Analysis

  • max time kernel
    93s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/06/2024, 21:06

General

  • Target

    09230f578281679a9ad3f2cfabb5a2a0_NeikiAnalytics.exe

  • Size

    349KB

  • MD5

    09230f578281679a9ad3f2cfabb5a2a0

  • SHA1

    b88ef94c8c18e08a1a66eeec7bc62e02e3e7f91b

  • SHA256

    b1da6aa045c82bc993a5d81f6c723f7565b8209e7a3439a69786d8fde775de2d

  • SHA512

    333e9b8e42213bb3fd0b535b7d731764095fabc2f9450237e9cfdaa833315abe036115d5ac0e67fa3e4899bb4c5dab09c0e2077a1f1651d01b3e967bde0830c5

  • SSDEEP

    6144:1VTQTSiexKAK4y6UvcZSeNH49qQQOH+ym4LLIoTqHSMaxzL:2SiOK4yjNQOGzoTCSMG

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Executes dropped EXE (1 IoC)
  • Modifies WinLogon (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Program crash (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\09230f578281679a9ad3f2cfabb5a2a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\09230f578281679a9ad3f2cfabb5a2a0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • Suspicious behavior: EnumeratesProcesses
      PID:412
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 828
        3⤵
        • Program crash
        PID:4276
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 412 -ip 412
    1⤵
      PID:4464

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\apppatch\svchost.exe

    Filesize

    349KB

    MD5

    9d3959d0428312651163a10472a6f1ad

    SHA1

    e3519e28506d61f2bcff8393cd36ac996e267bbe

    SHA256

    a971ee3b2b254418468ba7e35e9c16ca5949e7838c555e9e64cdd7f5f1f10449

    SHA512

    5b8527804847ab07d06a6a8a2d2df351209c4223fe88f8959ca5488715ffcbfa52a2e8c7afbe3c1465c2041ee96b3f0cb1ff9e53264cb56c8288456feebc527c

  • memory/412-10-0x0000000003430000-0x000000000347A000-memory.dmp

    Filesize

    296KB

  • memory/412-11-0x0000000003800000-0x0000000003858000-memory.dmp

    Filesize

    352KB

  • memory/412-15-0x0000000003800000-0x0000000003858000-memory.dmp

    Filesize

    352KB

  • memory/412-13-0x0000000003800000-0x0000000003858000-memory.dmp

    Filesize

    352KB

  • memory/412-18-0x0000000003800000-0x0000000003858000-memory.dmp

    Filesize

    352KB

  • memory/412-19-0x0000000003800000-0x0000000003858000-memory.dmp

    Filesize

    352KB

  • memory/2632-7-0x00000000005F0000-0x0000000000659000-memory.dmp

    Filesize

    420KB