Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/05/2024, 22:49

General

  • Target

    2124e51506f793c9ea126540cacc2d70_NeikiAnalytics.exe

  • Size

    145KB

  • MD5

    2124e51506f793c9ea126540cacc2d70

  • SHA1

    ade375bf96fdfd13528d0abac8be1c1202f2f537

  • SHA256

    36f50a5d66dd97d4a4015cf91993cc6434d00896b45bbf6a5b2a26c83c556d33

  • SHA512

    70f2236a305bf29071771b64c94d08b994bf4b747dedffbf6018cbc2a541361efd65b7c0b6d6ef86698d6647e39bec923b0df0e40a6be14b8f88332bc8ce004d

  • SSDEEP

    1536:+fxvtgixq7OstjzjW6ZdjtETzR77i11GAbRp0BGiEA0O0o:+HIa6KTdNAbzSGiN0OJ

Malware Config

Signatures

  • Blocklisted process makes network request 8 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2124e51506f793c9ea126540cacc2d70_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\2124e51506f793c9ea126540cacc2d70_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:228
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&c:\obqwkoby.exe "C:\Users\Admin\AppData\Local\Temp\2124e51506f793c9ea126540cacc2d70_NeikiAnalytics.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4024
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:4856
      • \??\c:\obqwkoby.exe
        c:\obqwkoby.exe "C:\Users\Admin\AppData\Local\Temp\2124e51506f793c9ea126540cacc2d70_NeikiAnalytics.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2876
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\leuntkebf\svwtgib.dll",GetWindowClass c:\obqwkoby.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4348
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4284

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\obqwkoby.exe

      Filesize

      145KB

      MD5

      d74003e515ddfc87a8b426bfac823293

      SHA1

      31be8f2abe3ee05a5517bf249fbbf6cb266b0b46

      SHA256

      552ca0a22fdc9bf94fd23e6b86504f13532df536c8d746ec6ed730ad9202150f

      SHA512

      14eb6fa80def1d74f36d6f770540a8a5c0ad63cb28fef7d266a9e17eedf7a59ea44fd1dfe2c9fc71693caac4a9634f5798168382faadc4fa6cac0495a4f04e96

    • \??\c:\leuntkebf\svwtgib.dll

      Filesize

      63KB

      MD5

      bec93912524f50c6f7c943716c7ef02b

      SHA1

      69ba8f1dd5a7d6cd94d688c691406cbd54be4486

      SHA256

      032570414587af2303431e8db5d5f4223e0147f4b63a2160b97d9a6ea531bd81

      SHA512

      41fb8970e9007c789227740e81a483bda806470ce25476589a3dfceddaaa60b20d890c37b56f8be83defb2a5b774dbd6c2026fc259884e8acf2971b06041f6a6

    • memory/228-0-0x0000000000400000-0x0000000000425400-memory.dmp

      Filesize

      149KB

    • memory/228-2-0x0000000000400000-0x0000000000425400-memory.dmp

      Filesize

      149KB

    • memory/2876-7-0x0000000000400000-0x0000000000425400-memory.dmp

      Filesize

      149KB

    • memory/4348-10-0x0000000010000000-0x0000000010036000-memory.dmp

      Filesize

      216KB

    • memory/4348-11-0x00000000025B0000-0x00000000025B2000-memory.dmp

      Filesize

      8KB

    • memory/4348-12-0x0000000010000000-0x0000000010036000-memory.dmp

      Filesize

      216KB

    • memory/4348-14-0x00000000025B0000-0x00000000025B2000-memory.dmp

      Filesize

      8KB

    • memory/4348-15-0x0000000010000000-0x0000000010036000-memory.dmp

      Filesize

      216KB

    • memory/4348-16-0x0000000010000000-0x0000000010036000-memory.dmp

      Filesize

      216KB

    • memory/4348-17-0x0000000010000000-0x0000000010036000-memory.dmp

      Filesize

      216KB