Overview

overview

8

Static

static

3

422568ff8f...cs.exe

windows7-x64

8

422568ff8f...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    27/06/2024, 03:03

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb_NeikiAnalytics.exe

  • Size

    89KB

  • MD5

    fad7c493906bae1384218917ca67ba50

  • SHA1

    db66f3efd4cff9726bfe1b0a6d6e2de5fa7701f7

  • SHA256

    422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb

  • SHA512

    1d8a1abde4e4e67761bc44bacd36874d231363cce5d6499de4f56fd1111afa47685e4f10bf192b24f6c6fc72de4617fe1db96c6cd72ad8942ef45380a5506069

  • SSDEEP

    768:Qvw9816vhKQLroM4/wQRNrfrunMxVFA3b7glL:YEGh0oMl2unMxVS3Hg9

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb_NeikiAnalytics.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\{A0187CBC-81E6-4064-9FFC-BAEDE95A1B46}.exe
      C:\Windows\{A0187CBC-81E6-4064-9FFC-BAEDE95A1B46}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\{58BE1E19-C899-4ee2-BE46-0D8F1E6259D1}.exe
        C:\Windows\{58BE1E19-C899-4ee2-BE46-0D8F1E6259D1}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Windows\{0D98A387-76B9-479e-87E0-42AFF703D6B7}.exe
          C:\Windows\{0D98A387-76B9-479e-87E0-42AFF703D6B7}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2420
          • C:\Windows\{0C0CFB91-B659-4803-A710-53A482119B45}.exe
            C:\Windows\{0C0CFB91-B659-4803-A710-53A482119B45}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:360
            • C:\Windows\{93ED0473-8B56-42d5-A6F3-B38430456A0B}.exe
              C:\Windows\{93ED0473-8B56-42d5-A6F3-B38430456A0B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2644
              • C:\Windows\{4BEE1809-3917-4860-9257-17C69029C1A4}.exe
                C:\Windows\{4BEE1809-3917-4860-9257-17C69029C1A4}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1560
                • C:\Windows\{4C343D8A-7C1C-47ac-BC2C-A5791AA12509}.exe
                  C:\Windows\{4C343D8A-7C1C-47ac-BC2C-A5791AA12509}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1640
                  • C:\Windows\{8E76F0DF-5367-46ea-AA1E-B7CB6438CA24}.exe
                    C:\Windows\{8E76F0DF-5367-46ea-AA1E-B7CB6438CA24}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2020
                    • C:\Windows\{6F840BC5-2342-41ae-AEDB-278FCD7330FC}.exe
                      C:\Windows\{6F840BC5-2342-41ae-AEDB-278FCD7330FC}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1940
                      • C:\Windows\{272497CA-97FB-410a-A2ED-711C6F809E3A}.exe
                        C:\Windows\{272497CA-97FB-410a-A2ED-711C6F809E3A}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2240
                        • C:\Windows\{3E36AED8-5A91-4068-AF1D-061CD1FEED0A}.exe
                          C:\Windows\{3E36AED8-5A91-4068-AF1D-061CD1FEED0A}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2748
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{27249~1.EXE > nul
                          12⤵
                            PID:2768
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6F840~1.EXE > nul
                          11⤵
                            PID:688
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8E76F~1.EXE > nul
                          10⤵
                            PID:2224
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4C343~1.EXE > nul
                          9⤵
                            PID:2880
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4BEE1~1.EXE > nul
                          8⤵
                            PID:2372
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{93ED0~1.EXE > nul
                          7⤵
                            PID:2124
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0C0CF~1.EXE > nul
                          6⤵
                            PID:2756
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0D98A~1.EXE > nul
                          5⤵
                            PID:2384
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{58BE1~1.EXE > nul
                          4⤵
                            PID:2664
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A0187~1.EXE > nul
                          3⤵
                            PID:2684
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\422568~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2508

                      Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Windows\{0C0CFB91-B659-4803-A710-53A482119B45}.exe
                              Filesize

                              89KB

                              MD5

                              bb51f218d1fb9c3912fc47e4bc272adb

                              SHA1

                              8c093d5021b262d0df37cd7186139a52832c45ea

                              SHA256

                              fb443ab05af5dc29a30ef8cc8874b7a8694a6e9433c84ae3907930c686098696

                              SHA512

                              2a2ce30744e1b951b658346547fc1d8df419f4d716eea1aa13f6f97914f70a45163376ba4b2729716d08cd0f0d128e2ee4cef7a51f99e877f1026986d9b11f03

                              Download Submit

                            • C:\Windows\{0D98A387-76B9-479e-87E0-42AFF703D6B7}.exe
                              Filesize

                              89KB

                              MD5

                              78c0e6ad4a5f61ba95bd8a660fac429e

                              SHA1

                              d980eafce5f5be7cf5c4e66568d9198917377553

                              SHA256

                              46ecc5af762518ba565745001cb69fbc36de11178c9d35496572912b6d93652e

                              SHA512

                              00f312d45672ad173e8cd6f8ab17863b4385cf2428a3880a1285f54062f230aa4ecaf2f894c92693cd351aa59ac2a870be783908fe97900ce3c2b0055e918f1c

                              Download Submit

                            • C:\Windows\{272497CA-97FB-410a-A2ED-711C6F809E3A}.exe
                              Filesize

                              89KB

                              MD5

                              09b540617236e810901ceec9cb9859c9

                              SHA1

                              5265ac200b1cf03081b4f4ef72b1df6259a34b7e

                              SHA256

                              d686aff79045819deffb0d640ed4e4869a2cc7ff7ba89bf0d7aca177dcc871af

                              SHA512

                              e9123391a172643a6f9290ccd476408450b40fa0a226f783b270dc56fad49754b529b2e1e24d1eacbb2bdc55bb31dffe5acd72a59243e7efb9154ffd38ed5fb7

