Analysis
-
max time kernel
147s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
09-05-2024 15:49
General
-
Target
7ae4e793ae0a33ff832216bd3c1bc730_NeikiAnalytics.exe
-
Size
1.6MB
-
MD5
7ae4e793ae0a33ff832216bd3c1bc730
-
SHA1
3ad1f1489b4a3eb326e0672db7af498f789ca00e
-
SHA256
718ca10177bc8b8e0fecc68eb78674e3797ebfd0ced9ecbc7373169981aed092
-
SHA512
3ac9b6cf6fc8448b275415d54c0147a752e87327ff0311e2c41b51c9698ddf53b616207c949cc3eedda2c177ec955b6b8decb75006c938b6c18b5cf37caf6103
-
SSDEEP
24576:g+/QoiZMrCxuYigXe4i7ojhsP5Lgrk1TWb4AN5:RmMriuee30jaNf1TWbdz
Malware Config
Signatures
-
Executes dropped EXE 17 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 26 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ae4e793ae0a33ff832216bd3c1bc730_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\7ae4e793ae0a33ff832216bd3c1bc730_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD5ae7e9939975742fa79a009543c6c676a
SHA1fff1b38946df7ee858a883ad80028444f30f48e3
SHA256ed2b6106f894a054ff76ac841f30cc180ca110ba2c57ac9ab80ee9ccdb9e5df1
SHA512cda5d5c72319cb0cb089fd151ff7a5ad972c8d1c964108015fb0d48c5ee3d7c5120d8fe25f2a611c0b41954d01332843962cc662eb300d4fa535d1868d1b5500
-
Filesize
1.6MB
MD525ad6009e3d58a2ed48c46c3c039d768
SHA11548fb130a93539707fbe80f4cac1878795db2a1
SHA256178b485004c8bcf952f51b4deee988c4f4714b4f5ecc8a486d22ab176b74cae7
SHA512dfae310653c8ea1383c85c659174da5d9658fa20bdd645c3620e8c0d31e77c81e8f9d0ce8d1a5dac09806a4e262ceba592430c2f49ead55564fed674d8195d3c
-
Filesize
1.7MB
MD5f275d35cc2191732c9f114850dfc1246
SHA1107a632c45d0c775dc7c63e5866cb392a7149296
SHA256635447b80680e94db4411986021f56961f62948190e773ad2cb2710c5ccbc816
SHA512c42f905e4c92bf35f063887d22ee2679e8bfe8da45a002aa5ba9c489505d6c25c01698d0d8c67baa64527c74e0aa4ec726428b1e26e7c06f0ceff27a64ed7d39
-
Filesize
2.1MB
MD54a53dcd9563d0e719c77b456c8490918
SHA1f3808c9ffc705cddd41cada0d936d6e19cd3cd0d
SHA25622258bd992762be6fcc7cde63cf7202c5504da3686b864ced5389a372c6ece14
SHA512b885acfd0fccf4bdc23b585c38e475aec2a5f61bfd457a010f0676eefd2ed4b023825c37ebdbd1cf8ad7a433b8ab486067fb3584ad440d59caf7fb6d310a93bf
-
Filesize
1.4MB
MD5ce67575688553cad24155a25a1fe60ec
SHA19f80c557c98aa74388799f47de8bb4a0d3b6d422
SHA2563e89e98bdeda075767efcc2555616ed0e8a42757dcbed1ea907160a5ae0c5b03
SHA51296226151415b09b793cf8064dc7989304379f7b0d53d473cc31c41a91411028854e07b7a3716b74a09570b6aef8beda8362d68045dcc478f9a3ed68ad8ac8420
-
Filesize
1.7MB
MD5b278ab4b7334dc69b41d95cfe19e1356
SHA16b7c403733adac19eddd48ac57034ab4db64054f
SHA2564f339f93fda961269d196e54e72cde1a26552017fed7571068391c4879e16e81
SHA512af50a6f27600f47bc95e374307bc0521947ee0530ce2d2a844a87e1f71e7908fb0b18930efd2ae790f8051a05835051a860019f285913ba2225b16cc4a0269a3
-
Filesize
1.5MB
MD5906a4cc494b89cbbb032eb19120970c7
SHA156591de569e9c0210787d08504eb2b604bc93b63
SHA2565590805c3ff52c16fcd173427a02c044c3f572e65366fee51726d346e818ef0d
