Overview

overview

7

Static

static

3

2c819b787a...cs.exe

windows7-x64

7

2c819b787a...cs.exe

windows10-2004-x64

4

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    01/07/2024, 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c819b787adb7d4aa9afa047db6f197dedad006601dbcab2e0db899b03c1d216_NeikiAnalytics.exe

  • Size

    86KB

  • MD5

    7f8257f68ab0a12756b9b691dd067430

  • SHA1

    2bb7ab637ed8aae4fc6f54f7ba34ae05d65f9147

  • SHA256

    2c819b787adb7d4aa9afa047db6f197dedad006601dbcab2e0db899b03c1d216

  • SHA512

    6f7bee1027fd7ed515e26334ebfdcc0339479306fa17632369e0c01ffde92d6b8913746cf93dfc3d796f4f723dee1c6ea3482ad998be401c8d81687b7d39f180

  • SSDEEP

    1536:3Gk8BAFEn4lWeogUNwIJj8NWeF9hISBHSCVEwF8DrdMZkWhp:35874DokIJQQeFDIgyCV98DrGCWhp

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 10 IoCs
  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c819b787adb7d4aa9afa047db6f197dedad006601dbcab2e0db899b03c1d216_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\2c819b787adb7d4aa9afa047db6f197dedad006601dbcab2e0db899b03c1d216_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2400
    • \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
      c:\users\admin\appdata\local\temp\\wmpscfgs.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2312
      • \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
        c:\users\admin\appdata\local\temp\\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2172
      • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:884
    • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2376 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1596
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2376 CREDAT:406533 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe
    Filesize

    104KB

    MD5

    f703ccc5f3d53352d8d42d383a4eb070

    SHA1

    7cac9d8a9994cd2bde98f73cf30e12c065013be4

    SHA256

    483c8a4d3ab28b7cd809651f420228d2f234e91acd00b1cfeb99ee333053341a

    SHA512

    3aff3d9675abbebebd9f0a1d51422edc8926d2f6145ee2a04b24afdbbcb9eca45713f97181fca2e3a1127aad03e42eb6763470fdae37f8f5858dda36045346ac

    Download Submit

  • \??\c:\program files (x86)\adobe\acrotray.exe
    Filesize

    131KB

    MD5

    29ac9dff0fbb5839eab5d2d77a762624

    SHA1

    51eccc5765352963d827dd3899fda165f16d33b3

    SHA256

    a81e7c172cc2c1f35aab4a87dcb4812d516f879e16bc699fe3fb4e44e5f6f83a

    SHA512

    f78ebf88b7e0b8112c7eb17ca3f749ae8af7bc67c4a3b851130e1d3452ac98653fed6ec41509d19c51fa594f76ea418b67824160f4d7e788366666675e3199a2

    Download Submit

  • \??\c:\program files (x86)\microsoft office\office14\bcssync.exe
    Filesize

    104KB

    MD5

    661b85508c47c1ae9cc823891d641173

    SHA1

    649101d998f21c5592b61a2b4acb56236e2ff4e0

    SHA256

    3a0539ced33911aa02d6afb141b2fb6e5e865ada68307beec84530856ec2cfae

    SHA512

    4cba808ae4f7e3f6a7169b0bbd1b88421953c9d1b32827cdbdc8cd823f80b0615de7d4f217bb7956030c4c6983863dd940cd5a8f519fc7874f07271738647e4f

    Download Submit

  • \Program Files (x86)\Internet Explorer\wmpscfgs.exe
    Filesize

    121KB

    MD5

    9f5f2278b6752fa4942adf85f8cc4da1

    SHA1

    c4b3cced41f06272cafc2f57da8823e94c2ea035

    SHA256

    8707065dd09e826762791a036d461cee70896a50a0afed3f1d36e407f51908ed

    SHA512

    1c761df9ffe2074f2c80909e15056329ca545c0e9c1269d6bd0b0a4f401cdc20914bbdf485180500253dffc5256743117a56cf7f74b92b57edac8ec7d51eebc8

    Download Submit

  • memory/884-66-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/884-60-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2172-70-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2312-35-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2312-24-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2312-77-0x00000000001B0000-0x00000000001D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2312-61-0x00000000001D0000-0x00000000001D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2312-29-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2312-57-0x00000000001B0000-0x00000000001D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2400-56-0x00000000002A0000-0x00000000002C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2400-23-0x00000000002A0000-0x00000000002C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2400-25-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2400-26-0x00000000002A0000-0x00000000002C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2400-2-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2400-0-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2692-44-0x0000000000780000-0x0000000000782000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2692-28-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2692-36-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download