Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17/05/2024, 17:52

General

  • Target

    11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe

  • Size

    2.6MB

  • MD5

    11d5d0e3b01a9af1db9a5f9e653b2ef0

  • SHA1

    bb533f397c8fbe7f61f58d162f875d78b74034af

  • SHA256

    aaa6e04bbbc7b6df02648da93524a190bd796dc17b2160a5e10a94b24b7d8e5d

  • SHA512

    20c6621d184db520bba367815fc90480cc2e2bcd5143704c37ec7abb2d2c7c412d6b546aafed92878cac25b2cb3c9238a35a1268706666825491c81e1466fc70

  • SSDEEP

    24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4ei:ObCjPKNqQEfsw43qtmVfq4/

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.me.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    RICHARD205lord

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 25 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • NTFS ADS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
      C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        0
        3⤵
        • Suspicious use of SetThreadContext
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp8BCB.tmp"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2448
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp8C49.tmp"
          4⤵
          • Accesses Microsoft Outlook accounts
          • Suspicious use of AdjustPrivilegeToken
          PID:2976
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpA04F.tmp"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2856
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:2752
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:3004
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:1476
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:1116
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:2620
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:1852
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:1156
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:2132
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:1012
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:1788
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:916
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:768
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:2312
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:884
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:1948
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:2116
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:280
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:1632
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:2636
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        0
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2460
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpFD14.tmp"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3004
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpFDE0.tmp"
          4⤵
          • Accesses Microsoft Outlook accounts
          • Suspicious use of AdjustPrivilegeToken
          PID:2712
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpFE10.tmp"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2816
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:2456
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:1440
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:1396
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:1724
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:1848
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:808
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F077E9DC-6E8D-479B-92D3-FB2B942A3C40} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\ProgramData\winmgr119.exe
      C:\ProgramData\winmgr119.exe
      2⤵
      • Executes dropped EXE
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      PID:1732
    • C:\ProgramData\winmgr119.exe
      C:\ProgramData\winmgr119.exe
      2⤵
      • Executes dropped EXE
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      PID:1624

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\khaxFMfI\009276b996b04917a9a60a951037d8a6

          Filesize

          16B

          MD5

          1f5946c8f04bb34f9ab08514002d3b2c

          SHA1

          2bcedf7c848953711b03e32d9c8d64399fcb2c2e

          SHA256

          43438697b4eb8b708068b454efc8d4f5d452d2966c1f314630ad1bf4ee325f60

          SHA512

          ac3326e915dff6db5ee3b7e8a9aa9a8b453ee45fb4e3e2397a38376c7c64b2d47e4ad9573e3ae5401d266dcc160caf59e929b4910ca3b566a0638c9df295f9a8

        • C:\ProgramData\khaxFMfI\189d625f98324bab87032800e1e7f084

          Filesize

          8B

          MD5

          bf7db567ebf50a863401d43a5705bff1

          SHA1

          66a6e1e516c4774dbfafc013eb0aa398b37b0bd8

          SHA256

          58758ee9a59edb45d73a9737f652605d4178bfea2d3d1f4dc776e94980cfbd66

          SHA512

          212df73685f6d2806104d314db6bd8da260500e33071277dec7791503a656d752894ddffa4810e5d282ba5ca35088daacf419d1079bdbcc043d94147b1b3fa8e

        • C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749

          Filesize

          8B

          MD5

          dec3a465561beb6fb39c71e129e70cd4

          SHA1

          4f18b981bedf9086e9108fdfdc0c138e53db2293

          SHA256

          09edd6ea3fa87005f5328de8f3f4aa60281d9a4455c31b2020abf88f57c283bf

          SHA512

          6c71e74f0b400f401ad5d0a1254616b7ecd9c627fcd380ec18e4bb8c77517d3a57500b517cbe33a0a982ebccd1da10b283efd601b497117301bb9d30865d14cf

        • C:\ProgramData\khaxFMfI\47928f366bbf48c9ad07f8d6a7670eaf

          Filesize

          88B

          MD5

          0b187cb1c7efffd179c1b9d14c64f7c9

          SHA1

          fe491fe4acbc3b8c43d0993bdaabdafde99b7be5

          SHA256

          0c59e31bae265ee8bb01eca33a59de8b1fc44403fa5979b9bc21a6d8460eb6c8

          SHA512

          df643da2f9e6b90b70e2144360657b0c2b9b4b0a552aba14a4f1c73b5e3b882b5d51c6373f91f5975454b3f9857e01cce8c0c02548e94add3ab8368fcf641f09

