Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-05-2024 10:16
Behavioral task: behavioral1
- Sample: 5e35f5434e9cdfd4a827bbe241fbf520_NEIKI.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5e35f5434e9cdfd4a827bbe241fbf520_NEIKI.exe
- Resource: win10v2004-20240419-en
General
- Target: 5e35f5434e9cdfd4a827bbe241fbf520_NEIKI.exe
- Size: 1.6MB
- MD5: 5e35f5434e9cdfd4a827bbe241fbf520
- SHA1: 402ae470d4bcbbcb36dd62ec0468477c35c400b3
- SHA256: ffa7f0b955e42bdcc07730ba6468a6605cd4614e9a1f2a0e8ff5c23b00a2d0ae
- SHA512: b59d1645a31c8d94ee833fe5a1e540e68c0757912bfdda65038632cecb993ace03ef400e2abec3410b00000beb1cd57f24f75107b0db39ffa96922396ebd54f6
- SSDEEP: 49152:7kTq24GjdGSiqkqXfd+/9AqYanieKdsI:71EjdGSiqkqXf0FLYW
Malware Config
Extracted
stealerium
https://discord.com/api/webhooks/1236766417727262752/FZOV11M1fjoLR4WnczxZKrX-g_v-VDKt6qaLWx656lTKl91yaMPLXY68g9mDH1EKLOrD
Signatures
- Stealerium
  An open source info stealer written in C# first seen in May 2022.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 5e35f5434e9cdfd4a827bbe241fbf520_NEIKI.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | 5e35f5434e9cdfd4a827bbe241fbf520_NEIKI.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  Processes: timeout.exe
  pid | process
  4732 | timeout.exe
- Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe
  pid | process
  3124 | taskkill.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: 5e35f5434e9cdfd4a827bbe241fbf520_NEIKI.exe
  pid | process
  4632 | 5e35f5434e9cdfd4a827bbe241fbf520_NEIKI.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 5e35f5434e9cdfd4a827bbe241fbf520_NEIKI.exe, taskkill.exe
  description | pid | process
  Token: SeDebugPrivilege | 4632 | 5e35f5434e9cdfd4a827bbe241fbf520_NEIKI.exe
  Token: SeDebugPrivilege | 3124 | taskkill.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 5e35f5434e9cdfd4a827bbe241fbf520_NEIKI.exe, cmd.exe
  description | pid | process | target process
  PID 4632 wrote to memory of 1364 | 4632 | 5e35f5434e9cdfd4a827bbe241fbf520_NEIKI.exe | cmd.exe
  PID 4632 wrote to memory of 1364 | 4632 | 5e35f5434e9cdfd4a827bbe241fbf520_NEIKI.exe | cmd.exe
  PID 4632 wrote to memory of 1364 | 4632 | 5e35f5434e9cdfd4a827bbe241fbf520_NEIKI.exe | cmd.exe
  PID 1364 wrote to memory of 1940 | 1364 | cmd.exe | chcp.com
  PID 1364 wrote to memory of 1940 | 1364 | cmd.exe | chcp.com
  PID 1364 wrote to memory of 1940 | 1364 | cmd.exe | chcp.com
  PID 1364 wrote to memory of 3124 | 1364 | cmd.exe | taskkill.exe
  PID 1364 wrote to memory of 3124 | 1364 | cmd.exe | taskkill.exe
  PID 1364 wrote to memory of 3124 | 1364 | cmd.exe | taskkill.exe
  PID 1364 wrote to memory of 4732 | 1364 | cmd.exe | timeout.exe
  PID 1364 wrote to memory of 4732 | 1364 | cmd.exe | timeout.exe
  PID 1364 wrote to memory of 4732 | 1364 | cmd.exe | timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5e35f5434e9cdfd4a827bbe241fbf520_NEIKI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e35f5434e9cdfd4a827bbe241fbf520_NEIKI.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5479.tmp.bat
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: TaskKill /F /IM 4632
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\timeout.exe
      Command line: Timeout /T 2 /Nobreak
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5479.tmp.bat
  Filesize: 57B
  MD5: b9ad840a10adea46f66484e1ca154859
  SHA1: 8ebac629da932e24db6cfd75d02a2e6bc1c9e260
  SHA256: 84e30e00bfefd06d3798488bb13199f182e9ca68215e1b38607e79ecb6789fe4
  SHA512: 79d7a490a4ae0147091744eda2dbdc009d05889668d4f600207a0f3a5380577d8b6ce28859eb6f069e43b55e7178d2aa3eb9a24e7bba50b85acf21096dfce108
- memory/4632-0-0x000000007464E000-0x000000007464F000-memory.dmp
  Filesize: 4KB
- memory/4632-1-0x00000000008D0000-0x0000000000A62000-memory.dmp
  Filesize: 1.6MB
- memory/4632-2-0x00000000052F0000-0x0000000005356000-memory.dmp
  Filesize: 408KB
- memory/4632-3-0x0000000074640000-0x0000000074DF0000-memory.dmp
  Filesize: 7.7MB
- memory/4632-6-0x0000000005840000-0x00000000058D2000-memory.dmp
  Filesize: 584KB
- memory/4632-8-0x0000000005900000-0x0000000005908000-memory.dmp
  Filesize: 32KB
- memory/4632-7-0x00000000058D0000-0x00000000058F6000-memory.dmp
  Filesize: 152KB
- memory/4632-13-0x0000000074640000-0x0000000074DF0000-memory.dmp
  Filesize: 7.7MB