Analysis

  • max time kernel
    80s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/06/2024, 05:53

General

  • Target

    379788dfe178bdecc5ff7159ed8729eae34b5183f19a045bc7b265d572f89907_NeikiAnalytics.exe

  • Size

    232KB

  • MD5

    a820ce94b607ab36c7b039bafe047610

  • SHA1

    dd55eb9e729433d661a9e0f8c78df1648f8d7bc9

  • SHA256

    379788dfe178bdecc5ff7159ed8729eae34b5183f19a045bc7b265d572f89907

  • SHA512

    60cdaf8158e0a587af87d6e0b17aa6ecdead795a1bda9d5710cec030431b437735816beefd5ab4563c544f56ff5c733552469bbb5429dd0b72c47f5a6ee2f122

  • SSDEEP

    3072:p1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1Vne1i/NU82OMYcYU:ri/NjO5xbg/CSUFLTwMjs6wi/N+O7

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 23 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\379788dfe178bdecc5ff7159ed8729eae34b5183f19a045bc7b265d572f89907_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\379788dfe178bdecc5ff7159ed8729eae34b5183f19a045bc7b265d572f89907_NeikiAnalytics.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4640
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4640 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4864
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:4908
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:4480
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4744
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • Views/modifies file attributes
        PID:5028
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:4488
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4812
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:1648
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:448
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:1328
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:3720
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • Views/modifies file attributes
        PID:4976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\WINDOWS\windows.exe

    Filesize

    232KB

    MD5

    0ee754bdcdf92f7ccfeb8d075439bdda

    SHA1

    acf667f68805cfdfdf99aed4b7c8379f5109ee40

    SHA256

    0532da7ce0eb19fb736d5183e261595bf0f2b82668aecf834a42cbfddd051fb8

    SHA512

    5b41acbc1f3fb7e58c7445025782019e7c4c69cba17916df5be96c1b65fd8e1e1c865bb30893c96cfe4b8570c90f145a29c4685c365539448f1fa348d5ab3300

  • C:\system.exe

    Filesize

    232KB

    MD5

    4a918eafe19c55abd2b97df5eb34103c

    SHA1

    f41278f503c6b49f17943bab9428fb5ee731613e

    SHA256

    40f202204fc2a74e325c9510cba6f6d7ec9bc32fb71c28fe871b45e60a67a3c0

    SHA512

    6773f80d5e8d3eb2060435fe36cb651d94ae775080e2a74f6da659d92be96107d78aab773016edd5ec7eeaafd9202241b054d509c9187cc4f84aea248c2872c6

  • memory/3552-0-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/3552-12-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB