Overview

overview

8

Static

static

3

49ff9d53a7...cs.exe

windows7-x64

8

49ff9d53a7...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    25/06/2024, 08:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49ff9d53a798c36bdc34c13bab7ef793febe7336626653b2e4adf8eacfe550a1_NeikiAnalytics.exe

  • Size

    90KB

  • MD5

    6f37a87b612fc6a8f99d71525dcc4510

  • SHA1

    e1e2bc68d468f04e9d145ccbb410733c3ecc5ca1

  • SHA256

    49ff9d53a798c36bdc34c13bab7ef793febe7336626653b2e4adf8eacfe550a1

  • SHA512

    21f2e2f6be267055789c0d1b67e5a8214911babdd5e7ecc2c01911b1ec0c873a708f1983659dffe9da9b34775dd0e58c5b2e1bb8f3d6a54ccb12b7a907cf1233

  • SSDEEP

    768:Qvw9816vhKQLro34/wQRNrfrunMxVFA3b7glw:YEGh0o3l2unMxVS3Hg

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49ff9d53a798c36bdc34c13bab7ef793febe7336626653b2e4adf8eacfe550a1_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\49ff9d53a798c36bdc34c13bab7ef793febe7336626653b2e4adf8eacfe550a1_NeikiAnalytics.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\{164C4DD2-FDFE-440d-92EB-BFB96FAA94FD}.exe
      C:\Windows\{164C4DD2-FDFE-440d-92EB-BFB96FAA94FD}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\{4074FF5B-E1AB-478e-98D2-803A71A91CCA}.exe
        C:\Windows\{4074FF5B-E1AB-478e-98D2-803A71A91CCA}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\{379343A7-0D6E-49ac-8597-A9822281E035}.exe
          C:\Windows\{379343A7-0D6E-49ac-8597-A9822281E035}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2768
          • C:\Windows\{84569756-0415-4d83-AA4D-093A79E3EAFE}.exe
            C:\Windows\{84569756-0415-4d83-AA4D-093A79E3EAFE}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2992
            • C:\Windows\{FA1363E7-C903-4236-A72B-DA39935E924C}.exe
              C:\Windows\{FA1363E7-C903-4236-A72B-DA39935E924C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2080
              • C:\Windows\{995B7C67-9F1D-4a64-A51D-D3D17E6C59E7}.exe
                C:\Windows\{995B7C67-9F1D-4a64-A51D-D3D17E6C59E7}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2860
                • C:\Windows\{DBFA3F00-143C-4963-8495-141457AE21C2}.exe
                  C:\Windows\{DBFA3F00-143C-4963-8495-141457AE21C2}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1152
                  • C:\Windows\{EFD2D845-B7DD-402f-A32E-10AC164255C2}.exe
                    C:\Windows\{EFD2D845-B7DD-402f-A32E-10AC164255C2}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:316
                    • C:\Windows\{F5A71529-79AF-46a5-B9FF-87EE4139AE28}.exe
                      C:\Windows\{F5A71529-79AF-46a5-B9FF-87EE4139AE28}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1828
                      • C:\Windows\{22F7E6DE-4F19-4fcf-9FAA-522BE5F69D17}.exe
                        C:\Windows\{22F7E6DE-4F19-4fcf-9FAA-522BE5F69D17}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2916
                        • C:\Windows\{694057B5-D07E-461f-9FE9-FAFA0AEAB3DD}.exe
                          C:\Windows\{694057B5-D07E-461f-9FE9-FAFA0AEAB3DD}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1304
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{22F7E~1.EXE > nul
                          12⤵
                            PID:576
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F5A71~1.EXE > nul
                          11⤵
                            PID:1180
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EFD2D~1.EXE > nul
                          10⤵
                            PID:1240
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DBFA3~1.EXE > nul
                          9⤵
                            PID:1584
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{995B7~1.EXE > nul
                          8⤵
                            PID:2864
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FA136~1.EXE > nul
                          7⤵
                            PID:1916
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{84569~1.EXE > nul
                          6⤵
                            PID:2064
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{37934~1.EXE > nul
                          5⤵
                            PID:1896
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4074F~1.EXE > nul
                          4⤵
                            PID:2724
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{164C4~1.EXE > nul
                          3⤵
                            PID:2660
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\49FF9D~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:1252