        • C:\ProgramData\winmgr119.exe

          Filesize

          2.6MB

          MD5

          4cb3643980d2659d41e289961e968c1a

          SHA1

          a47d5c317f8a7a53d482e11e005f8b32bf4af2b6

          SHA256

          c7f797f7bfb6a23b171245588830c3139dc9bf45d538c295574a79a9e6654350

          SHA512

          8bdcd51006074234368f66ef429f30aa193164999dd9157bc2c9f7a1abc7befa50fde164d987a044124702ac58187ed7eb84f87034de58a2ee9cab59d76f1d49

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        • C:\Users\Admin\AppData\Local\Temp\Tar9315.tmp

          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        • C:\Users\Admin\AppData\Local\Temp\tmp8BCB.tmp

          Filesize

          399B

          MD5

          e4bf4f7accc657622fe419c0d62419ab

          SHA1

          c2856936dd3de05bad0da5ca94d6b521e40ab5a2

          SHA256

          b32fa68b79c5a7ceaa89e8e537efe33a963c499666202611329944bd2c09318e

          SHA512

          85dc223e39a16ddeba53a4b3d6c9eff14d30ec67dfda1e650da2c9057f640edd033a31868915a31caac0d325d240a7f634f62cd52fbd2adc68bd1d9cb6281431

        • C:\Users\Admin\AppData\Local\Temp\tmp8C49.tmp

          Filesize

          400B

          MD5

          de4e5ff058882957cf8a3b5f839a031f

          SHA1

          0b3d8279120fb5fa27efbd9eee89695aa040fc24

          SHA256

          ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49

          SHA512

          a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

        • C:\Users\Admin\AppData\Local\Temp\tmpA04F.tmp

          Filesize

          391B

          MD5

          3525ea58bba48993ea0d01b65ea71381

          SHA1

          1b917678fdd969e5ee5916e5899e7c75a979cf4d

          SHA256

          681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2

          SHA512

          5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

        • \ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

          Filesize

          2.6MB

          MD5

          00fdefae0eeb41e238a31f129d55f20f

          SHA1

          8c106ef33db72ccd60b008897dfb1ec72aa5ba7c

          SHA256

          6c1470d3a8dfc943a840edf9fedfaa0aabae0c1a72a1bce82811aa5f1d01619d

          SHA512

          979e5badfb1e093af29c6f457778a5efc568ed90fdea935a54cf285254ebea74f445a4539dc87deee2ed10a6d4398a007b331bf73366e9f4998d178e0ae15531

        • memory/2448-21-0x0000000000400000-0x000000000048E000-memory.dmp

          Filesize

          568KB

        • memory/2448-23-0x0000000000400000-0x000000000048E000-memory.dmp

          Filesize

          568KB

        • memory/2448-22-0x0000000000400000-0x000000000048E000-memory.dmp

          Filesize

          568KB

        • memory/2448-30-0x0000000000400000-0x000000000048E000-memory.dmp

          Filesize

          568KB

        • memory/2460-100-0x0000000000090000-0x000000000015A000-memory.dmp

          Filesize

          808KB

        • memory/2460-99-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2460-102-0x0000000000090000-0x000000000015A000-memory.dmp

          Filesize

          808KB

        • memory/2460-101-0x0000000000090000-0x000000000015A000-memory.dmp

          Filesize

          808KB

        • memory/2664-10-0x0000000000140000-0x000000000020A000-memory.dmp

          Filesize

          808KB

        • memory/2664-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2664-12-0x0000000000140000-0x000000000020A000-memory.dmp

          Filesize

          808KB

        • memory/2664-16-0x0000000000140000-0x000000000020A000-memory.dmp

          Filesize

          808KB

        • memory/2664-17-0x00000000741A2000-0x00000000741A4000-memory.dmp

          Filesize

          8KB

        • memory/2664-87-0x00000000741A2000-0x00000000741A4000-memory.dmp

          Filesize

          8KB

        • memory/2664-14-0x0000000000140000-0x000000000020A000-memory.dmp

          Filesize

          808KB

        • memory/2712-124-0x0000000000400000-0x0000000000491000-memory.dmp

          Filesize

          580KB

        • memory/2816-130-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/2856-81-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/2856-79-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/2856-78-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/2976-33-0x0000000000400000-0x0000000000491000-memory.dmp

          Filesize

          580KB

        • memory/2976-74-0x0000000000400000-0x0000000000491000-memory.dmp

          Filesize

          580KB

        • memory/2976-34-0x0000000000400000-0x0000000000491000-memory.dmp

          Filesize

          580KB

        • memory/2976-35-0x0000000000400000-0x0000000000491000-memory.dmp

          Filesize

          580KB

        • memory/3004-115-0x0000000000400000-0x000000000048E000-memory.dmp

          Filesize

          568KB