Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-06-2024 00:30

General

  • Target

    4c312c136c3d3630e6a7819073151abe2bec245e293fa02c864d455a8c5362f4_NeikiAnalytics.exe

  • Size

    2.6MB

  • MD5

    cd5e3e4dae1c6a68f46963b0feb76770

  • SHA1

    d2bac6409ec52448379093ba990f4edde2624eb7

  • SHA256

    4c312c136c3d3630e6a7819073151abe2bec245e293fa02c864d455a8c5362f4

  • SHA512

    b5c9596501801e896d6a49e8f65d0ecc5a721bfc4e5530d468560a9112c0623175012b7acfe18594fe8d0a647e2b89a9c20380305f14a78f2d824a329cff121e

  • SSDEEP

    12288:qCMYGmkOqYYf01bInqzHWI9WFEeapp3TXn8YoWSXLGzEoqAb8/DjUHhsAennZ5/I:qCmIYSbEDJUrTDw6aZWjvFtta8BuOh

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c312c136c3d3630e6a7819073151abe2bec245e293fa02c864d455a8c5362f4_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4c312c136c3d3630e6a7819073151abe2bec245e293fa02c864d455a8c5362f4_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3960
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEDol.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Task Manager" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2844
    • C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe
      "C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe
        "C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:432
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2480
      • C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe
        "C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ZEDol.txt

    Filesize

    170B

    MD5

    e612e66a93150f09e419dc23aa6ad30b

    SHA1

    aac69550ea153ff1b4550261675221c144b2da54

    SHA256

    c505222bbd299a60df2b8c9049866bc49e355f117a12f55fb1f5406d882f14ce

    SHA512

    51b236bc6b7c02a7babf61a1918a8f554f3d69762051943c8f712a68a7c1494e0a979efd6ebe49f1b4daae47d0e4c12652dcb16ac3e500565ba2dcbd16764e9f

  • C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.txt

    Filesize

    2.6MB

    MD5

    85d8ded2d2c0802ddf7d973ec951b1fa

    SHA1

    c12755be8556ca14ffb85fdbd3ae90c452b10d8f

    SHA256

    0680446b4474985652e884c1c4002f55b1970c3343082ba0625f7e10f11425e4

    SHA512

    adf2f8fbd88e276d000b4d3aee289a171aba9072b03f00f9848e088704a8264b37feba6bd5c0a593a34a3f73601fdfa6126c30f35fe9a9ba4e1a94b1364a9787

  • memory/432-36-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/432-55-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/432-31-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/432-35-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/432-34-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/432-33-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/432-46-0x0000000010410000-0x000000001046C000-memory.dmp

    Filesize

    368KB

  • memory/432-45-0x0000000010410000-0x000000001046C000-memory.dmp

    Filesize

    368KB

  • memory/884-37-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/884-40-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/884-41-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/884-57-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/3960-1-0x0000000000400000-0x0000000000699000-memory.dmp

    Filesize

    2.6MB

  • memory/3960-30-0x0000000000400000-0x0000000000699000-memory.dmp

    Filesize

    2.6MB

  • memory/4764-43-0x0000000000400000-0x0000000000699000-memory.dmp

    Filesize

    2.6MB