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{164C4DD2-FDFE-440d-92EB-BFB96FAA94FD}.exe
                        Filesize

                        90KB

                        MD5

                        44a267ec628ec515be64573dca3d6685

                        SHA1

                        2b81a2223f5f8eaa42ce073b2536f1e0d3054375

                        SHA256

                        54d6aec8966e7863131812f7283dd7a58de3867546519ab1e463c9fabd78de34

                        SHA512

                        bea28382eb23b36acc0676baa1ccc25f4aaeded12c3fdc3eccfef5578da90b0c2eddd68faaff3df15b7dfe31326a604f33360aef4b71e3dcb4e72c9dbb407720

                        Download Submit

                      • C:\Windows\{22F7E6DE-4F19-4fcf-9FAA-522BE5F69D17}.exe
                        Filesize

                        90KB

                        MD5

                        3bdea9b5479ef9e89debc0ee4576f291

                        SHA1

                        c631fa139738a338904b54afd2a56e2c32168029

                        SHA256

                        37d98267031f0299a79832eddd1833bc12df55546b02bd7395da0e12a66973ae

                        SHA512

                        745d3465fee5ee85c8644ef97204a9023c6c50a48483db593ed1b392b8da746335cd3ef3e36f37098b5bfe94aa924777e87d2bb05205781d0cd31cdfb49191e8

                        Download Submit

                      • C:\Windows\{379343A7-0D6E-49ac-8597-A9822281E035}.exe
                        Filesize

                        90KB

                        MD5

                        02d4e7fd74d7a342acab3cd3c4e41be8

                        SHA1

                        8e2f6dd9b97ec383d2b4b59fcbeda053d08170ba

                        SHA256

                        1b2d08fb8dd053d72e470599142ed63d19a30fc78cb28503aba12b3b4084163d

                        SHA512

                        1374a84c2dcfaf526972ce8602910ebd3db390b8b5e78e2283208884bbec60b71f4b3324a17de78769c5b549205c1c9afa252306a57ea272ee489cf8db592147

                        Download Submit

                      • C:\Windows\{4074FF5B-E1AB-478e-98D2-803A71A91CCA}.exe
                        Filesize

                        90KB

                        MD5

                        0f35c9f03572aeb647d1cc04570a04c3

                        SHA1

                        cafe80bbb2977b008e095a9365c1417e122d6353

                        SHA256

                        843160eda14fe38edf067c6e2ff723dcaf0703e2479f6d6bf65bc1d6af07cb6a

                        SHA512

                        75299d076ab775b32b26bd5600e198bae7ec96089f21332ba116e1cd1c7320003e6f28594cfabdadf2d77dcf8e693aa5e5883899bd969866a8582824781c333c

                        Download Submit

                      • C:\Windows\{694057B5-D07E-461f-9FE9-FAFA0AEAB3DD}.exe
                        Filesize

                        90KB

                        MD5

                        8f569fcece1f6719f3ecbeaa1c7d4946

                        SHA1

                        cc64d8b0943f8d9127de7fb482d178331bba9518

                        SHA256

                        f9a2dd35d09f6d2ae624fe6e08f276ff0e2306a8068d8331da27ddad8e9059df

                        SHA512

                        bf0bc4397b1776219751fbed775a21cccdc8b6c9b52b879b2ef4db2d660ec911e0b80da7493ef577274f7f6b01db99f2578259ea381a87e8adf941daf2948ef0

                        Download Submit

                      • C:\Windows\{84569756-0415-4d83-AA4D-093A79E3EAFE}.exe
                        Filesize

