Overview

overview

10

Static

static

3

09230f5782...cs.exe

windows7-x64

10

09230f5782...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16/06/2024, 21:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    09230f578281679a9ad3f2cfabb5a2a0_NeikiAnalytics.exe

  • Size

    349KB

  • MD5

    09230f578281679a9ad3f2cfabb5a2a0

  • SHA1

    b88ef94c8c18e08a1a66eeec7bc62e02e3e7f91b

  • SHA256

    b1da6aa045c82bc993a5d81f6c723f7565b8209e7a3439a69786d8fde775de2d

  • SHA512

    333e9b8e42213bb3fd0b535b7d731764095fabc2f9450237e9cfdaa833315abe036115d5ac0e67fa3e4899bb4c5dab09c0e2077a1f1651d01b3e967bde0830c5

  • SSDEEP

    6144:1VTQTSiexKAK4y6UvcZSeNH49qQQOH+ym4LLIoTqHSMaxzL:2SiOK4yjNQOGzoTCSMG

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09230f578281679a9ad3f2cfabb5a2a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\09230f578281679a9ad3f2cfabb5a2a0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:292
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 504
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2456

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Windows\AppPatch\svchost.exe
          Filesize

          349KB

          MD5

          88dc4329464d5f3109820945047830d3

          SHA1

          da30399d15e17b46ad8176ea39c0cccc69c50f23

          SHA256

          8bbf72c23492cb94303c894be3116bd24773fb9d68ec051e03c45d4500838144

          SHA512

          a60f9973b76080affb2bee90df99ef9e8cb7d405d68cb50745fb18c0c3aa67bc60273927eb6f928f8b5257d538666af367ab7601937aad2ea19e1ec3bfa90b85

          Download Submit

        • memory/292-13-0x0000000000BC0000-0x0000000000C29000-memory.dmp

          Filesize

          420KB

          Download

        • memory/1560-22-0x00000000001D0000-0x000000000021A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1560-18-0x00000000001D0000-0x000000000021A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1560-16-0x00000000001D0000-0x000000000021A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1560-20-0x00000000001D0000-0x000000000021A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1560-14-0x00000000001D0000-0x000000000021A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1560-23-0x0000000000C00000-0x0000000000C58000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1560-25-0x0000000000C00000-0x0000000000C58000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1560-27-0x0000000000C00000-0x0000000000C58000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1560-34-0x0000000000C00000-0x0000000000C58000-memory.dmp

          Filesize

          352KB

          Download