Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/06/2024, 05:35

General

  • Target

    5558b5c2cae3957d8fd9305eec78a8ad7d9b8bd532656649c3b75c8e868f3c09_NeikiAnalytics.exe

  • Size

    256KB

  • MD5

    56cce82d7876c1d58a6ad74043a7b930

  • SHA1

    ad5ca126d6d37e3cb5ab88bd111dfa22a9a17572

  • SHA256

    5558b5c2cae3957d8fd9305eec78a8ad7d9b8bd532656649c3b75c8e868f3c09

  • SHA512

    88966139975d13c60e0117d213bae2af91b84f4d0204ff9f1daf87b35880b1fff4ba1e813175188a677022b9c60f235f3b2502474fce6a707ca273dcb61bd7f7

  • SSDEEP

    6144:KDLQxoyQ1LpnFyZ+dayL9rvolH8u3ZhGod:yQCyQ1LHk+zR7QHjGo

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops file in Drivers directory 1 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies registry class 37 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 62 IoCs
  • Suspicious use of FindShellTrayWindow 52 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
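The "VMProtect packed file" signature pairs with the memory dumps listed under Downloads: the file is 256KB on disk, but PID 1972 maps 0x400000-0x48C000 (560KB), the usual shape of a packed image that grows once the stub has unpacked it. The script below is an added example (not part of the report, and not the sandbox's own detection logic) of the static checks a triage analyst runs before opening such a sample: it walks the PE section table with the standard library and flags VMProtect's default .vmp* section names, sections whose raw data is near random, and sections that are small or empty on disk but large in memory. The PE bytes it analyses are constructed by build_sample_pe() for the demonstration; the 256KB sample itself is not reproduced on the page.

```python
"""Static packer triage of a PE file: section names, raw-data entropy and
virtual/raw size inflation. Added example, stdlib only; the sample bytes are
built by build_sample_pe() below and are NOT the 256KB binary from the report."""
import hashlib
import math
import struct
from collections import Counter
from typing import Dict, List, Tuple

# Default section names written by VMProtect (.vmp*) and, for comparison, UPX.
PACKER_SECTION_NAMES = {b".vmp0", b".vmp1", b".vmp2", b"UPX0", b"UPX1"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random; plain x86 code usually sits around 5.5-6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> List[Dict]:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table (40 bytes per entry)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": rsize, "entropy": shannon_entropy(raw)})
    return sections


def packer_indicators(pe: bytes) -> List[str]:
    """One string per indicator; an empty list means nothing packer-like was seen."""
    hits = []
    for s in parse_sections(pe):
        n = s["name"].decode("latin-1")
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"{n}: packer section name")
        if s["raw_size"] >= 256 and s["entropy"] > 7.2:
            hits.append(f"{n}: high entropy {s['entropy']:.2f}")
        # Tiny on disk, large in memory: the region the unpacking stub fills at run time.
        if s["virtual_size"] > 4 * max(s["raw_size"], 1):
            hits.append(f"{n}: virtual size {s['virtual_size']} >> raw size {s['raw_size']} (unpack destination)")
    return hits


def build_sample_pe(sections: List[Tuple[bytes, int, bytes]]) -> bytes:
    """Assemble a minimal PE32 image (valid headers, not runnable) from (name, VirtualSize, raw data)."""
    n = len(sections)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                       # PE32 optional header, zeroed
    first_raw = (0x40 + 4 + 20 + len(opt) + 40 * n + 0x1FF) & ~0x1FF   # file alignment 0x200
    table, blobs, raw_ptr, vaddr = b"", b"", first_raw, 0x1000
    for name, vsize, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, len(data),
                             raw_ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
        vaddr += (max(vsize, len(data)) + 0xFFF) & ~0xFFF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, len(opt), 0x0102)
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers + b"\0" * (first_raw - len(headers)) + blobs


# Constructed input: a low-entropy fake .text, an empty .vmp0 that is 384KB in memory,
# and a .vmp1 full of pseudo-random bytes standing in for a VMProtect payload.
_CLEAN_TEXT = (b"\x55\x8b\xec\x83\xec\x10\x33\xc0\xc9\xc3" * 410)[:4096]
_NOISE = b"".join(hashlib.sha256(i.to_bytes(2, "little")).digest() for i in range(128))
SAMPLE_PACKED_PE = build_sample_pe([(b".text", 4096, _CLEAN_TEXT), (b".vmp0", 0x60000, b""),
                                    (b".vmp1", 4096, _NOISE)])
SAMPLE_CLEAN_PE = build_sample_pe([(b".text", 4096, _CLEAN_TEXT)])

if __name__ == "__main__":
    for label, image in (("packed", SAMPLE_PACKED_PE), ("clean", SAMPLE_CLEAN_PE)):
        print(label, packer_indicators(image) or "no indicators")
```

Run it against a real file with `packer_indicators(open(path, "rb").read())`. Section names are the cheapest signal and the easiest for a packer to rename; the entropy and the virtual-versus-raw size checks survive renaming, which is why all three are reported separately.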

Processes

  • C:\Users\Admin\AppData\Local\Temp\5558b5c2cae3957d8fd9305eec78a8ad7d9b8bd532656649c3b75c8e868f3c09_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5558b5c2cae3957d8fd9305eec78a8ad7d9b8bd532656649c3b75c8e868f3c09_NeikiAnalytics.exe"
    1⤵
    • Drops file in Drivers directory
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      2⤵
      • Modifies registry class
      PID:4168
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yyyy.bat
      2⤵
      PID:4352
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2412
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
    PID:1548
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:804
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4124
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3612 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4120

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

    Filesize

    28KB

    MD5

    a7b5b124d1b2833f9f3e9215dd317398

    SHA1

    f7e14c4161c5cce7f0299f2b0b1fff2ce8bfb8a7

    SHA256

    1895fbb67509ba0b87f1d048378214bf7b5cff823c8cdcf85805789b19352aed

    SHA512

    f1d5030e3d2168fb82e8bfc536b5a55ad4d344adb0cf2735ec81e7da8e9c0097cd92b1bbd7a72b642404de3fa17e37e46819771e2d5ee5e5fd0bd62f316626bf

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133639401377529480.txt

    Filesize

    74KB

    MD5

    80dffedad36ef4c303579f8c9be9dbd7

    SHA1

    792ca2a83d616ca82d973ece361ed9e95c95a0d8

    SHA256

    590ca4d2f62a7864a62ccb1075c55191f7f9d5c5304ea3446961bb50f9e3916e

    SHA512

    826b97a4de7c765f8f5ebc520960f68381fd9f4bfe68c2fbe46c6118110c9c14a87dcb8ed8102e60a954b4b3c408f72e7a93fd96317be3d51120a2ddd2faa3ea

  • C:\Users\Admin\AppData\Local\Temp\yyyy

    Filesize

    256KB

    MD5

    fc2009da99e2ae2f2d5dd76e44d2a659

    SHA1

    2d7772fbd9d62610b9721cf66d37966b6e513395

    SHA256

    79f2cfba3b5a1f5169b876319b39a95f7700ce617b0d5b33e827b9303c77bd2d

    SHA512

    dfbe7ef1142afa4e3a1d006eacad10f2a72a167fae8d8b65955d67e9b179ef7bb84cf5e194fdc24d59bd2a82e83cc70120a8be9ed627d4daf84f96fc2e91b183

  • C:\Users\Admin\AppData\Local\Temp\yyyy.bat

    Filesize

    337B

    MD5

    d21b509416aa2e5642b817c57bd44035

    SHA1

    a629185e0409df859881562ab0a103adfae1ef6e

    SHA256

    6361e7d6282c9eea7a2b58bb2ad26a55e77456d8820da4f152ab141f60af0ff5

    SHA512

    3464b7df88ffbf6f9adb6499b1221829ea429a1d500e783c31ba9b208b88f8fe65e06e69d84993d7701e2763f85d5a76597b883de4c733ce1f8419b5301dae74

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    2KB

    MD5

    6f332dcaeeb548cceb98beb934ab3d55

    SHA1

    e48872682e514e95dcc14ff9bbdc6e0bef723fca

    SHA256

    7937ea22b6d3b09f8d41afef1371aaee906657aafce6678b0b449931a1a8c4c0

    SHA512

    e695693e246253fa969b57c20c4147009846d7848bc092c97aa830daf2f89e0c1a1850cb0c7e5715a95ebf19cdf58726eec3a9820f0b8820e495234ce22f2844

  • memory/1972-1-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/1972-25-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/1972-0-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2412-39-0x0000000004720000-0x0000000004721000-memory.dmp

    Filesize

    4KB

  • memory/4124-64-0x000001BAE5F20000-0x000001BAE5F40000-memory.dmp

    Filesize

    128KB

  • memory/4124-82-0x000001BAE6370000-0x000001BAE6390000-memory.dmp

    Filesize

    128KB

  • memory/4124-47-0x000001BAE5F60000-0x000001BAE5F80000-memory.dmp

    Filesize

    128KB

  • memory/4124-42-0x000001BAE4E00000-0x000001BAE4F00000-memory.dmp

    Filesize

    1024KB
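The sample (PID 1972) is the process credited with "Drops file in Drivers directory", and the only file under that directory in the list above is C:\Windows\System32\drivers\etc\hosts (2KB); its contents are not reproduced here. A stock Windows hosts file contains only comments, so every active line in a captured copy is worth reading. The parser below is an added example, not part of the report: it classifies active entries as sinkholes (loopback or 0.0.0.0 targets, the pattern used to block update and security-vendor domains) or redirects (any other address, the pharming case), and matches names against a watchlist that is an illustrative assumption. SAMPLE_HOSTS is constructed, not the captured file.

```python
"""Check a Windows hosts file for entries that sinkhole or hijack name resolution.
Added example; the 2KB hosts file the sandbox captured is not on the page, so
SAMPLE_HOSTS below is constructed. Stdlib only."""
import ipaddress
from typing import Dict, List, Tuple

# Illustrative watchlist (an assumption; tune per environment): update and
# security-vendor domains malware commonly blocks, plus anything users log in to.
WATCHLIST = ("windowsupdate.com", "update.microsoft.com", "virustotal.com", "bank.example")
SELF_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}  # benign when mapped to self


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """(line number, address, hostnames) for every active line; '#' comments and blanks are dropped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((no, parts[0], parts[1:]))
    return entries


def on_watchlist(name: str, watchlist=WATCHLIST) -> bool:
    """Exact or subdomain match against the watchlist (so 'evil.virustotal.com.example' does not match)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watchlist)


def classify_hosts(text: str, watchlist=WATCHLIST) -> Dict[str, List[str]]:
    """Buckets: 'sinkhole' (loopback/unspecified target), 'redirect' (any other address),
    'watchlist' (watchlisted name, whichever bucket it also landed in), 'malformed'."""
    report: Dict[str, List[str]] = {"sinkhole": [], "redirect": [], "watchlist": [], "malformed": []}
    for no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            report["malformed"].append(f"line {no}: {addr} {' '.join(names)}")
            continue
        if not names:
            report["malformed"].append(f"line {no}: {addr} has no hostname")
            continue
        for name in names:
            if name.lower() in SELF_NAMES and (ip.is_loopback or ip.is_unspecified):
                continue
            desc = f"{name} -> {addr} (line {no})"
            report["sinkhole" if ip.is_loopback or ip.is_unspecified else "redirect"].append(desc)
            if on_watchlist(name, watchlist):
                report["watchlist"].append(desc)
    return report


def hosts_is_hijacked(text: str, watchlist=WATCHLIST) -> bool:
    """True when any watchlisted name is touched or any name points at a non-local address."""
    r = classify_hosts(text, watchlist)
    return bool(r["watchlist"] or r["redirect"])


# Constructed sample: the stock Microsoft header followed by lines an attacker might add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost
127.0.0.1 localhost
0.0.0.0 www.virustotal.com
0.0.0.0 update.microsoft.com download.windowsupdate.com
203.0.113.10 login.bank.example        # constructed: TEST-NET-3 address standing in for an attacker host
not-an-address junk
"""

if __name__ == "__main__":
    for bucket, items in classify_hosts(SAMPLE_HOSTS).items():
        print(bucket, items)
```

Feed it the captured file with `classify_hosts(open(path, encoding="utf-8", errors="replace").read())`. The two buckets answer different questions: sinkholes tell you what the sample wants the host to stop reaching (updates, vendor telemetry), redirects tell you where it wants traffic to go instead, and the redirect addresses are the ones to pivot on.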