Analysis
-
max time kernel
140s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
15-05-2024 22:51
Behavioral task
behavioral1
Sample
4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe
-
Size
256KB
-
MD5
4be2f9bbaa57368b43ce9424bc3e7fd0
-
SHA1
1bf9a4748328cc5aa2a43efbe7d8c21047b9954c
-
SHA256
65a947038ce1565127fa77b13bfc9a21d55e3a6226af2e352693d79bc4fc34c9
-
SHA512
b83cc3e8a9ec6e3a32abc2adcf9ce965691eade4ab7233cceb7e4ecac45ed6d23d48835e998a0448bbdec5c2b088e9f27ab765336f0c6579972128906aed0ae8
-
SSDEEP
6144:lf4/sJYWd+ZO+oTcboiSLhCGnFo7ksYKFn3DqFn9Wp:lf4QlqMT0oignsd3rp
Malware Config
Signatures
-
resource yara_rule behavioral2/files/0x00090000000235bb-4.dat aspack_v212_v242 -
Deletes itself 1 IoCs
pid Process 3648 avrby.exe -
Executes dropped EXE 2 IoCs
pid Process 3648 avrby.exe 2792 ofdov.exe -
Loads dropped DLL 1 IoCs
pid Process 2792 ofdov.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\flate = "c:\\Program Files\\wwdkdo\\ofdov.exe \"c:\\Program Files\\wwdkdo\\ofdov.dll\",inflate" ofdov.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\j: ofdov.exe File opened (read-only) \??\l: ofdov.exe File opened (read-only) \??\o: ofdov.exe File opened (read-only) \??\q: ofdov.exe File opened (read-only) \??\h: ofdov.exe File opened (read-only) \??\k: ofdov.exe File opened (read-only) \??\n: ofdov.exe File opened (read-only) \??\t: ofdov.exe File opened (read-only) \??\w: ofdov.exe File opened (read-only) \??\e: ofdov.exe File opened (read-only) \??\i: ofdov.exe File opened (read-only) \??\m: ofdov.exe File opened (read-only) \??\r: ofdov.exe File opened (read-only) \??\s: ofdov.exe File opened (read-only) \??\u: ofdov.exe File opened (read-only) \??\v: ofdov.exe File opened (read-only) \??\x: ofdov.exe File opened (read-only) \??\b: ofdov.exe File opened (read-only) \??\z: ofdov.exe File opened (read-only) \??\y: ofdov.exe File opened (read-only) \??\g: ofdov.exe File opened (read-only) \??\p: ofdov.exe File opened (read-only) \??\a: ofdov.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 ofdov.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification \??\c:\Program Files\wwdkdo avrby.exe File created \??\c:\Program Files\wwdkdo\ofdov.dll avrby.exe File created \??\c:\Program Files\wwdkdo\ofdov.exe avrby.exe File opened for modification \??\c:\Program Files\wwdkdo\ofdov.exe avrby.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ofdov.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ofdov.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1108 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2792 ofdov.exe 2792 ofdov.exe 2792 ofdov.exe 2792 ofdov.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2792 ofdov.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2272 4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe 3648 avrby.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2272 wrote to memory of 3472 2272 4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe 91 PID 2272 wrote to memory of 3472 2272 4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe 91 PID 2272 wrote to memory of 3472 2272 4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe 91 PID 3472 wrote to memory of 1108 3472 cmd.exe 94 PID 3472 wrote to memory of 1108 3472 cmd.exe 94 PID 3472 wrote to memory of 1108 3472 cmd.exe 94 PID 3472 wrote to memory of 3648 3472 cmd.exe 96 PID 3472 wrote to memory of 3648 3472 cmd.exe 96 PID 3472 wrote to memory of 3648 3472 cmd.exe 96 PID 3648 wrote to memory of 2792 3648 avrby.exe 98 PID 3648 wrote to memory of 2792 3648 avrby.exe 98 PID 3648 wrote to memory of 2792 3648 avrby.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\avrby.exe "C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:1108
-
-
C:\Users\Admin\AppData\Local\Temp\avrby.exeC:\Users\Admin\AppData\Local\Temp\\avrby.exe "C:\Users\Admin\AppData\Local\Temp\4be2f9bbaa57368b43ce9424bc3e7fd0_NeikiAnalytics.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\Program Files\wwdkdo\ofdov.exe"c:\Program Files\wwdkdo\ofdov.exe" "c:\Program Files\wwdkdo\ofdov.dll",inflate C:\Users\Admin\AppData\Local\Temp\avrby.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3760,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:81⤵PID:4300
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
256KB
MD5f2722a709fe210b556598a4f33125839
SHA1d96c4b8c1d4c83f62353970d0bb4ea8adc87f92c
SHA2564d10e77adb85b199395fe44afbd90d0ce228e8062ccbc60abd5b4e8d1bcc5ce8
SHA51279f995c170539e3d38601aab2bdc677bf9df24ff9a2eb59848a4f7565b5ece7a73c0c8f458f947891f9dccf610b5f911eca637db0e94be09cb7c9d09a59736de
-
Filesize
184KB
MD52876a1e964b815ca511f6fe4e97df24d
SHA1240710045a1284050dcf15ce7a35eb7c163a5990
SHA256630ee4ea7ac9dbad821e46f6f8262701c8de26b2b6da105b0d4eaa9170e83caa
SHA512d15fadd8336f02c0d52b964d290a496c48bed449097af8929ed10cd73222dfc34afb06c9f69a7c8719edf60288d93ba378e4ebd7c8d863c7f01fc71c7a9ef346