Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/06/2024, 00:58

General

  • Target

    9559100eb61dc46e50ffd51978d9dce0_NeikiAnalytics.exe

  • Size

    206KB

  • MD5

    9559100eb61dc46e50ffd51978d9dce0

  • SHA1

    fcf6be090da5d05f2426f230ae992c2838861139

  • SHA256

    8a91cca756e95a86c9bca31ff06d42a255b27f12563a626e316ee6d9bf57c45d

  • SHA512

    17e9e12234cda406d0c49b5f624283556b3bc0334368b410e407f07e98f0e789a9fdf44671584cbef699ac8a3035537026cd8cf843efdb97545216823588db78

  • SSDEEP

    3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unL2:5vEN2U+T6i5LirrllHy4HUcMQY6K2

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9559100eb61dc46e50ffd51978d9dce0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9559100eb61dc46e50ffd51978d9dce0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2072
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2812
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2368
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2732
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2728
          • C:\Windows\SysWOW64\at.exe
            at 01:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:2700
          • C:\Windows\SysWOW64\at.exe
            at 01:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:268
          • C:\Windows\SysWOW64\at.exe
            at 01:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:2012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe

    Filesize

    206KB

    MD5

    7cc57684577b5ef0cd8ec0e253ef184a

    SHA1

    2116957c6bd3946940722542fde702a82d01b362

    SHA256

    986ddbc96bc1e28234e5ebf5dfc3bf07f6623a027741345dacb37cff24eb1919

    SHA512

    d5de24b473a214e89da165313821aef03553e0a3ffc9e85888e1b8cbf883af172abc70c79eb3fd10559f14fbd3cf1777091b9689ddb56059e584208a8055ad7f

  • \Windows\system\explorer.exe

    Filesize

    206KB

    MD5

    52d557c6407f680081d04c43e3b1c6c6

    SHA1

    8b87c26245414cd6e82c07100d55293b6b07354c

    SHA256

    da6ad3ba52d68f4ba8fb1e7ff6d8813d324515e264f119ff6299f1e041b58666

    SHA512

    8f87d5afc093f0fe639ba9456d0a827f6602d2b708d09968c779366e262c8b44cd525c1e81e1123654a976586c7f411d13763dd180e23c9c76e6d89766da7429

  • \Windows\system\spoolsv.exe

    Filesize

    206KB

    MD5

    2f9e5c5b2ff47d23830011a73fd15510

    SHA1

    4a52457a8928b69f3b5d1025b948f7ec506e38a9

    SHA256

    8815fac5890635c04523b56742825f588fa6b4f02d951e785de284646a4b89ee

    SHA512

    26335a5955695c93d6ed559c43ab63369adcc3b801046a6e8699af558eacdee231cc9208a0fd8c7673aeeb992ea22bfc64a5ee5709eeb6fcb14e83267b8e70d1

  • \Windows\system\svchost.exe

    Filesize

    206KB

    MD5

    616b5059ad2efd20e47bd80447d703d6

    SHA1

    179d00ed10a7ffc3cb1fc7f8d1ed619200e09edf

    SHA256

    9a44acac0780602ff9bde41a9f21faba801c35cc8786e82efa4925ed8c95a2f2

    SHA512

    15ad35bddb42fe643b7c0f291e1582bd79e7f602e2263dd1730d61283583fec381a47ca56001e99d938226c834fb51c6dfb02b0daea95897e20f7b36ee771392

  • memory/2072-0-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2072-14-0x00000000032A0000-0x00000000032E0000-memory.dmp

    Filesize

    256KB

  • memory/2072-13-0x00000000032A0000-0x00000000032E0000-memory.dmp

    Filesize

    256KB

  • memory/2072-56-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2368-55-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2728-52-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2812-23-0x0000000002500000-0x0000000002540000-memory.dmp

    Filesize

    256KB