Analysis

  • max time kernel
    144s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-07-2024 04:03

General

  • Target

    33f9d819fbac4666447640038bbb1a0f95051001d2e54b8fd236a5d366fa28ec_NeikiAnalytics.exe

  • Size

    118KB

  • MD5

    b07c37d92fbbd0260dc27363bd099860

  • SHA1

    0f80fe9fafd74a5d61857a0d4a8d034746c15569

  • SHA256

    33f9d819fbac4666447640038bbb1a0f95051001d2e54b8fd236a5d366fa28ec

  • SHA512

    6c35faf191f9b8d79358e349cbd423c38a6f8163126c1976c2233a5def7a59f793ac429529e7c506aeaa21a7936e7a187dabcdbd717df70ba7d27576046eb674

  • SSDEEP

    1536:nEGh0oCl2unMxVS3HgdoKjhLJh731xvsr:nEGh0oClvMUyNjhLJh731xvsr

Score
8/10

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
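The Active Setup signature above refers to HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components, where each component's StubPath is executed once per user at logon (T1547.014). The Python below is an added example, not part of this report or of the sandbox's own logic: it parses the text output of `reg query ... /s` and flags StubPath entries whose executable is a GUID-named file directly under the Windows directory (the drop pattern visible in this report's process tree) or lies outside a baseline set of directories. The registry listing, the baseline directories and the component GUID of the flagged entry are constructed for illustration; the report does not show which key the sample actually wrote.

```python
"""Audit Active Setup "Installed Components" for suspicious StubPath values.

Added example; not code from the report or the sandbox. Active Setup
(ATT&CK T1547.014) runs each component's StubPath once per user at logon.
On a live host, feed this parser the output of

    reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s

The listing below is constructed: the first two entries are modelled on
benign stock components, the third uses an invented component GUID whose
StubPath points at one of the GUID-named drops listed in the report.
"""
import re
from dataclasses import dataclass

# Assumed baseline: where StubPath executables live on a stock image.
BASELINE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# <drive>:\Windows\{GUID}.exe, the naming used by every dropped stage in the report
GUID_EXE_RE = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)

SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
    (Default)    REG_SZ    Themes Setup
    StubPath    REG_EXPAND_SZ    %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
    IsInstalled    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
    (Default)    REG_SZ    Microsoft Windows Mail
    StubPath    REG_SZ    "C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE
    IsInstalled    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7A1F0C2B-5D3E-4A6F-9B8C-0D1E2F3A4B5C}
    StubPath    REG_SZ    C:\Windows\{0161E694-3DC6-44d6-8ECC-F8A62A72ECD4}.exe
    IsInstalled    REG_DWORD    0x1
"""


@dataclass
class Component:
    key: str
    values: dict


@dataclass
class Finding:
    component: str
    name: str
    stub_path: str
    executable: str
    reasons: list


def parse_reg_query(text):
    """Parse `reg query /s` output: a key line, then 4-space-indented value lines."""
    comps = []
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("HKEY_"):
            current = Component(key=raw.strip(), values={})
            comps.append(current)
        elif current is not None and raw.startswith("    "):
            # name, type and data are separated by runs of 4+ spaces; data may be empty
            parts = re.split(r"\s{4,}", raw.strip(), maxsplit=2)
            current.values[parts[0]] = parts[2] if len(parts) == 3 else ""
    return comps


def stub_executable(stub):
    """Extract the executable from a StubPath command line (quoted or not)."""
    s = stub.strip()
    for var in ("%SystemRoot%", "%windir%"):  # assumed expansion; use os.path.expandvars on a live host
        s = re.sub(re.escape(var), lambda m: "C:\\Windows", s, flags=re.I)
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    exe = []
    for tok in s.split(" "):  # unquoted path with spaces: keep joining until the .exe token
        exe.append(tok)
        if tok.lower().endswith(".exe"):
            break
    return " ".join(exe)


def audit_active_setup(text):
    findings = []
    for comp in parse_reg_query(text):
        stub = comp.values.get("StubPath")
        if not stub:
            continue  # nothing is launched for components without a StubPath
        exe = stub_executable(stub)
        reasons = []
        if GUID_EXE_RE.match(exe):
            reasons.append("GUID-named executable directly under the Windows directory")
        if not exe.lower().startswith(BASELINE_DIRS):
            reasons.append("executable outside baseline directories")
        if reasons:
            findings.append(Finding(comp.key.rsplit("\\", 1)[-1], comp.values.get("(Default)", ""),
                                    stub, exe, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_active_setup(SAMPLE_REG_QUERY):
        print(f.component, f.stub_path, "; ".join(f.reasons))
```

Only the invented third component is reported, for both reasons; the two stock-style entries pass because their executables resolve into the baseline directories. An entry with IsInstalled set to 0x0 is still reported, since it can be re-enabled by a single registry write.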

Processes

  • C:\Users\Admin\AppData\Local\Temp\33f9d819fbac4666447640038bbb1a0f95051001d2e54b8fd236a5d366fa28ec_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\33f9d819fbac4666447640038bbb1a0f95051001d2e54b8fd236a5d366fa28ec_NeikiAnalytics.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Windows\{0161E694-3DC6-44d6-8ECC-F8A62A72ECD4}.exe
      C:\Windows\{0161E694-3DC6-44d6-8ECC-F8A62A72ECD4}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\{C698A9B4-D949-4c29-A074-B61A1F2EC2AE}.exe
        C:\Windows\{C698A9B4-D949-4c29-A074-B61A1F2EC2AE}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\{5EFD8045-688E-4f9c-B325-47A850A6AB79}.exe
          C:\Windows\{5EFD8045-688E-4f9c-B325-47A850A6AB79}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Windows\{6E176AF5-3C6F-4cda-B954-E110563FF5D2}.exe
            C:\Windows\{6E176AF5-3C6F-4cda-B954-E110563FF5D2}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1180
            • C:\Windows\{9CB859F4-9395-4621-8CD2-17F0A142D10E}.exe
              C:\Windows\{9CB859F4-9395-4621-8CD2-17F0A142D10E}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2780
              • C:\Windows\{629F71D6-70D8-497a-A64C-0A57C37DA5AC}.exe
                C:\Windows\{629F71D6-70D8-497a-A64C-0A57C37DA5AC}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:288
                • C:\Windows\{D1859B4D-BC13-468a-A44F-88F7BCB2BABA}.exe
                  C:\Windows\{D1859B4D-BC13-468a-A44F-88F7BCB2BABA}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:872
                  • C:\Windows\{D2CF19A7-FF7C-4bcb-938B-F7D7899C00B9}.exe
                    C:\Windows\{D2CF19A7-FF7C-4bcb-938B-F7D7899C00B9}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:556
                    • C:\Windows\{6BC8B3B5-96F1-4cf9-BB13-C39C09A1586D}.exe
                      C:\Windows\{6BC8B3B5-96F1-4cf9-BB13-C39C09A1586D}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2092
                      • C:\Windows\{E5CE3D72-54EA-4a55-B164-D584511C43F3}.exe
                        C:\Windows\{E5CE3D72-54EA-4a55-B164-D584511C43F3}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1252
                        • C:\Windows\{7BEBEC04-84DE-4043-BD1F-2636544B4804}.exe
                          C:\Windows\{7BEBEC04-84DE-4043-BD1F-2636544B4804}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1028
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E5CE3~1.EXE > nul
                          12⤵
                          PID:1484
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BC8B~1.EXE > nul
                        11⤵
                        PID:268
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D2CF1~1.EXE > nul
                      10⤵
                      PID:2832
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D1859~1.EXE > nul
                    9⤵
                    PID:1520
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{629F7~1.EXE > nul
                  8⤵
                  PID:2184
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9CB85~1.EXE > nul
                7⤵
                PID:2032
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{6E176~1.EXE > nul
              6⤵
              PID:2912
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{5EFD8~1.EXE > nul
            5⤵
            PID:1636
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C698A~1.EXE > nul
          4⤵
          PID:1868
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0161E~1.EXE > nul
        3⤵
        PID:2572
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\33F9D8~1.EXE > nul
      2⤵
      • Deletes itself
      PID:1852
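The process tree above is a relay: each stage drops a GUID-named executable into C:\Windows, launches it, and then spawns cmd.exe /c del on its own 8.3 short name so that only the newest stage remains on disk. The Python below is an added example (not code from the report or the sandbox) that turns those two observations into checks over process-creation events. The events are constructed here to mirror the first three stages of the tree, with PIDs, image paths and command lines taken from the report; the explorer.exe and notepad.exe events are hypothetical benign controls, the parent of the original sample is assumed, and the chain threshold is an assumption.

```python
"""Flag the drop-execute-self-delete relay seen in the process tree.

Added example; not code from the report or the sandbox. Events are
constructed to mirror the first stages of the tree (PIDs, image paths and
command lines as shown in the report); the explorer/notepad events and the
parent of the original sample are hypothetical. The chain threshold is an
assumption for the example.
"""
import re
from dataclasses import dataclass

# <drive>:\Windows\{GUID}.exe, the naming used by every dropped stage
GUID_EXE_RE = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
# cmd.exe /c del <target>; target is quoted when it contains spaces
DEL_RE = re.compile(r'/c\s+del\s+(?:"([^"]+)"|(\S+))', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


ORIG = r"C:\Users\Admin\AppData\Local\Temp\33f9d819fbac4666447640038bbb1a0f95051001d2e54b8fd236a5d366fa28ec_NeikiAnalytics.exe"
EXE1 = r"C:\Windows\{0161E694-3DC6-44d6-8ECC-F8A62A72ECD4}.exe"
EXE2 = r"C:\Windows\{C698A9B4-D949-4c29-A074-B61A1F2EC2AE}.exe"
EXE3 = r"C:\Windows\{5EFD8045-688E-4f9c-B325-47A850A6AB79}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events: the relay from the report plus hypothetical benign controls.
EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),  # hypothetical
    ProcEvent(1276, 1000, ORIG, f'"{ORIG}"'),                         # parent PID assumed
    ProcEvent(1708, 1276, EXE1, EXE1),
    ProcEvent(2684, 1708, EXE2, EXE2),
    ProcEvent(2636, 2684, EXE3, EXE3),
    ProcEvent(1852, 1276, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\33F9D8~1.EXE > nul"),
    ProcEvent(2572, 1708, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{0161E~1.EXE > nul"),
    ProcEvent(1868, 2684, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C698A~1.EXE > nul"),
    ProcEvent(1500, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),        # hypothetical
    ProcEvent(1600, 1500, CMD, r"cmd.exe /c del C:\Users\Admin\scratch.txt > nul"),  # hypothetical, benign
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_guid_drop(ev):
    return bool(GUID_EXE_RE.match(ev.image))


def deleted_target(cmdline):
    m = DEL_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def short_name_matches(short, long):
    """True if the 8.3 name `short` (e.g. {0161E~1.EXE) can denote `long`.

    An 8.3 alias keeps the first characters of the long base name before
    the ~N suffix, so a prefix comparison on the upper-cased names suffices.
    """
    s_base, _, s_ext = basename(short).upper().rpartition(".")
    l_base, _, l_ext = basename(long).upper().rpartition(".")
    if "~" not in s_base:
        return s_base == l_base and s_ext == l_ext
    prefix = s_base.split("~", 1)[0]
    return s_ext == l_ext and l_base.replace(" ", "").startswith(prefix)


def is_self_delete(ev, parent):
    """cmd.exe spawned by a process in order to delete that process's own image."""
    if parent is None or basename(ev.image).lower() != "cmd.exe":
        return False
    target = deleted_target(ev.cmdline)
    return target is not None and short_name_matches(target, parent.image)


def guid_chain_depth(ev, by_pid):
    """Number of consecutive GUID-named images walking up the parent links from ev."""
    depth, cur = 0, ev
    while cur is not None and is_guid_drop(cur):
        depth += 1
        cur = by_pid.get(cur.ppid)
    return depth


def analyze(events, chain_threshold=3):
    by_pid = {e.pid: e for e in events}
    guid_drops = [e.pid for e in events if is_guid_drop(e)]
    self_deletes = [(e.pid, e.ppid) for e in events if is_self_delete(e, by_pid.get(e.ppid))]
    max_chain = max((guid_chain_depth(e, by_pid) for e in events), default=0)
    return {"guid_drops": guid_drops, "self_deletes": self_deletes, "max_chain": max_chain,
            "relay_detected": bool(self_deletes) and max_chain >= chain_threshold}


if __name__ == "__main__":
    print(analyze(EVENTS))
```

The self-delete check is tied to the parent's image rather than to the literal `> nul` string, so a benign `cmd /c del` of a scratch file (the last control event) is not reported, while the sample's stage-by-stage deletion of its own predecessor is. On the full tree from the report the chain depth would be 11.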

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    T1547 Boot or Logon Autostart Execution (1)
    T1547.014 Active Setup (1)
  • Privilege Escalation
    T1547 Boot or Logon Autostart Execution (1)
    T1547.014 Active Setup (1)
  • Defense Evasion
    T1112 Modify Registry (1)

Downloads

  • C:\Windows\{0161E694-3DC6-44d6-8ECC-F8A62A72ECD4}.exe
    Filesize 118KB
    MD5 e7c9d4ea9f7614120ac62dafbea79c25
    SHA1 82a424ac348e161fd6f5e5cfd5030e29b759e54e
    SHA256 af2e6b1a74906a4ea9d5239d8ad60dbb786a5c60241a5730b027e845a80ea30e
    SHA512 9ec0dcd8a66174acfdc99bb8b641467a49c70e586587eb058e1095aff2305e2f90c9b6872d5430232a3683f0eb4bcf7e96d48c0d1ec394984490703b449e7e29

  • C:\Windows\{5EFD8045-688E-4f9c-B325-47A850A6AB79}.exe
    Filesize 118KB
    MD5 b92bb8dfa536afd50a2ab48a1b55940c
    SHA1 edd4bb15ae58c05528b5b66e8af4c8b53eaef997
    SHA256 cce13b0204b170a2ddc6bf4e14e6e64a3fa97221ef614b586bad3d43999bcc64
    SHA512 a3b2a2f3fe56f364fc58d13330e760e4c0d001251f1517a57cef83b88e3738ebb6f4316b0e1547070241be28185c4256ca775d1e72ce598654415d91b3fdd63a

  • C:\Windows\{629F71D6-70D8-497a-A64C-0A57C37DA5AC}.exe
    Filesize 118KB
    MD5 d590794c6fa09b8000700e5927f26c8c
    SHA1 d0a1d2e111dec588dadfa85f4ab3930f684d29c2
    SHA256 0be14104418e2d37dd1ff2ac2debac0dcc4cfdba638d4d4c5d24f037dff1e734
    SHA512 d97f19590069304544944bf4d1f5fb0c1c85321a835ddf0c03cd2a5739bf369de9197c64b30f0027525a884dacb5f809c20132b74eb5dbdc0d608dc1ee74ca6e

  • C:\Windows\{6BC8B3B5-96F1-4cf9-BB13-C39C09A1586D}.exe
    Filesize 118KB
    MD5 2a2b1dfbbba0998c0a2244456676c1e6
    SHA1 5e7166e8d1f47a9a5328d3711919e06db88d7b2a
    SHA256 2d6a407251c540b7fc19ecb8dae7d0a50a7b4652eb06652982fbbfde7b47d3f6
    SHA512 b01d759be8fafed6ecdb0e2ef9a4f1ffeb25221a28640861c2dae213c7c427757fe9a305bfdece8a7f866269f122789b7de265c8a62af02672e638c8e9086e76

  • C:\Windows\{6E176AF5-3C6F-4cda-B954-E110563FF5D2}.exe
    Filesize 118KB
    MD5 9c64a3ff338fa93ab8994e8dfd97297b
    SHA1 c222ebb9630f171cf7b21cb59a9baee62222f69d
    SHA256 a989b5773ee73b1cce5818f0acae29c00e2063ef2288801f6ebd1797acd9cca5
    SHA512 27541c0b390d17834f23f26d9864061943fb399df1d5431935721ed01334d93d096257c1a334924296f04c29e41c2ef82245eafe01ce2066bcfe00413b0d1be4

  • C:\Windows\{7BEBEC04-84DE-4043-BD1F-2636544B4804}.exe
    Filesize 118KB
    MD5 61b5591820d51643be26b97171c06fdc
    SHA1 3d52ba0998db3a5ef655d8e6021f1c85d8464f2a
    SHA256 78bab34fadb22556c0d9578dca88be9b369fe60fdfc3d93ac6899ec427b7fe40
    SHA512 d552d95f6fb8f20c7af59e1bc95a8336d990700ec8961989d8e0df706c14a751a0af440ef9788409dd2098ebca8da7978e71e22deb5beab76cfe1e9bcfab9468

  • C:\Windows\{9CB859F4-9395-4621-8CD2-17F0A142D10E}.exe
    Filesize 118KB
    MD5 a33a889e4e2503826658d20d95d732d5
    SHA1 895ee5264302d6d98f0d6dd7f93d7b6b1ea951c2
    SHA256 d3dc7cdf5f98dbecf90737cabd243bf9a5139c87433e325b9e45ab0a50aeaacc
    SHA512 873effbc2f3eef6b21014f58e6a6bcc36a55c8b00d6ca686493e5de799c9881b9097b0e27cc17d233e6ced0736d9661105e903b60a3e7ebd2e1daede87d4eabf

  • C:\Windows\{C698A9B4-D949-4c29-A074-B61A1F2EC2AE}.exe
    Filesize 118KB
    MD5 d2a0b4e7f2f95aea4900af13588d9aaa
    SHA1 391a44d32ad29a59956d663976c4fdd9b6751f01
    SHA256 f4bc8e96f10b8daaddb73caffc50d9250644113926dca0a80253651293d287b1
    SHA512 9c1b214c41ee0e8b88d7b49fb6f3c81e15c7869ce76a1e49f729e4755e7379c02284c68e7e192fad3fc41dcf8e708de47213e9d59c03253e8272d902a0119902

  • C:\Windows\{D1859B4D-BC13-468a-A44F-88F7BCB2BABA}.exe
    Filesize 118KB
    MD5 771ea192c9aa6733810ac8fadc0be11e
    SHA1 03a6236002480d47d9750f3ae0b5021b74154ffc
    SHA256 8c33ff7678c71a528cd56aa553fbfbf9a97308f78ab0b5d666dd30bef5c24352
    SHA512 42b6c2d523dd5c0f7c2548be873c1fb78533531df223bbae4775226a2d3f9c9857e948e3ef5292fc77c7a2af0efbc6565ce864dcdd1293476933b5a550d4bc57

  • C:\Windows\{D2CF19A7-FF7C-4bcb-938B-F7D7899C00B9}.exe
    Filesize 118KB
    MD5 6b8fc5c520b6da8bf3a474f3a7843e2f
    SHA1 94b8304a5fbaf8df8b9af760227ad80b1008b0d0
    SHA256 3f7b450355a6e7a220f42b859bb3ad278afcf3a900611aa7a043061383ef4b48
    SHA512 8ef57b2efe4fef9636cd13da0be6feba8ac94c5050ff279bcbbb55664832b10c2cace3664e88e4f0d7f6555bef8ed71030500c455d5501e49fec06d438b34309

  • C:\Windows\{E5CE3D72-54EA-4a55-B164-D584511C43F3}.exe
    Filesize 118KB
    MD5 a65fc60e65c46ff8badc0282da16f704
    SHA1 59c1a6823479e44fe638198c7812241e218ed43c
    SHA256 31a298f50e030577f1a523ff0643aa560f32c719515d2b65140b97948b71e64e
    SHA512 ccc481263b605d132eb49f63efc22fcc5ee391572e28efe4103928b6c6577891e21509ebff061803a64e5c3909aff545462b993f2d3dcca22715b44cc595d1a5