SHA512121c882a8d020604e25b29243f0eae85d01a79f0a9eb3d236b18d86475a0eb799bdc1a8545ce3d2530f474949439ed0b7d6f3c9f405e5a6cfe8d82f18eef1c65
-
Filesize
1.2MB
MD5003d707df2dc6db16b8df0f72247c121
SHA1af7edc9752a58216b712f9cc687e3776ad3da884
SHA256b7fa36df6c483597b8dc310c47b32b7770fb6410d82b52052abefd6193a171e2
SHA512a6edf4751d6dcd0a84351b0c46137342fa32ba74509732ef82d13a3dc0cea7e69aa025d6c0e9116485f072dae0a6416af43d10f3f7009dffde6edadcfcdd2f04
-
Filesize
1.4MB
MD5acfe32a756b23e902e571e9fc84bc6ea
SHA1a6f6af5e3645705f4695bfeee81b66f1cf54cacb
SHA256a75cdadfdef0af41582609831fdf9c512851e419962c6fd6746f48991e7ff383
SHA512a8d633aa5e1b8aa21d53babe49995217b8ee2c85acec4ca8326a2f19f73c8a85262283edc4aea5e9e91b47a6f50fc0212fed05d2ab5fc1921c975f70211ddd74
-
Filesize
1.8MB
MD5c115cbb76c0b5f6698b157d251dea8b3
SHA14bf40f529618c81077a0880b0f89b3c15daa11c7
SHA25637095298c0901c5d8ef200a359a9dfbd79dd3832602f8720f42448c10c44af65
SHA512c595e7b83d1ce1a703cc503910e568a1c812d125f47a0d33248193117357bbd35d80e191df950f48a937962c8311065814f7e45fcec8a8657219e817b5c9df7f
-
Filesize
1.5MB
MD59c03e6ee1fa309dcee36826e05ea2e71
SHA1d28db36b1375da00eec68b5d6799dd0ff9d4dc2a
SHA256a093d25bb07ebc28e85467fdc52e9d9849418fffd0f99afc65019029ddc54958
SHA512450cb0b637388e75d4c7017288eef43c1a23e5713a72a497be5d317b41162decb499f73751da933d477a576c0d18543ea2b22799d3dfe7e1cf2e8ef814107ecf
-
Filesize
128KB
MD55a4807891473be3d3094e48f25e5ecf8
SHA15d5556b720e79cde34d373c2d035dc5626f2fd6f
SHA25637c08c3faf876c794e3f03b08b31c63e14f8d48003ef1cbf5cf56420c55c04f8
SHA5126c010c5b6baf370d31cc20c93810472df04bfc387bab0750d4f846ecc56b9d825ed0eaca566fc14fe032337ede1a8f46feaa59e291cefca754b1113874c695f3
-
Filesize
1.8MB
MD5faa7df785c582657f67af0d5dbb28dd2
SHA1be25be4dda4f71db188532334f029af66e6a59cd
SHA256b2469d76d037bbb425c5c9d32ece865211d9e54af84a5a2c0968beda9bd4f2e4
SHA51235fc8e0b00a5bf8c0eaeeb0c97ea3d3fc5f3ee15560a5da046a2e39dcd2a5be3b39c04fbbd99fb30184193df1a94be514de3da3a7fdc06bfdc04d871a1ea07d6
-
Filesize
1.4MB
MD5cc8808540fd884b8ef478d81fa678c7e
SHA16c8652ea396d3f0b568a9666ec7d3dfc841640a7
SHA256ca9a4b50cc84616df9e8018152ed6df8e3e989db6cfa2c2732cbd0bcda5f8880
SHA512fc9f032864f5f468374e6950a6d18f018753489774baef60256dfa032046ee3ca9985113760504bf632a6ac4a35c082e31d5052bd44f5d31638f6f9054769d76
-
Filesize
1.7MB
MD52c2991a83635820a31df3d4af05e9abf
SHA11d0e3e2e7f14d89e4b0c79b3cc0fd87bd7926659
SHA2569a325770da6293c924d9b0ff6e1081272b07c372c5fb168afb4efea11909b4b0
SHA51215c1783609cbe32cc55692b8d38b377cfb982061088ccb1c1a43ff1aa8311f8f6940a4fa870aab386e5f9364ca12606451b27afdbbe054f8efe1f9a6c0fa58a7
-
Filesize
2.0MB
MD555e99c466f67c37d7efd3d7d588d5c5f
SHA1c5de819905947dbe803b11bd48b8dcd35ac19bc5
SHA25639d2aa809a6fa3e101cacc66f2df4e9053691adead9e89100e030df1a348cf7e
SHA51256f32c1484e2b04f9fc1ee66b8a0af3eaae8eb6d3e4d016c4ab6dad31ed48e7146665daa4fdf42e63aa1f4b35c8e7ca134499eeb9bcbded96715733bbe5a585d
-
Filesize
1.5MB
MD514b19d77da406c86aa92f1740c01775f
