Overview

overview

7

Static

static

3

4f7d550b95...cs.exe

windows7-x64

7

4f7d550b95...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 11:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f7d550b956a50e5717c8d1e56aa2a7df446357b08e89e536a6c32d539365afb_NeikiAnalytics.exe

  • Size

    488KB

  • MD5

    d127ed0c2cdf183dfc24ad293e480eb0

  • SHA1

    65fe1a5c246d6312ce6a3d76845f32cac7152c69

  • SHA256

    4f7d550b956a50e5717c8d1e56aa2a7df446357b08e89e536a6c32d539365afb

  • SHA512

    4659af718e23a673006a3f062174b9fd3435bcc22dce5d6bebea2982e5c467e102d871bcd77f46f8a1b1760cd3644a3f1452dc303d269432bbbfb23aac4f834d

  • SSDEEP

    12288:VZlc87eqqV5e+wBV6O+8Q+52yyB2zwDrhB7LPvUUy:VZSqqHeVBx/XZ6PXv7Ti

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of UnmapMainImage
    PID:3500
    • C:\Users\Admin\AppData\Local\Temp\4f7d550b956a50e5717c8d1e56aa2a7df446357b08e89e536a6c32d539365afb_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\4f7d550b956a50e5717c8d1e56aa2a7df446357b08e89e536a6c32d539365afb_NeikiAnalytics.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Users\Admin\AppData\Roaming\Certstnm\poqeasks.exe
        "C:\Users\Admin\AppData\Roaming\Certstnm"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\Users\Admin\AppData\Local\Temp\~42D5.tmp
          3500 499720 1376 1
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2240
  • C:\Windows\SysWOW64\hhrver.exe
    C:\Windows\SysWOW64\hhrver.exe -s
    1⤵
    • Executes dropped EXE
    PID:3596

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~42D5.tmp
    Filesize

    8KB

    MD5

    86dc243576cf5c7445451af37631eea9

    SHA1

    99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

    SHA256

    25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

    SHA512

    c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Certstnm\poqeasks.exe
    Filesize

    488KB

    MD5

    4e9f0996787fa4fcc0d3fcc3170d4bc3

    SHA1

    35f5f276ae1e7a3c3dd8145647f9a5ce3842a4b5

    SHA256

    4967ee3dc3a64ca825b4cae3d9fdfd084744c1982a8f237d4123aefe343b3564

    SHA512

    80d50c0bda5de7bcade29ad3691f9e98f9a5ed5f20d4c6eb6fb1252c0376bc4c02e769abe2b358c922f4145808a3cc5b3be2bf49bc5505c1550d28609204b174

    Download Submit

  • memory/1376-9-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1376-11-0x0000000000550000-0x00000000005D3000-memory.dmp

    Filesize

    524KB

    Download

  • memory/1376-12-0x0000000000750000-0x0000000000755000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1608-0-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1608-1-0x0000000000480000-0x0000000000503000-memory.dmp

    Filesize

    524KB

    Download

  • memory/1608-26-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3500-18-0x000000000A540000-0x000000000A5CA000-memory.dmp

    Filesize

    552KB

    Download

  • memory/3500-20-0x0000000004820000-0x0000000004826000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3500-17-0x000000000A540000-0x000000000A5CA000-memory.dmp

    Filesize

    552KB

    Download

  • memory/3500-21-0x0000000004830000-0x000000000483D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3596-24-0x0000000000550000-0x00000000005D3000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3596-25-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3596-14-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download