Analysis
-
max time kernel
138s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
09-05-2024 15:02
General
-
Target
6a7c1681c4b71dc8f6d751cc249d2ab0_NeikiAnalytics.exe
-
Size
1.2MB
-
MD5
6a7c1681c4b71dc8f6d751cc249d2ab0
-
SHA1
a137509153c5155ae61fa290c48934e2db5f4b90
-
SHA256
3301053c0b35d623a464716e9b24cf9191007b031cab5095df06c24af944e0c5
-
SHA512
ecf871bb67ded8648137f3ccef07278025a8943c2b369e8889a30baaaf211f007104836802b599656dcf45db2d02cc3e021d0163a337691be367fdb5f6cb9a95
-
SSDEEP
24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1Sdr36OTcgapChIQM:E5aIwC+Agr6S/FEVy
Malware Config
Signatures
-
KPOT
KPOT is an information stealer that steals user data and account credentials.
-
KPOT Core Executable 1 IoCs
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Executes dropped EXE 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a7c1681c4b71dc8f6d751cc249d2ab0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6a7c1681c4b71dc8f6d751cc249d2ab0_NeikiAnalytics.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WinSocket\7a8c1791c4b81dc9f7d861cc249d2ab0_NeikiAnalytict.exeC:\Users\Admin\AppData\Roaming\WinSocket\7a8c1791c4b81dc9f7d861cc249d2ab0_NeikiAnalytict.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\WinSocket\7a8c1791c4b81dc9f7d861cc249d2ab0_NeikiAnalytict.exeC:\Users\Admin\AppData\Roaming\WinSocket\7a8c1791c4b81dc9f7d861cc249d2ab0_NeikiAnalytict.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\WinSocket\7a8c1791c4b81dc9f7d861cc249d2ab0_NeikiAnalytict.exeC:\Users\Admin\AppData\Roaming\WinSocket\7a8c1791c4b81dc9f7d861cc249d2ab0_NeikiAnalytict.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD56a7c1681c4b71dc8f6d751cc249d2ab0
SHA1a137509153c5155ae61fa290c48934e2db5f4b90
SHA2563301053c0b35d623a464716e9b24cf9191007b031cab5095df06c24af944e0c5
SHA512ecf871bb67ded8648137f3ccef07278025a8943c2b369e8889a30baaaf211f007104836802b599656dcf45db2d02cc3e021d0163a337691be367fdb5f6cb9a95
-
Filesize
41KB
MD55de035a7db10277100a7232321deb568
SHA1457d7768b85c41d890b856b40c676eed200a87b7
SHA25605339ff2a35e5895164f741f929d9131ab50e2edbd879a15cceeafadc221a0ac
SHA51241d676de988d689520e938e90eb7f352951a08274aa21e8016efd5e9211bd57e82b836e37d7d261ef3fc4ba813232e03d2a124803149d7022f813a72062f565d
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
164KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
760KB
-
Filesize
2.8MB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB