5a3b3e309ec247722ec6205e64794b1ab2ee2a4d0dfb7696a92782f055b5de96

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9c8ca8599dda52bf6f03d49cd41ebc0_NeikiAnalytics.exe
Size

118KB
MD5

a9c8ca8599dda52bf6f03d49cd41ebc0
SHA1

796455e14476936eaf8e10c41de874c78f6e6731
SHA256

5a3b3e309ec247722ec6205e64794b1ab2ee2a4d0dfb7696a92782f055b5de96
SHA512

08486232080057ef91269366b675b35f524d2dd37b807503aa32ffe2f4c88634e6a026527ad5aca95b6cbf7a06f9b5d4f0edd209262d5f39c379380a33109952
SSDEEP

1536:pcNjQlsWjcd+xzl7SMQQFQul9H932nJ17XdwT3AjyTRDRvWHxE+m:kjr87SHQpHtw7X+TQ+TPiLm

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1856	w9IoBja2Fc6J3Qu.exe
3024	CTS.exe

Loads dropped DLL 1 IoCs

pid	Process
1040	a9c8ca8599dda52bf6f03d49cd41ebc0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	a9c8ca8599dda52bf6f03d49cd41ebc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	a9c8ca8599dda52bf6f03d49cd41ebc0_NeikiAnalytics.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	a9c8ca8599dda52bf6f03d49cd41ebc0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3024	CTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 1856	1040	a9c8ca8599dda52bf6f03d49cd41ebc0_NeikiAnalytics.exe	28
PID 1040 wrote to memory of 1856	1040	a9c8ca8599dda52bf6f03d49cd41ebc0_NeikiAnalytics.exe	28
PID 1040 wrote to memory of 1856	1040	a9c8ca8599dda52bf6f03d49cd41ebc0_NeikiAnalytics.exe	28
PID 1040 wrote to memory of 1856	1040	a9c8ca8599dda52bf6f03d49cd41ebc0_NeikiAnalytics.exe	28
PID 1040 wrote to memory of 3024	1040	a9c8ca8599dda52bf6f03d49cd41ebc0_NeikiAnalytics.exe	30
PID 1040 wrote to memory of 3024	1040	a9c8ca8599dda52bf6f03d49cd41ebc0_NeikiAnalytics.exe	30
PID 1040 wrote to memory of 3024	1040	a9c8ca8599dda52bf6f03d49cd41ebc0_NeikiAnalytics.exe	30
PID 1040 wrote to memory of 3024	1040	a9c8ca8599dda52bf6f03d49cd41ebc0_NeikiAnalytics.exe	30

C:\Users\Admin\AppData\Local\Temp\a9c8ca8599dda52bf6f03d49cd41ebc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a9c8ca8599dda52bf6f03d49cd41ebc0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\AppData\Local\Temp\w9IoBja2Fc6J3Qu.exe
  C:\Users\Admin\AppData\Local\Temp\w9IoBja2Fc6J3Qu.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CTS.exe

Filesize
80KB

MD5
ec704028ad7125c2fa52e04dc68c0ca3

SHA1
2a63f27d0138696c9c27a9ea2534e8f2ca11ddc4

SHA256
5f77a5d7c9eac3b004820646dece450e315a6e3ed320dc183ae68d59cd2318bf

SHA512
a008a08c980583b8698431ca44fa45d5565fdc5316dc3e58c47ae523e7a7a776162979b0c79f9c64f0b71e0d98fb49102679378354f76c270d0c99207c15d160

Download Submit
\Users\Admin\AppData\Local\Temp\w9IoBja2Fc6J3Qu.exe

Filesize
37KB

MD5
371627fd939bb54ed26f473ca54e718f

SHA1
3a6910295ae9d1fe388b7572736b8bdfc6e0d111

SHA256
b5481e424246a174456add0132427df3a7cd4105f5769835cdf597966c7c0b61

SHA512
ff7ea5ae445089ffa808c97e23c620313dd267994b343176c0cb9f8098aace1d12d9212b96611fdf97c974ef94f866b817aed9c0e5f4f195234e7d8d4ec3f8cd

Download Submit
memory/1856-12-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

Filesize
4KB

Download
memory/1856-14-0x00000000008D0000-0x00000000008DE000-memory.dmp

Filesize
56KB

Download
memory/1856-15-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads