a1eca432aca74c76e0f66bc0efff30ee0a9b24560f226ece42a33a23b24fe877

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c264675ba10c70a6e331082feffd5bb0_NEIKI.exe
Size

4.7MB
MD5

c264675ba10c70a6e331082feffd5bb0
SHA1

26c7c816b9a937e3a079cbd38531b42c43a6ffee
SHA256

a1eca432aca74c76e0f66bc0efff30ee0a9b24560f226ece42a33a23b24fe877
SHA512

73af47a6c0396ae8f4236b3c68dea94ff883bf4ebb3bee38dde61c28ae2b1bd6e6ed273aa082c03d8b2db7ff07e54175dda5ee9c3efa0dde3f16662518188998
SSDEEP

49152:N/8KkUHbAgK56yWAnbbL3kK2w3hsJUWg3A5Y5OVjHyzeObc0vkn4Rk15BmaFvmy1:NkWbbn5YLdsqWgQ0OVTyzecLg5BmG

Score

7^/10

execution spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2020	c264675ba10c70a6e331082feffd5bb0_NEIKI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2952	powershell.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2848	2020	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2952	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2020	c264675ba10c70a6e331082feffd5bb0_NEIKI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2952	2020	c264675ba10c70a6e331082feffd5bb0_NEIKI.exe	29
PID 2020 wrote to memory of 2952	2020	c264675ba10c70a6e331082feffd5bb0_NEIKI.exe	29
PID 2020 wrote to memory of 2952	2020	c264675ba10c70a6e331082feffd5bb0_NEIKI.exe	29
PID 2020 wrote to memory of 2952	2020	c264675ba10c70a6e331082feffd5bb0_NEIKI.exe	29
PID 2020 wrote to memory of 2848	2020	c264675ba10c70a6e331082feffd5bb0_NEIKI.exe	31
PID 2020 wrote to memory of 2848	2020	c264675ba10c70a6e331082feffd5bb0_NEIKI.exe	31
PID 2020 wrote to memory of 2848	2020	c264675ba10c70a6e331082feffd5bb0_NEIKI.exe	31
PID 2020 wrote to memory of 2848	2020	c264675ba10c70a6e331082feffd5bb0_NEIKI.exe	31

C:\Users\Admin\AppData\Local\Temp\c264675ba10c70a6e331082feffd5bb0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\c264675ba10c70a6e331082feffd5bb0_NEIKI.exe"
1⤵
- Deletes itself
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 528
  2⤵
  - Program crash
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fYpYTyBm4oTd5M7QNDls00Wwxp9sbU\screen1.png

Filesize
391KB

MD5
8e488005b9080303dc1ba51cd6a6ce20

SHA1
5ededb16d1a38328c2a35cc20fec5cbfac23a1d1

SHA256
1aa2bbd411065b1dadf7d73b27bec769932c178a242e4e135c80c57a0ca80360

SHA512
7563fde033207b327764c0cae020137db7cc6ac824aeb2c6c167978dd3845c9aab32d8c7afd13feb939221183f0b1f5fb339cada40865efa3b567018e5b3aefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYpYTyBm4oTd5M7QNDls00Wwxp9sbU\sensitive-files.zip

Filesize
7.1MB

MD5
39c1d26b26016e2448f52e3310089fe5

SHA1
72b3a9b95341ce071b0e89c3837606866023880f

SHA256
7adbce23f5295bc2c479ecf072782e0e06873e2ae8fd8a17969f2954f8927e41

SHA512
527ab0a0a503709e7aa1d0a83a1edd39f7d7e394d640d2c8a04d219faddf1b91750655c24a5f18c61e3be4dbc9a246111de327accdba6cd5dfbcb749b1d17b9c

Download Submit
memory/2020-45-0x0000000001060000-0x000000000150D000-memory.dmp

Filesize
4.7MB

Download
memory/2952-2-0x0000000072EA1000-0x0000000072EA2000-memory.dmp

Filesize
4KB

Download
memory/2952-3-0x0000000072EA0000-0x000000007344B000-memory.dmp

Filesize
5.7MB

Download
memory/2952-4-0x0000000072EA0000-0x000000007344B000-memory.dmp

Filesize
5.7MB

Download
memory/2952-5-0x0000000072EA0000-0x000000007344B000-memory.dmp

Filesize
5.7MB

Download
memory/2952-6-0x0000000072EA0000-0x000000007344B000-memory.dmp

Filesize
5.7MB

Download
memory/2952-7-0x0000000072EA0000-0x000000007344B000-memory.dmp

Filesize
5.7MB

Download