1093d454744c2fadb8f8744fdc03f9b8f70575deee13c162d7a5e76225c3c60f

Analysis

max time kernel
138s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe
Size

118KB
MD5

b46a12991a9135f8cfeeb503aadaa850
SHA1

6ccd9d6ab1d3315c05f84091ead34d55f297943f
SHA256

1093d454744c2fadb8f8744fdc03f9b8f70575deee13c162d7a5e76225c3c60f
SHA512

77152f905bd6707aac42851c430909136de7b174bad76b70c5f1cc4fc3b4655a64a1c37bf085c226b99e4edabb22687297fa357c23a958830da1e7723a8f4957
SSDEEP

3072:qJO248B0EMlISxbHPwYV/wlmNie0ROfOlX:qTLSzISxMYV/9i1b

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3448	winlgon.exe
3816	rgsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3092	216	WerFault.exe	84

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
216	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe
3448	winlgon.exe
3448	winlgon.exe
3448	winlgon.exe
3448	winlgon.exe
3448	winlgon.exe
3448	winlgon.exe
3816	rgsvr32.exe
3816	rgsvr32.exe
3816	rgsvr32.exe
3816	rgsvr32.exe
3448	winlgon.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 3448	216	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe	85
PID 216 wrote to memory of 3448	216	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe	85
PID 216 wrote to memory of 3448	216	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe	85
PID 3448 wrote to memory of 3816	3448	winlgon.exe	86
PID 3448 wrote to memory of 3816	3448	winlgon.exe	86
PID 3448 wrote to memory of 3816	3448	winlgon.exe	86

C:\Users\Admin\AppData\Local\Temp\b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:216
- \??\c:\users\admin\appdata\local\temp\winlgon.exe
  c:\users\admin\appdata\local\temp\winlgon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 600
  2⤵
  - Program crash
  PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 216 -ip 216
1⤵
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RCX4B9F.tmp

Filesize
116KB

MD5
0ed853e9d912905f001be6fdf45a8bda

SHA1
9ba59b82e72431d10cf4c95c0000c6976531ee1f

SHA256
ac89d20368b3438c5f8c0a3c4dd702ad600568e1c57d16a10c014924f60d2652

SHA512
c5a983aee812620d871a8b979fab0bcd4f51efdf0953a57db9a853fed3080f085954fd46393b2f667f62090499385cc6af4213f4290d0b877360d37e2e042de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe

Filesize
32KB

MD5
a22518e8a73ec19da806817d825d8a9c

SHA1
6f99e1591e1ce68ac44cd760729b2aeb2cba3559

SHA256
1ab5d2ea45fbff4444eabb45a3a31538730ce56f2b9c041bcab958e3c69db97b

SHA512
8f56ea79eab4b2e1d6b81981a9cd4f9652821b1cf17337ff3abf5796654fef08859fe4fa186015507b00ac606eefade1541235fcc6202ebf5257a1311638511e

Download Submit
\??\c:\users\admin\appdata\local\temp\winlgon.exe

Filesize
118KB

MD5
3c1682b44391d4d3b5fe139adbe591de

SHA1
dcef82a3610e783616d3355db58fb2432848ebad

SHA256
27df47b138b55782eccaa73689141ac01c5b36d548c7c2559565f9cca504cd42

SHA512
7f191016bfb32a3c9a0d9b1bd36ec634287000c0e152451570a081b449914a7f78dfe87f1f6eaf306ecb29f4f04def97177c6fe8293edb266bd7a260e8c1a962

Download Submit
memory/216-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/216-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3448-23-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads