eac4f2902f8d0756ca00326dc4a53d8b0d3f77dab23d1d05a5fd5257dcf13e7c

General

Target

0cfcbed897db86ab9f29df8d4b576150_NeikiAnalytics.exe
Size

6.8MB
MD5

0cfcbed897db86ab9f29df8d4b576150
SHA1

5984d1601e6d115dd84dcf1e5e9e68c8d083ba9e
SHA256

eac4f2902f8d0756ca00326dc4a53d8b0d3f77dab23d1d05a5fd5257dcf13e7c
SHA512

d1c0086d128d4125d6ac39615adf2fe2a2ba44b0aad1d246a99d056a8f066312e0aa8d9a4fb864d902b359662248ec5f30f0af683403789e02d9fff668d9b5be
SSDEEP

98304:8ZU+4cYV5M6Z17WovexHh+Md+bC1mH4cZUi8SlbWI:8ZUBxsHhWbI5cZUid

Score

7^/10

execution spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
476	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
476	powershell.exe
1728	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	476	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 668	2140	0cfcbed897db86ab9f29df8d4b576150_NeikiAnalytics.exe	29
PID 2140 wrote to memory of 668	2140	0cfcbed897db86ab9f29df8d4b576150_NeikiAnalytics.exe	29
PID 2140 wrote to memory of 668	2140	0cfcbed897db86ab9f29df8d4b576150_NeikiAnalytics.exe	29
PID 668 wrote to memory of 476	668	cmd.exe	30
PID 668 wrote to memory of 476	668	cmd.exe	30
PID 668 wrote to memory of 476	668	cmd.exe	30
PID 2140 wrote to memory of 1720	2140	0cfcbed897db86ab9f29df8d4b576150_NeikiAnalytics.exe	31
PID 2140 wrote to memory of 1720	2140	0cfcbed897db86ab9f29df8d4b576150_NeikiAnalytics.exe	31
PID 2140 wrote to memory of 1720	2140	0cfcbed897db86ab9f29df8d4b576150_NeikiAnalytics.exe	31
PID 1720 wrote to memory of 1728	1720	cmd.exe	32
PID 1720 wrote to memory of 1728	1720	cmd.exe	32
PID 1720 wrote to memory of 1728	1720	cmd.exe	32
PID 2140 wrote to memory of 2864	2140	0cfcbed897db86ab9f29df8d4b576150_NeikiAnalytics.exe	33
PID 2140 wrote to memory of 2864	2140	0cfcbed897db86ab9f29df8d4b576150_NeikiAnalytics.exe	33
PID 2140 wrote to memory of 2864	2140	0cfcbed897db86ab9f29df8d4b576150_NeikiAnalytics.exe	33

C:\Users\Admin\AppData\Local\Temp\0cfcbed897db86ab9f29df8d4b576150_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0cfcbed897db86ab9f29df8d4b576150_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe "Get-Command Compress-Archive"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Get-Command Compress-Archive"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe "$ProgressPreference = 'SilentlyContinue'; Compress-Archive -Force -Path \"C:\Users\Admin\AppData\Local\Temp\ChromeTemp\" -DestinationPath \"C:\Users\Admin\AppData\Local\Temp\ExomC.zip\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$ProgressPreference = 'SilentlyContinue'; Compress-Archive -Force -Path \"C:\Users\Admin\AppData\Local\Temp\ChromeTemp\" -DestinationPath \"C:\Users\Admin\AppData\Local\Temp\ExomC.zip\""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2140 -s 132
  2⤵
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9e02f262fd9f4445e7e67206c63f757e

SHA1
39a8d07ee7a130ca817c7a1af0f13e434dc8194a

SHA256
67e35455aa3c3bb5fa27668297f585b8a3ee9d72dfdb62f53e32aca1f5d5e2cf

SHA512
ae1e3c0355c6c9fefd0b29b22d792a8f5821ac47438f6765fcf6545a544c584b5e86547d57ac07c22121c8eb292e87021785929b8d5babb0af919aff370c9c20

Download Submit
memory/476-9-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/476-10-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/476-7-0x000007FEF565E000-0x000007FEF565F000-memory.dmp

Filesize
4KB

Download
memory/476-11-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/476-12-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/476-13-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/476-14-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/476-15-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/476-8-0x000000001B3F0000-0x000000001B6D2000-memory.dmp

Filesize
2.9MB

Download
memory/1728-21-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/1728-22-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2140-23-0x000000013F590000-0x000000013FB8E000-memory.dmp

Filesize
6.0MB

Download

Analysis

Sharing