SHA1c09d6fe9582b11ba12bf43fe09b11401c7e1a714
SHA2563fbfb36879ff26ffca6f82b34ae0b9d72cbb6b022df3d56ff853dccd53b6987d
SHA5122b589298463d4598b9d79c7be90378d09f5ee7e887e6a15d1d63c81ee092bf6b6ed29a0d97f1cf39dcf50c9e6f0631d4dc632394ee2b17c25af0462f5bd4c623
-
Filesize
1.6MB
MD54527a3259f8abae4c1ad8d6fa3f2e401
SHA18525229c6d46148d5bf7aef742f6d4a5485016cb
SHA256058d5f20880e849070e9a3892c100d63d2a944fd136751ba55dbe990010d3711
SHA512d43406b890a5f81ae4887c21856f2579b33cd6f3574d9f5237f07f8c5ff1557cf2785304ee526f649b3b101d6f6532c37371e50cfc934ded1fcae008a52f4e14
-
Filesize
1.4MB
MD59f4e95e1ec907ded189b717e5ee118bc
SHA1d8b827d4d2ca3ad276235e5c8bc4e8f9e4e64fc3
SHA256e7dcb88244c71ea39ee4240885db5f7e536d5c3c5d997244bfbf27d18073b408
SHA5123826f0a48765ad58388f20f157e5aa49f1f3f37b3954c1587e0c4b593e1a7891c8eab39ed8994b5f431af9fc41e20d64cfbe0d4b96a95a08dd625502bca3a3a1
-
Filesize
1.3MB
MD55bfe21bd91d3bf9f043ca072fb408d24
SHA1a5949f9a0f8818046336e09dd7b565eec885d1c5
SHA25689bb9ba442108d247bde04bd20b961765e9fe2869929295ada0f5c6193e3f63b
SHA512481e7684b6f9fc101337ba830b6eb188bc6a7607e3b4cdcc94c4112a1b4debb84fc9576340853c435d009a174355cd962122801d633f3934eed6a4a0a8d18926
-
Filesize
1.6MB
MD57364f9146086034b46fc8546eb5d290c
SHA121fe54ab84c28106830b41a9b977b8aad7f6b476
SHA256f64a666313adf26d151fa5212774a5553c021988202be6e2ba4b76cee24dae86
SHA51277ca986e6070eabe6ac48e3c79559674af51b47af9087d0d55ec4749a00a14e993035663d5231528e66ccab6423fe8961c0f01c6d799092f663867fcf42383d5
-
Filesize
2.1MB
MD57fb1443717f78f38b8563a2327a7c2b9
SHA1b20171f190b5acd4d30f39c1d0faa62b3e0cc03a
SHA256ab49a88a806a8e7ff3fa071e5fa0ce5ba7dd65631a306f569abc77e7954fdcd9
SHA512d06bdc3419c9cbed460c6148abba02923ed2a882e700b6a9416f2f9c24af2316ce4ff92f10f42e8f2f03bcb078350353b967050965daea64266d56f6f1b2ee07
-
Filesize
1.3MB
MD555a184bd7f1acabc5094f1b1335d3885
SHA12726148dadf068623bfb2713877ed2cbddb2a90d
SHA25621cb288a1286f915106cfcb42de7f75b187a937e58593d817fd4d094ddd914d7
SHA5125fef8b9e50c33c60858bf6e915f351c7176f61db79f3e2292ad13e8aca334e763c533a87f63f08e415edbecc36a1c59feb8b8ea573719f119eb7c9ed16f5149b
-
Filesize
384KB
-
Filesize
1.7MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.7MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
384KB
-
Filesize
1.7MB
-
Filesize
384KB
-
Filesize
1.7MB
-
Filesize
1.5MB
-
Filesize
412KB
-
Filesize
1.5MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.9MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
2.1MB
-
Filesize
1.7MB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
384KB
-
Filesize
1.5MB
-
Filesize
384KB
-
Filesize
1.5MB
-
Filesize
1.8MB
-
Filesize
1.4MB
-
Filesize
1.6MB
-
Filesize
1.3MB
-
Filesize
384KB
-
Filesize
2.3MB
-
Filesize
384KB
-
Filesize
2.3MB
-
Filesize
384KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
384KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
2.2MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.2MB