                              Download Submit

                            • C:\Windows\{3E36AED8-5A91-4068-AF1D-061CD1FEED0A}.exe
                              Filesize

                              89KB

                              MD5

                              4e51c682800ba89f8128e1abea386f97

                              SHA1

                              4f8cc2e59f51891ea66f182725db4cb91dfe6dcb

                              SHA256

                              3cd3f28dbdfb90eb5dc3170934b41fece117808e491cba989cb1e12ed6630d32

                              SHA512

                              b1fbd7c3ad5f71d0e9761d54f0f2800891ec3942deb94f24f15161ef2561dc57754a5593efe5a9e83a04b0e4325c2f364efc961129b625b738dd55c787259f72

                              Download Submit

                            • C:\Windows\{4BEE1809-3917-4860-9257-17C69029C1A4}.exe
                              Filesize

                              89KB

                              MD5

                              3db74503c4e3f0592e839373f5c546a6

                              SHA1

                              bbbfe2fff57bdcc45153da14379d2837423fa852

                              SHA256

                              b24e5fd21e841fc7431c3745ba9fa20dc4b2ff9fa4973be56b03e4af05324ec3

                              SHA512

                              e8d874665389390fc22dcdc5d3eda9149a330a6729a1006a1407a0c7c21a50be3584dc325cedaa6a08df790b2785c0242a7fb3c99702ad3f150e1c2a597aeaca

                              Download Submit

                            • C:\Windows\{4C343D8A-7C1C-47ac-BC2C-A5791AA12509}.exe
                              Filesize

                              89KB

                              MD5

                              832d862932d2042648e7012b3d67badc

                              SHA1

                              90fdc7697c45e2883d2b2794234da04e0d1599c5

                              SHA256

                              4a7f97aa28f2860b29ddad55b6aedb6a9981755ff9154d4b894f8ac5a9e19001

                              SHA512

                              cd5d0a933cd8b6914270f309928b6da39f15adca85c43ea4821d1cb1a8b035dde1935bb4e677b2a03c46ad0cfa0d87b8ff4564c64564f6e3c5c6c840d8aa39c1

                              Download Submit

                            • C:\Windows\{58BE1E19-C899-4ee2-BE46-0D8F1E6259D1}.exe
                              Filesize

                              89KB

                              MD5

                              2dfbfe136f01caf318a6d331e5d4807f

                              SHA1

                              d2bc08284c20de8919c1051e2e05e4f2ad17230f

                              SHA256

                              f2466e372e9ba89e0d403e126f25011698a51efb7dbbda29a1a649a53072b635

                              SHA512

                              d3e1c6ed61538cb0e775a3a78704fb6c02b0b6db5ebfe485ec3688db9b952367c54f0392cd401e19814d8640adedad5fc21e6a11226514d2b9f6b940738c46e1

                              Download Submit

                            • C:\Windows\{6F840BC5-2342-41ae-AEDB-278FCD7330FC}.exe
                              Filesize

                              89KB

                              MD5

                              2a4229cf945dbfaa5a24b13eb961a010

                              SHA1

                              5aead06fe886ed6de27da59bc49ca1ee4cf095a4

                              SHA256

                              df0eb9aaec34b499f8457b7bab7a4edeca602d07a3e45db785831af51f3a6c04

                              SHA512

                              5be3b145e5771da01c613d0f812be449ae56407ca77be896734be17a6fbf85f616bfda2d151c7301e0180f8614ada36a0cc55435ace9ce410fc54e80b7c17957

                              Download Submit

                            • C:\Windows\{8E76F0DF-5367-46ea-AA1E-B7CB6438CA24}.exe
                              Filesize

                              89KB

                              MD5

                              224e4e5f3d28e7b913138210da0d44f1

                              SHA1

                              a966f3c0d2f345cb4c09cce9dbfaa80f80081e53

                              SHA256

                              ccb1cb654e5c2ba227ee1b79669ce95e14f55f9f67a3b40db92a99f3c1203aa7

                              SHA512

                              a1d779713521f0c8e8cad0838ee699377d94c5881f481210127bf4bd149fe751cdb0965e06dbc8842c56289568ac94bdd604e44aa9b7127f0d77b718f92d9905

                              Download Submit

                            • C:\Windows\{93ED0473-8B56-42d5-A6F3-B38430456A0B}.exe
                              Filesize

                              89KB

                              MD5

                              23778e13db7e0a8b23da47e53d68c92b

                              SHA1

                              0fbaab35fea2ed236fa2354b76bbc72a7cf8712f

                              SHA256

                              50a4d84f78d337adae082b4d3f770c9a8f0e3855734cf9fef6c8abd40ca1cc95

                              SHA512

                              f85832e3218b930113c48a6672fd38790ba7dc65ed34c28d991c3669c0e3c06b7ad4286db31749a81395c198fb5cbfeb03f88808e91a3b6262773f2f47e30c8d

                              Download Submit

                            • C:\Windows\{A0187CBC-81E6-4064-9FFC-BAEDE95A1B46}.exe
                              Filesize

                              89KB

                              MD5

                              9e774ec114561dd93c2e21826029f0b0

                              SHA1

                              448d0411c13874affcba487b7f74091281776350

                              SHA256

                              1740d93c90b55fbf448d24e649e824bca05bbe4d7d35df2c59e64141683b181c

                              SHA512

                              51f19ba33b6b85841fc7483b4ff123b5e997602b407ef2f53d518738a5c95d79eb57588b2bb304faf1632e2b9d76ff7c67f280830f1f62d26727e244622fc3e5

                              Download Submit