Overview

overview

8

Static

static

3

1336225b18...cs.exe

windows7-x64

8

1336225b18...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/06/2024, 22:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1336225b1887939b08767f3466eac707251f5869db2b7575715e301b904dcbe5_NeikiAnalytics.exe

  • Size

    124KB

  • MD5

    827806b0db3be1c2b9a0d2fbc89cf1d0

  • SHA1

    b294292235a931ba3841c8081786171ad42f8bcc

  • SHA256

    1336225b1887939b08767f3466eac707251f5869db2b7575715e301b904dcbe5

  • SHA512

    69b60f613dfd8f8ca992aedaa38b5929c9e6177156cdfaf0f360b0b1356d6b8803ea25a95e418fd39ff18a0a117c73c7ce4735e8506405261acef1f0af2144a7

  • SSDEEP

    3072:X1i/NU8bOMYcYYcmy5cU+gTn6HOjDhWrzvvQwlgOts5YmMOMYcYY51i/NU8:li/NjO5YBgegD0PHzSW3Oai/N

Score
8/10
defense_evasionpersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
    defense_evasion
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\1336225b1887939b08767f3466eac707251f5869db2b7575715e301b904dcbe5_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1336225b1887939b08767f3466eac707251f5869db2b7575715e301b904dcbe5_NeikiAnalytics.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4640
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4640 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1324
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      PID:4612
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:3100
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4148
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:2132
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • Views/modifies file attributes
        PID:3560
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:4584
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:752
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:1412
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:1432
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4812
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • Views/modifies file attributes
        PID:3740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\windows.exe
    Filesize

    124KB

    MD5

    5ef69fbb393310db6b5fbb23c9ce42a2

    SHA1

    fa5253a71e50bdcfaff144e8a12f27a05f890ee8

    SHA256

    1d148ac7dd5f933671e01016a1cc592a46222430b2f73ce6c76bbee44a6389b4

    SHA512

    a4e0b4e7415fa7f8f60bafe3e77e074eea4596f5f9aa37eaa859350846b29e5d3a2f57eb5bad67eff5e4d6c362d2c0a0a40bcaf551daccad747392e87dad3635

    Download Submit

  • C:\system.exe
    Filesize

    124KB

    MD5

    70525d04457d22b77114e6504e095d01

    SHA1

    f86a22657dc2b5c1371fe8ae5e8b053066ad8c81

    SHA256

    c7b2b0eb3f36d696c10d8a9053ac411b64c5f9f832e6d662811b4789db2a736e

    SHA512

    d5642a895e2f1b07a445a3d21e5a040c4be01469c0a4c06bd2495a3b0c77aefc785e5e07df14dd1a3b4e866cd31b2f914c3aebd8d75aa6e5b363e56aea9361ac

    Download Submit

  • memory/788-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download