee23c64819d50584f67d75efb6e2fdef82d9af6c1e937f74474e725767e2c9c9fa207b1b0bfa5a6eb2ed030b216d

        • C:\Windows\System\explorer.exe

          Filesize

          70KB

          MD5

          7975570d447a288f16dc0ac9bacef5e7

          SHA1

          adaf4c9505f017cc0918da5878e6caa4a8b8d3b3

          SHA256

          f04860f646bcfaf7d1c5de16455a3835655624ae2010abc28e71cccf85295cee

          SHA512

          a0783ea79b4f8655af8f8d0d6c581bec063d75c81df015e991b69dc4ee23017c19216216388e00adc39c141a71dba021d4c2a2ed21947f9f84f71872c227329c

        • C:\Windows\System\spoolsv.exe

          Filesize

          69KB

          MD5

          5a3260f5a207d98e73501a17417289e7

          SHA1

          52ccac3f760288c9fefa4129de4589c1e756aaae

          SHA256

          20465c8a55b6cf786d58d6605e3ea06e9217feb612b41647dd5420ce111f683b

          SHA512

          eb166f0691b24f1b091eb01c9e4013663e2daf6981d4de35999c31817786aa0b70e90443ecc8dbb45f786ee72ca7bc8cad4a7b6629fe307acd835e800a8fc576

        • C:\Windows\System\svchost.exe

          Filesize

          69KB

          MD5

          18e4f2da1f72699d3393eef054bc2837

          SHA1

          e9e7835381999bdbf3aa12c7581258e95cf47148

          SHA256

          aabe688816f4cb1e74b81ef7d0979932d36b5652ee295918f3c7fa1614925c94

          SHA512

          49723782a4e78d0780933bd199b3361c1aefcb32e01df33924a67882d5bca23371cdb5dbe6f3abee2e00f5719ae3fc102ebf066d12d4bb368030e1901ee754f7

        • \??\PIPE\atsvc

          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • memory/1912-42-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2368-51-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2368-41-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/3600-17-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/3600-38-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/3968-34-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/4264-39-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/4264-0-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB