Overview

overview

7

Static

static

3

0895daa32c...cs.exe

windows7-x64

7

0895daa32c...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    19/06/2024, 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0895daa32c1809e576285f1474f73f63a3b3a3d1415c172abbba04842c1af8dc_NeikiAnalytics.exe

  • Size

    126KB

  • MD5

    a5ca9a1b811122f473ead86aab726e30

  • SHA1

    b8704f61bc0eaa49f61b8e7edf9f8557f568920e

  • SHA256

    0895daa32c1809e576285f1474f73f63a3b3a3d1415c172abbba04842c1af8dc

  • SHA512

    2138f51067281c549c92ef729ec941453c256afcec47a500dfaad2e6345a135f8abebec31dcb8cc13c83a0f7ad46d5796e34f677d149a2954f8b62911a15d481

  • SSDEEP

    3072:LEboFVlGAvwsgbpvYfMTc72L10fPsout6S:YBzsgbpvnTcyOPsoS6S

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 31 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 23 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0895daa32c1809e576285f1474f73f63a3b3a3d1415c172abbba04842c1af8dc_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0895daa32c1809e576285f1474f73f63a3b3a3d1415c172abbba04842c1af8dc_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530405D474A422F565840 0
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
  • C:\Windows\system32\cmd.exe
    cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1A\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530405D474A422F565840
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Program Files\Common Files\Microsoft\1D11D1A\KVEIF.jpg
      "C:\Program Files\Common Files\Microsoft\1D11D1A\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530405D474A422F565840
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530405D474A422F565840 0
        3⤵
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1A\1D11D1A123.IMD
    Filesize

    127KB

    MD5

    e7be3cb0b32154dad9d66d84dc0a33fa

    SHA1

    2651c5f144b7803ed4160fb0b348a421860ffe6c

    SHA256

    7ec87667eed1f040c48e7d13c8833d484830533f2896370a85f2b0390563c0c9

    SHA512

    d1586140e1a0d116b8d8fad9431b571719be3881217f4b94590302b5400ad737b16f3865f2a1f5eb5302d8538e61836eeab4631de6bd104c002e127b4fd4e90b

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1A\FKC.WYA
    Filesize

    108KB

    MD5

    f697e0c5c1d34f00d1700d6d549d4811

    SHA1

    f50a99377a7419185fc269bb4d12954ca42b8589

    SHA256

    1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16

    SHA512

    d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1A\KVEIF.jpg
    Filesize

    126KB

    MD5

    d7dfc5b12e34ac052056fd79c91c1864

    SHA1

    7b5b8402462e487012463f18aa63880389729be0

    SHA256

    ff135b9b5e82ee14ae70991b26829cd2cd9a4b8beacd0e321ae28fd979d59379

    SHA512

    49a9176418077f5e6d5be2433ffab7e5635c42a2cbad67d845f50bf74e5fba4633629c35653d97e667fdd0fea13f029acb7cf21dd47dd6fbc7311dcf33adcc86

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1A\KVEIFmain.ini
    Filesize

    711B

    MD5

    edf57a159d89c74d574e64237f5cd3a0

    SHA1

    697952f59abf0a22706ca9f8b5dbd7b76bd3eaf4

    SHA256

    f12dd975342a86b311e3e982a3e37275372272b0c850e7e6823918a7969620b6

    SHA512

    38f4b10b428e2a5799ceed02de83f1a78908e00a1c2b1989ef81f83796965da5ff2700047655a6bc0ae26df52318e6dcdfde561d53673344216913a3a824d16c

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1A\KVEIFss1.ini
    Filesize

    22B

    MD5

    2056c975629bc764596c2ba68ab3c6da

    SHA1

    35e3da93ce68d24c687e8c972f8fa2b903be75b8

    SHA256

    8485a6ec9ad79a1ed2331a428944711c4064f0c607017dae51c7e7f65fe70ff7

    SHA512

    c4d4932e81956578e505ac454d964ccd1d7d123e8393d532db15ba42e456ceff8394baba021e8ae7ae2f9aef0e51840aecef12252cf9c6766e8b247eb08e86ae

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1A\ok.txt
    Filesize

    119B

    MD5

    14a2147c07a06de588498de745852a15

    SHA1

    9b089a7716f2d07d9f1de98bc30c4d532eebd418

    SHA256

    47424d9c3361d7b47b9d71a62dd2a5c078a9416aeb712cc6e9453102b7f6c555

    SHA512

    821383cbdb3d3e033970f5a8b9995e6e89047727f7bfeb83319487f6f83f329f2dbec06b7621cd9d37465017f89219de24bd6fee3e8d7ec025f87d1694feaff5

    Download Submit

  • C:\Program Files\Common Files\Microsoft\1D11D1A\KVEIF.jpg
    Filesize

    126KB

    MD5

    ff76d635c9db08ff6b2a816d378f5e16

    SHA1

    8f909ad13bc8d77b3080e957cbe5d6c8ae3bd621

    SHA256

    9d4ed75cb112acd568ccf7a33f3fd6c499d59871d303895f3889c645804132fe

    SHA512

    e02d54522fd7feb2151fa0f97bd6bce9922447edcf44d35f646b26a8aebd1fe325ea8f384e33dd7e6c6257ab7ab13b3b6e82b0aebbcd0cfa3dfb312237321f04

    Download Submit

  • \Windows\SysWOW64\kernel64.dll
    Filesize

    1.1MB

    MD5

    9b98d47916ead4f69ef51b56b0c2323c

    SHA1

    290a80b4ded0efc0fd00816f373fcea81a521330

    SHA256

    96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

    SHA512

    68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

    Download Submit

  • memory/1256-172-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1256-219-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2008-19-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-29-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-21-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-17-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-25-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-15-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-32-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-27-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-33-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-23-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-31-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-5-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-7-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-9-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-2-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-11-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-13-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2008-3-0x0000000000220000-0x0000000000275000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2712-75-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2712-98-0x00000000002D0000-0x0000000000325000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2712-96-0x00000000002D0000-0x0000000000325000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2712-94-0x00000000002D0000-0x0000000000325000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2712-92-0x00000000002D0000-0x0000000000325000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2712-90-0x00000000002D0000-0x0000000000325000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2712-84-0x00000000002D0000-0x0000000000325000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2712-82-0x00000000002D0000-0x0000000000325000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2712-80-0x00000000002D0000-0x0000000000325000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2712-88-0x00000000002D0000-0x0000000000325000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2712-77-0x00000000002D0000-0x0000000000325000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2712-100-0x00000000002D0000-0x0000000000325000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2712-86-0x00000000002D0000-0x0000000000325000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2712-78-0x00000000002D0000-0x0000000000325000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2712-74-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2712-73-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2712-70-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2712-69-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2712-217-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2712-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download