Overview

overview

8

Static

static

3

33f9d819fb...cs.exe

windows7-x64

8

33f9d819fb...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 04:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33f9d819fbac4666447640038bbb1a0f95051001d2e54b8fd236a5d366fa28ec_NeikiAnalytics.exe

  • Size

    118KB

  • MD5

    b07c37d92fbbd0260dc27363bd099860

  • SHA1

    0f80fe9fafd74a5d61857a0d4a8d034746c15569

  • SHA256

    33f9d819fbac4666447640038bbb1a0f95051001d2e54b8fd236a5d366fa28ec

  • SHA512

    6c35faf191f9b8d79358e349cbd423c38a6f8163126c1976c2233a5def7a59f793ac429529e7c506aeaa21a7936e7a187dabcdbd717df70ba7d27576046eb674

  • SSDEEP

    1536:nEGh0oCl2unMxVS3HgdoKjhLJh731xvsr:nEGh0oClvMUyNjhLJh731xvsr

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33f9d819fbac4666447640038bbb1a0f95051001d2e54b8fd236a5d366fa28ec_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\33f9d819fbac4666447640038bbb1a0f95051001d2e54b8fd236a5d366fa28ec_NeikiAnalytics.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Windows\{7ABF06E2-866A-4b69-9663-32664E161AE2}.exe
      C:\Windows\{7ABF06E2-866A-4b69-9663-32664E161AE2}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\{1A208E81-C007-4e5f-A409-3CA56BAFDF28}.exe
        C:\Windows\{1A208E81-C007-4e5f-A409-3CA56BAFDF28}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3460
        • C:\Windows\{D348EAA9-08C5-422a-BF73-7A54B9F57313}.exe
          C:\Windows\{D348EAA9-08C5-422a-BF73-7A54B9F57313}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4660
          • C:\Windows\{20135404-3A61-47f8-BD1B-181CB17C29B6}.exe
            C:\Windows\{20135404-3A61-47f8-BD1B-181CB17C29B6}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1608
            • C:\Windows\{FE86BB34-7489-404b-A7F9-5E15BF1186A4}.exe
              C:\Windows\{FE86BB34-7489-404b-A7F9-5E15BF1186A4}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5052
              • C:\Windows\{69CB939E-CAA5-488c-A26F-F1A05CF5D100}.exe
                C:\Windows\{69CB939E-CAA5-488c-A26F-F1A05CF5D100}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5060
                • C:\Windows\{BFFC7CBD-6BD1-4320-9464-55D3DBB603A7}.exe
                  C:\Windows\{BFFC7CBD-6BD1-4320-9464-55D3DBB603A7}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2476
                  • C:\Windows\{FDE6F9CC-4668-481f-8116-CF8AB0A1B500}.exe
                    C:\Windows\{FDE6F9CC-4668-481f-8116-CF8AB0A1B500}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4604
                    • C:\Windows\{98187EB9-E44B-448a-83BA-EF331B0A2EC3}.exe
                      C:\Windows\{98187EB9-E44B-448a-83BA-EF331B0A2EC3}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1320
                      • C:\Windows\{D34771F5-FBF8-4305-966C-15DCF39F44A5}.exe
                        C:\Windows\{D34771F5-FBF8-4305-966C-15DCF39F44A5}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3244
                        • C:\Windows\{CEB8AEBD-C4F0-412f-97A1-DB45AEE7FD5C}.exe
                          C:\Windows\{CEB8AEBD-C4F0-412f-97A1-DB45AEE7FD5C}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4320
                          • C:\Windows\{503222B0-35D1-43dd-9FB5-FB2EFA13F0BD}.exe
                            C:\Windows\{503222B0-35D1-43dd-9FB5-FB2EFA13F0BD}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4804
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{CEB8A~1.EXE > nul
                            13⤵
                              PID:2872
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D3477~1.EXE > nul
                            12⤵
                              PID:744
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{98187~1.EXE > nul
                            11⤵
                              PID:980
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{FDE6F~1.EXE > nul
                            10⤵
                              PID:2244
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{BFFC7~1.EXE > nul
                            9⤵
                              PID:3792
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{69CB9~1.EXE > nul
                            8⤵
                              PID:3688
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{FE86B~1.EXE > nul
                            7⤵
                              PID:928
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{20135~1.EXE > nul
                            6⤵
                              PID:4636
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D348E~1.EXE > nul
                            5⤵
                              PID:2684
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{1A208~1.EXE > nul
                            4⤵
                              PID:920
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{7ABF0~1.EXE > nul
                            3⤵
                              PID:4476
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\33F9D8~1.EXE > nul
                            2⤵
                              PID:3136

                          Network

                          MITRE ATT&CK Matrix ATT&CK v13

                          Initial Access

                          Execution

                          Persistence

                          Boot or Logon Autostart Execution

                          1
                          T1547

                          Active Setup

                          1
                          T1547.014

                          Privilege Escalation

                          Boot or Logon Autostart Execution

                          1
                          T1547

                          Active Setup

                          1
                          T1547.014

                          Defense Evasion

                          Modify Registry

                          1
                          T1112

                          Credential Access

                          Discovery

                          Lateral Movement

                          Collection

                          Exfiltration

                          Command and Control

                          Impact

                          Resource Development

                          Reconnaissance

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{1A208E81-C007-4e5f-A409-3CA56BAFDF28}.exe
                            Filesize

                            118KB

                            MD5

                            f11e36a4cab2eff21454e76d4e0da2d6

                            SHA1

                            7967c48c432a6e0a498411b861d8d5a806f20dfd

                            SHA256

                            c1bb021563193de7642e19f98490e10a5d573e8d1ea6b5628224496547e221e7

                            SHA512

                            c1f61a204b424b2a79bfb303c251ed5b36a5587d9ad013f86a788cd8a67126693310ce80f36f3052cbcffdbbdda628c00aec8c8226ed363ce00a4f62c2b542ce

                            Download Submit
                          • C:\Windows\{20135404-3A61-47f8-BD1B-181CB17C29B6}.exe
                            Filesize

                            118KB

                            MD5

                            129933cdd6a6cd3f06692e4cee6d4bd0

                            SHA1

                            3b82cfbc42a6e8ec3adef3b99117eb396e8a678c

                            SHA256

                            f90a2db88dab98b9312af730b29fa02980a289f5587044018ddbc5872a3dd1d1

                            SHA512

                            01555cd323053c29b72eb18000bdb2c348abc68185e0ef9a2cd49f8eb655665d39bd20fbbae79bbf71af18407cfac78f9cd6f5393cb43217ca42bfbb7169fce6

                            Download Submit
                          • C:\Windows\{503222B0-35D1-43dd-9FB5-FB2EFA13F0BD}.exe
                            Filesize

                            118KB

                            MD5

                            7606657fc20ddcf9b54b5e6fbd1c7d98

                            SHA1

                            906842f04d769992888b2e22db58990bb0a4b66f

                            SHA256

                            1c1c6c39dc4f6997cd296f3299b5a1b085c298b8f5f96d066800a831f57eba8f

                            SHA512

                            e51bc10e572b0e3ec4eb8d601e44c3f0a0a4bab971960b04c1e4c7e931e1fffe6baa140894d8e127c63537ccb8ec7c6203bb1723d9b67074b696314fee6bda26

                            Download Submit
                          • C:\Windows\{69CB939E-CAA5-488c-A26F-F1A05CF5D100}.exe
                            Filesize

                            118KB

                            MD5

                            90750f88efea6ae91032ac90b1e51659

                            SHA1

                            c6261e89ffa8f50d01313b8ea21534fc8d5506a3

                            SHA256

                            577968af078b64dfe681204028e05ccbe6611014ce60060573a095075bb0e0db

                            SHA512

                            d52a855ba8b76650659d472ef4c284d9536f281b92b5d552db147806010015d10bf5b1fb7fa673ea709c563e5efb7d9fd90b9e503e31a29d58d988922f54b742

                            Download Submit
                          • C:\Windows\{7ABF06E2-866A-4b69-9663-32664E161AE2}.exe
                            Filesize

                            118KB

                            MD5

                            1e7db37368605b0be0340cb85e1e9b26

                            SHA1

                            342bb390ba59fc25576dd4cdbb90b6048b5c3b2d

                            SHA256

                            0d9cb11ffa2bcb3cc2db9eab951b8afaf4175e5d489c129aae5822e1c322d083

                            SHA512

                            b443cd6e329796a5ded17b7db85719a4f015ef6f97e6863f5e32e635d081189a0bfcc045acdeeabaecab9d9f9d3771d3a9326e9456b83c73bfd0110a563f919f

                            Download Submit
                          • C:\Windows\{98187EB9-E44B-448a-83BA-EF331B0A2EC3}.exe
                            Filesize

                            118KB

                            MD5

                            a8d2782945c16f2dd096aea0152f87db

                            SHA1

                            313f2267b6c4575c97c176c45364904de7b6277d

                            SHA256

                            72f6697ff30b9cba588bdc3295b62c6477715a8a275ffc125f6690797fa7191c

                            SHA512

                            8e999c7b2eec706bfc2b13b01dcf0d9961dcc334457f23831e76714d7489c9fe50200faa13d7983341e4326412fe1e174664d7fd081eaeb8f91bcdb90dd7792f

                            Download Submit
                          • C:\Windows\{BFFC7CBD-6BD1-4320-9464-55D3DBB603A7}.exe
                            Filesize

                            118KB

                            MD5

                            5cb4a6bac1997a2a8274f270fa3e9ffe

                            SHA1

                            5f2c116441cd8a39021614bee92a85a2645a06fa

                            SHA256

                            81a4c051a4da6d79ae2772f2064e0d4d81472b52223d8ab5857aa6cb7539d318

                            SHA512

                            ed112b7ca0cae0f6aec81024d588f05b2d8dde1f891c87b2f081e9cf404d850beef91af4bd8d8b8ac1cc21461aaacd520734509a446270fb75f1bdbed65cd981

                            Download Submit
                          • C:\Windows\{CEB8AEBD-C4F0-412f-97A1-DB45AEE7FD5C}.exe
                            Filesize

                            118KB

                            MD5

                            4f89c6a16277a16423b4820219d0d26f

                            SHA1

                            ad5e07cfaad00f791856b2b8d06a8e117a02dcfb

                            SHA256

                            e7161f74b19a3d384988d32c2fa82eedaa4bc8c656f29a35cc4452a4673e868f

                            SHA512

                            4b07c71c6daeae6d506ea04f284fd27069fb9e950679ac862f36399ffe3d6b8f799dcb43193a61e3728b6ebc9dcf76664242719a768d52677e31ecc94360f03a

                            Download Submit
                          • C:\Windows\{D34771F5-FBF8-4305-966C-15DCF39F44A5}.exe
                            Filesize

                            118KB

                            MD5

                            c158498f97fa582af7fa0b0cee062d0b

                            SHA1

                            9b5aba69fb0886fd75ddbe911e827be4c89e741e

                            SHA256

                            6d8b5c7ba122b1dab91a802d1964a1c15731447f0f88d6a897d20bf15f5b96c2

                            SHA512

                            7296ec98fed796377d7a632bf66df98ca1b82a8bed21a43ae803772a31dc8c28da1f0df1b3553365f5a313f30fffba9a9a4d7f7e1b8714e8df2b5c171fa74fd5

                            Download Submit
                          • C:\Windows\{D348EAA9-08C5-422a-BF73-7A54B9F57313}.exe
                            Filesize

                            118KB

                            MD5

                            67883a4fe5cc15b7b57eda2b15505604

                            SHA1

                            4705b22512fe5c6490167cac9c6ec3a991740a37

                            SHA256

                            66cf2fe7477f9d16aea94525eb40d2083af30ac73efb4b0ba07747f3d3bb26ce

                            SHA512

                            d6488d810cb91fe9b384f9d6d2153a8988f837cb7190ee9d2ce6b82cd45289042a4b2c5a868184261e59b4eb62a26d34da21d0caaccda403d23ec5225f0e931f

                            Download Submit
                          • C:\Windows\{FDE6F9CC-4668-481f-8116-CF8AB0A1B500}.exe
                            Filesize

                            118KB

                            MD5

                            714ecbb4f6e7845cc5fdf3bdd125e2cc

                            SHA1

                            46a71f639a6aa27fa65eeb20f69ffd40c1b72fbf

                            SHA256

                            c8080325ff23d3039125f20c098db44d756cbedc345d1af7bc3941190279529c

                            SHA512

                            469ae3cd10bca4a0986ef9fdeffc6b858506a4e5f9b29a347efe4a319db71e366e5485b389fce1c14029e1ec05d17ca9d0282acea8018d0de53b5cd62a81c4a9

                            Download Submit
                          • C:\Windows\{FE86BB34-7489-404b-A7F9-5E15BF1186A4}.exe
                            Filesize

                            118KB

                            MD5

                            2ae87d53b4f25d523c3d0a99ed184e34

                            SHA1

                            e7326fe43b4971416ee22de6fa21f95483e6cee3

                            SHA256

                            028ceb1f56bcd765ab6908853a64f56eae2efb2f1b6221e523db9a8e0ad0d55f

                            SHA512

                            9a68cead10422230fe778b9c145d92a0f8aa5fd76834ee3945e97a03f1d813a35ca3878ca705b077d5149ad8690606ba599da01c76538d5f5e02c56d34e11402

                            Download Submit