Overview

overview

10

Static

static

3

1de0d2f56e...cs.exe

windows7-x64

10

1de0d2f56e...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/06/2024, 22:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_NeikiAnalytics.exe

  • Size

    3.5MB

  • MD5

    e96f5b3730e7b90512efb76120718ac0

  • SHA1

    20e74ac3342fc556a478d5c996532e6f664f3952

  • SHA256

    1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232

  • SHA512

    c65bb48f47d46f954949c65d517d382dd4cea21eb2684a7282fdae36b9afb8d8d5c7e9e933da1709013cf2291b5778e7d285f86fc2921f6412627703943f61f8

  • SSDEEP

    98304:P66Nzf0vCNnowJAHzdZHG6efh3Bbob3+mFiP:7NTD+pZHG6efh3BDm0P

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1676
    • \??\c:\users\admin\appdata\local\temp\1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_neikianalytics.exe 
      c:\users\admin\appdata\local\temp\1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_neikianalytics.exe 
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1868
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1528
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3440
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2872
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4572
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:4976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_neikianalytics.exe 
    Filesize

    3.4MB

    MD5

    4ac6b7f3a1f778bfb9e97bdf7d71c0db

    SHA1

    b6fe449294ddafda2d269200fb9930d1b2e7b5f2

    SHA256

    1a90efb3a89c7ef2795d12de927e3123a30b278234c8c92ff0479767021b92a5

    SHA512

    1e44a65df80e240fb39880d6a8da8d6f815b0ac15ecd2838189f0a73ebc2854be0250b2ddb74b193d6f2225f9e3ea9cbeaf96c131400dc9dc11267fa8afc85ef

    Download Submit

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize

    135KB

    MD5

    2b9c44ca0504e515ee4cc7dcc33ca5d9

    SHA1

    8fd0aa1a185b05d85ac806fd3c77facf5a8a81c4

    SHA256

    e9a30225e5f76e34e6a8a25112955abaf6010d43906aa626b5980f6eb79cc278

    SHA512

    a2e720c7df907de24e1d0637b98294127d549269b2f91f1a4e0765f4b905f7473c7df314132249527cc706e3384e30b5e7603ebfc7cef389b93873518f1d0733

    Download Submit

  • C:\Windows\Resources\Themes\icsys.icn.exe
    Filesize

    135KB

    MD5

    d932e116a4a1fc19a31d4a03d272cd39

    SHA1

    5375297fe87cba5b634d256622a7cc469391d56d

    SHA256

    1469ad8b900424e6124619b278f3315a4b834ca038a7e3d206e3144a62ed11c1

    SHA512

    a1e56ec7c357e11ea495a6684935ea91b2965995abde1dabd1ba123db54f8422195b4620eefc021cf0c31b1542dd3bacbe90216ea34e2ae851b804dedb911149

    Download Submit

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    135KB

    MD5

    5daa7ca767e4ab920acbf64f50dd374e

    SHA1

    06b7bde661e174dc29928e77e7ab1d0433161fdc

    SHA256

    1bea11767e80b4746bc057468788285bf906bc16929d88e5138016b909bcd220

    SHA512

    e840ad9337952a8e3819963110408ec2811e3a55103f0c2f4f2f07876c4551a18fa2ce80e18206a8fad094e177aaf2b3153afad479912268387090676574aad1

    Download Submit

  • C:\Windows\Resources\svchost.exe
    Filesize

    135KB

    MD5

    c390567e821a5d35da22a3e34bd29931

    SHA1

    45856fe27e4fa8d1da1ee5114455a7a99f8c0ce2

    SHA256

    b06550dfdfec08e6ebe5896c1094fd74ffc1ae0efd5d3252b2b491f0709bb3e0

    SHA512

    a915c58d63b39247eb0a60e2e179275de203ccafc1ae19397755fa229c5e6d97c28db1b2d1c5f19d8b1e335c8101c05760ee355af39ce19b8d87e73cabc9b98e

    Download Submit

  • memory/1528-14-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1528-49-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1676-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1676-50-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1868-10-0x0000000000400000-0x00000000007B4000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1868-9-0x0000000002590000-0x0000000002591000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-48-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3440-25-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4976-47-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download