Overview

overview

7

Static

static

3

a7d713b5c5...cs.exe

windows7-x64

7

a7d713b5c5...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/06/2024, 05:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a7d713b5c5afd331d0f61a235e72cd40_NeikiAnalytics.exe

  • Size

    464KB

  • MD5

    a7d713b5c5afd331d0f61a235e72cd40

  • SHA1

    944b379de5feb71c58b6ef47d1f4f7d001aff5bc

  • SHA256

    a7c3917d9a373260010ad28f74786005155daec97dde20abc21cf3e489e8c332

  • SHA512

    e956111ff631647cc956749f7e47890d4a6b855d204089ccae5aed51e44de99d094812ce70ab2369855f46b9b39f37797f332c35fad31577c1fecd07fa9c9e06

  • SSDEEP

    12288:Qslc87eqqV5e+wBV6O+Yx8yy9jB+/TZ8ZCBgS67X:QsSqqHeVBxlxR61+d7j6D

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    PID:3500
    • C:\Users\Admin\AppData\Local\Temp\a7d713b5c5afd331d0f61a235e72cd40_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\a7d713b5c5afd331d0f61a235e72cd40_NeikiAnalytics.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Users\Admin\AppData\Roaming\iexpywiz\notekill.exe
        "C:\Users\Admin\AppData\Roaming\iexpywiz"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1660
        • C:\Users\Admin\AppData\Local\Temp\~4AE4.tmp
          3500 475656 1660 1
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2960
  • C:\Windows\SysWOW64\certdial.exe
    C:\Windows\SysWOW64\certdial.exe -s
    1⤵
    • Executes dropped EXE
    PID:60

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\~4AE4.tmp
          Filesize

          8KB

          MD5

          86dc243576cf5c7445451af37631eea9

          SHA1

          99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

          SHA256

          25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

          SHA512

          c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\iexpywiz\notekill.exe
          Filesize

          464KB

          MD5

          e7ff839e99122a9655a1f8e41526ec98

          SHA1

          e1dbebec720f4ab393e1e800ebf2c5fd60cac698

          SHA256

          b3b741ec340370b15c6437362c4e9e1924fec7bebf3c17bb89baa90d8ef7d244

          SHA512

          d769d6fcf8fc9bf1bd6c75a2e904233a4f1ff801b95e10cba4b37cbfc3755b1e836645eb145256d176f22a49aeb8fd3f476be17efeca7d59d280cc4c33d606ec

          Download Submit

        • memory/60-14-0x0000000000480000-0x00000000004FD000-memory.dmp

          Filesize

          500KB

          Download

        • memory/60-18-0x0000000000400000-0x000000000047B000-memory.dmp

          Filesize

          492KB

          Download

        • memory/60-13-0x0000000000400000-0x000000000047B000-memory.dmp

          Filesize

          492KB

          Download

        • memory/1660-11-0x0000000000640000-0x0000000000645000-memory.dmp

          Filesize

          20KB

          Download

        • memory/1660-10-0x00000000005C0000-0x000000000063D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/1660-9-0x0000000000400000-0x000000000047B000-memory.dmp

          Filesize

          492KB

          Download

        • memory/3500-23-0x0000000004860000-0x000000000486D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3500-22-0x0000000004850000-0x0000000004856000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3500-20-0x00000000047C0000-0x0000000004844000-memory.dmp

          Filesize

          528KB

          Download

        • memory/3500-19-0x00000000047C0000-0x0000000004844000-memory.dmp

          Filesize

          528KB

          Download

        • memory/4112-0-0x0000000000400000-0x000000000047B000-memory.dmp

          Filesize

          492KB

          Download

        • memory/4112-1-0x0000000000670000-0x00000000006ED000-memory.dmp

          Filesize

          500KB

          Download