General

  • Target

    d33d2595b78d26cb42955a9e9cf2b9d0_NeikiAnalytics.exe

  • Size

    2.1MB

  • Sample

    240517-jmhxmage24

  • MD5

    d33d2595b78d26cb42955a9e9cf2b9d0

  • SHA1

    5b8c3d19ba327731b7c50109bd8e4b1947061d47

  • SHA256

    9215eeb668f93639affdeff2945d69c6980c54959ebb71c8a360962b22369f53

  • SHA512

    5f50db78ab4c82fa0851842ed0febe38f20b2dda864112ef32b431acc4caf7b6e9dcf119cc65623f368da43e0bb3de91c13b1dbd72bcbca7633108f797cb22b1

  • SSDEEP

    49152:CnmaHDtym/gdycQBj0D4mcC9NIykMz5iug9:CnmTm/gdycQyHlZzIv9

Targets

    • Target

      d33d2595b78d26cb42955a9e9cf2b9d0_NeikiAnalytics.exe

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread and cause damage.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Event Triggered Execution (T1546): 1
    • Change Default File Association (T1546.001): 1
  • Pre-OS Boot (T1542): 1
    • Bootkit (T1542.003): 1

Privilege Escalation

  • Event Triggered Execution (T1546): 1
    • Change Default File Association (T1546.001): 1

Defense Evasion

  • Modify Registry (T1112): 1
  • Pre-OS Boot (T1542): 1
    • Bootkit (T1542.003): 1

Credential Access

  • Unsecured Credentials (T1552): 1
    • Credentials In Files (T1552.001): 1

Discovery

  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 3
  • Peripheral Device Discovery (T1120): 1

Collection

  • Data from Local System (T1005): 1