                        90KB

                        MD5

                        c165cf3ef22504cf9bd492720a6e0281

                        SHA1

                        feacfc12e380028390347046744546e3195778c2

                        SHA256

                        8a434d1a04769ff24c7223ae71384ce730e0f150e472f547bc646c55ee728c50

                        SHA512

                        ccae46fbdb284a7afb931079e4afa9043396a6d8a2b51d925b72f7aa5a10a5f0dfec381d1855a7e862d66a16c877be7acf39bdd0a3644ea65a43f1ec2aee00a9

                        Download Submit

                      • C:\Windows\{995B7C67-9F1D-4a64-A51D-D3D17E6C59E7}.exe
                        Filesize

                        90KB

                        MD5

                        d067c8ec9e68061a038ace61925a6be4

                        SHA1

                        3fab0f7b3ffa276ef2e522c19450def73149a617

                        SHA256

                        9457fa6bc1e4f4fbf7a71252cd8b3ff3aa50cccd0f2de8054dbe936e22c4fa60

                        SHA512

                        382dd457deef6fc5ddf505649d96d2888462b34959ed73a72eb6907141808e9175dbdd17391ad656c636fe547a2702d704c7c9e30f75715fd22004e1eb207199

                        Download Submit

                      • C:\Windows\{DBFA3F00-143C-4963-8495-141457AE21C2}.exe
                        Filesize

                        90KB

                        MD5

                        ec5f9e62babff0c1019319680f14fdd2

                        SHA1

                        3564ec7d57b8b67fe2d07cc812936db9f0a783f0

                        SHA256

                        79727858ae83b555753f3cbf45abc27dbd65dd721e27599c0cc049ac05397832

                        SHA512

                        d71b2f74929179d4808782bf60969f62982ae013bd40a04f69586d5ec6d36b5489a172a236943b585665c04fc050d42ca5b8f6ce012d629b04282001dfd43b1e

                        Download Submit

                      • C:\Windows\{EFD2D845-B7DD-402f-A32E-10AC164255C2}.exe
                        Filesize

                        90KB

                        MD5

                        10cdeea38e666e0cdf286da8cb4ed9e5

                        SHA1

                        84b381c2b60e9cdc5ea172f40903a4a006c5b61f

                        SHA256

                        52459a5bcf84c0f4a0e02b5f7429d2dac12d5966407e43fca155dca1027b182f

                        SHA512

                        0bfa17644a20f73b1a342e608cc0cc2d7993a9b5dab4d5545e745bc9dd6cd86c375d6f76c5358089a54669845a6adc0ecadb4f9d3ec8f36538e9161e6e44cd98

                        Download Submit

                      • C:\Windows\{F5A71529-79AF-46a5-B9FF-87EE4139AE28}.exe
                        Filesize

                        90KB

                        MD5

                        44b49c2fd12eded909c9fa9a5bdd682e

                        SHA1

                        23f48fd531771165554120a4eda455c295112dba

                        SHA256

                        c4cf2b04109ac4091247adc1e3def23f887fd29912ae5319bc6dfe31fa58fae9

                        SHA512

                        d39b28cba8fe27a822e4b69ddb039786756e13a5f974251b6226dd78dfe52cdf63d9465a29906b401c774aae054d4fd0c42f5f31113cd41bdeefa1c9f2a0b364

                        Download Submit

                      • C:\Windows\{FA1363E7-C903-4236-A72B-DA39935E924C}.exe
                        Filesize

                        90KB

                        MD5

                        c5cbbccf2993aa76de1eba8df727ed1a

                        SHA1

                        b39366b0879b3f87191d8053ab9d8d90cef3d01d

                        SHA256

                        3468a48517398cdbf2ad6317df55c10ca58f955d2a484ebf93877663f6e5437f

                        SHA512

                        199d84553613abe58a2ded0155c99d4de3798d6339019357e02f824453d08539d73052cd26455750aea09dd6b2a6c6e1ad7cecf56400cc9a7bd607e49ede787a

                        Download Submit