Overview

overview

10

Static

static

3

798354959e...cs.exe

windows7-x64

10

798354959e...cs.exe

windows10-2004-x64

8

$PLUGINSDI...sh.dll

windows7-x64

3

$PLUGINSDI...sh.dll

windows10-2004-x64

3

$PLUGINSDI...ge.dll

windows7-x64

1

$PLUGINSDI...ge.dll

windows10-2004-x64

1

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    798354959e95dc35440eb858765cf22e9e16b7577bba1b637b554aeb27fe86dc_NeikiAnalytics.exe

  • Size

    639KB

  • Sample

    240629-hkab2awcll

  • MD5

    0609cbf05b1169cd11a37910df2d74c0

  • SHA1

    7d2dd3c50535783bd6d2755c3fa9b9f810c12f13

  • SHA256

    798354959e95dc35440eb858765cf22e9e16b7577bba1b637b554aeb27fe86dc

  • SHA512

    d1874d83b1b1f6765af5806564cd039cdd0ea03d149c58bff9deccc8d7c1587c46e8681ca00c3ec14801bab23a9b984f9fc1e8438608d415571dadc7ab3de576

  • SSDEEP

    6144:z9KOQS4B4GMSGJpFhaI27ySqUawlTFEHhq9/GtGOzx65MTOjbpUYpVslMDRkQZI:zsB4GOaJ6UrFh/GtGOzQ5MTOjb9pWeA

Score
10/10
guloaderdownloaderevasionexecutionpersistencetrojan

Malware Config

Targets

    • Target

      798354959e95dc35440eb858765cf22e9e16b7577bba1b637b554aeb27fe86dc_NeikiAnalytics.exe

    • Size

      639KB

    • MD5

      0609cbf05b1169cd11a37910df2d74c0

    • SHA1

      7d2dd3c50535783bd6d2755c3fa9b9f810c12f13

    • SHA256

      798354959e95dc35440eb858765cf22e9e16b7577bba1b637b554aeb27fe86dc

    • SHA512

      d1874d83b1b1f6765af5806564cd039cdd0ea03d149c58bff9deccc8d7c1587c46e8681ca00c3ec14801bab23a9b984f9fc1e8438608d415571dadc7ab3de576

    • SSDEEP

      6144:z9KOQS4B4GMSGJpFhaI27ySqUawlTFEHhq9/GtGOzx65MTOjbpUYpVslMDRkQZI:zsB4GOaJ6UrFh/GtGOzQ5MTOjb9pWeA

    Score
    10/10
    guloaderdownloaderevasionexecutionpersistencetrojan

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • UAC bypass

      evasiontrojan

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/AdvSplash.dll

    • Size

      6KB

    • MD5

      6def2cf3daf850acdc1a3e7340a439c4

    • SHA1

      95d0d26f60cd5af697502cd5e53a54913ab188fb

    • SHA256

      3ec3cf21a99ab0533ec2c451df3b5542733f70b972089d5c321ad7ae3b87d175

    • SHA512

      16b1cf4783284d4a1282c569f5c416c713b4b339efcd4d3948bdf7da2194c597bd732d07ba9fabafcab323ba8c8da68845d4435ab9d1916b1810087ee1f5c413

    • SSDEEP

      96:bNcIcmLEjNev3O2obNnNlXUjDftqlqCstWpFwoS:yIpLSG3O9XX+qlqntWpF

    Score
    3/10
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/BgImage.dll

    • Size

      7KB

    • MD5

      2bb17d45e5ad92053ce1e500408dd8a9

    • SHA1

      f5d3a7ee6e28df532e9ce33976c92ff30a5665e4

    • SHA256

      71ce676703dad028e4083e6b960b1ed89885877079d46d5021506eaa6d99db53

    • SHA512

      efdcb476b9b9b5691fe6b9cd77ecbe48d50c6683da01fd51c6b428cc262528fb3dcd295abe28718321b2307b0e032fcb599588f1eb00a93fd9e6a1f7b322b41f

    • SSDEEP

      96:8eXR0AKTIfv7QCUsthvNL85s4lk38Eb3CDfvEh8uLzqkNnLiEQjJ3KxkP:tvBfjbUA/85q3wEh8uLmsLpmP

    Score
    1/10
    behavioral5behavioral6

    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      8ef0e4eb7c89cdd2b552de746f5e2a53

    • SHA1

      820f681e7cec409a02b194a487d1c8af1038acf0

    • SHA256

      41293b9f6588e0fbdc8fcf2a9bd8e2b244cd5ff038fc13033378da337219c9dc

    • SHA512

      a68533e8a19637d0d44219549b24baba0dc4824424842f125600fda3edcafc4bb6bb340d57a00815f262d82373b440d58d6e4e5b2ceb29bb3f6bc4cbde66c3c5

    Score
    3/10
    behavioral7behavioral8

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      c129bc26a26be6f5816a03520bb37833

    • SHA1

      18100042155f948301701744b131c516bf26ddb8

    • SHA256

      d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

    • SHA512

      dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

    • SSDEEP

      96:y7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgN738:8ygp3FcHi0xhYMR8dMqJVgN

    Score
    3/10
    behavioral10behavioral9

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks