Overview

overview

10

Static

static

3

1d3535cc01...cs.exe

windows7-x64

10

1d3535cc01...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18-05-2024 17:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d3535cc01b2cc54b808a55e945707a0_NeikiAnalytics.exe

  • Size

    596KB

  • MD5

    1d3535cc01b2cc54b808a55e945707a0

  • SHA1

    a9a563b8ee37f17c847248bb207b28086d9f4628

  • SHA256

    f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19

  • SHA512

    4c344a2abc7ace17a3fced1e3fcf09ac959b47d8bc1a5bf4280d46c3dccd015254a42ce722f93bbbe28f9866696db685df6209b4e863fa9e02772753eeb2ebbc

  • SSDEEP

    12288:15/Sm4/r42toIX4IaZo2BOtdMKX8MbICwAvV6LwfAnxMlpxxWmBNIg9SWvAK:70/rX8IJ2BwNQcfAnxgDzBx

Score
10/10
redlinesectopratxwormvicdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

Vic

C2

beshomandotestbesnd.run.place:1111

Extracted

Family

xworm

C2

127.0.0.1:7000

beshomandotestbesnd.run.place:7000
Attributes
  • Install_directory

    %ProgramData%

  • install_file

    taskmgr.exe

  • telegram

    https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Signatures

  • Detect Xworm Payload 5 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • .NET Reactor proctector 35 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d3535cc01b2cc54b808a55e945707a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1d3535cc01b2cc54b808a55e945707a0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\ProgramData\system.exe
      "C:\ProgramData\system.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\system.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2308
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2812
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\taskmgr.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1504
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1800
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskmgr" /tr "C:\ProgramData\taskmgr.exe"
        3⤵
        • Creates scheduled task(s)
        PID:1612
    • C:\ProgramData\build.exe
      "C:\ProgramData\build.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2844
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F422B2BE-E646-4404-A175-A2C2DC948F9C} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\ProgramData\taskmgr.exe
      C:\ProgramData\taskmgr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1100
    • C:\ProgramData\taskmgr.exe
      C:\ProgramData\taskmgr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\build.exe
    Filesize

    95KB

    MD5

    16280875fdcf55ab4c8f1dff6dabc72e

    SHA1

    39880e6fbb258f4f4fa5c79337ec893acae55fb7

    SHA256

    91455ac8837ff1fdba7067cd3e7f790c1649ae70164ccbdf0483eae831a7253a

    SHA512

    53ba4e5e88a8f19ba3faa2f1244501c2d62827a9178ec0fdc995582e03e7d8e39f2dfd7bde11285781a65a021d4f4aab48b94be66a8a1cebbd47ab0cb819202e

    Download Submit
  • C:\ProgramData\system.exe
    Filesize

    75KB

    MD5

    70b9f8ef4c4ce24fe372b292aebcd138

    SHA1

    5fd7ce9318727b27db0dd50effbb632686d53f8c

    SHA256

    15af516d88e83cfc8d3deebe7aeb9ccaebc558fc93544ef31b612113fcce907b

    SHA512

    b4658ccb665aa9f43cc049a51c477a0b314c5c13d254d648e34f9feca9feb06021bbf271857f73998e31cc7f877fa5457fbe7420beb58f3563fbfbe121a4cbad

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cab47FA.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Tar491A.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp4C03.tmp
    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp4C38.tmp
    Filesize

    92KB

    MD5

    c38ea50a9d1b652272fdae5db82c9404

    SHA1

    d7444179c921d090b4e5d954997087bc0004e69f

    SHA256

    b5e3708f123a02f980e4e8397a055b98dceecdc754bbb67872e8bf3651541742

    SHA512

    b91d23e89ca310a4cc9bbfc9537880e1b0c09d0ebf28fa1514258110f3fe33493f24145430093c9d1eb6ddcac8ef25ed74eb0d0c2c8c0544c1cfe2dcf206e2f5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    9734a2baf69a3d63dfcc7f5a066824b6

    SHA1

    4f24a41f54f6cacd7a4dcc2232444668d95b6391

    SHA256

    221b4b434a00137b435ef1f577e6c0b0614db88abdd7ef84eee99b0754600e75

    SHA512

    efc869aa6016176442760ee412c52e354ce72415e077442b7a9bab4a124c63a5a9ea7bc8f1a8d2277e69d431359eee2a25f1706714e8e27e0f74854d181b366d

    Download Submit
  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • memory/1100-366-0x0000000000A20000-0x0000000000A3A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2308-145-0x0000000002770000-0x0000000002778000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2308-144-0x000000001B660000-0x000000001B942000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2372-36-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-130-0x0000000000400000-0x000000000048B000-memory.dmp
    Filesize

    556KB

    Download
  • memory/2372-69-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-34-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-70-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-66-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-64-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-62-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-60-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-58-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-56-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-54-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-53-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-50-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-48-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-47-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-44-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-42-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-40-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-38-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-1-0x0000000000600000-0x0000000000700000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2372-32-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-30-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-28-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-26-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-24-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-20-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-18-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-3-0x0000000000400000-0x000000000048B000-memory.dmp
    Filesize

    556KB

    Download
  • memory/2372-2-0x0000000000220000-0x00000000002A8000-memory.dmp
    Filesize

    544KB

    Download
  • memory/2372-133-0x0000000000400000-0x00000000004DF000-memory.dmp
    Filesize

    892KB

    Download
  • memory/2372-16-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-131-0x0000000000600000-0x0000000000700000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2372-4-0x0000000000400000-0x00000000004DF000-memory.dmp
    Filesize

    892KB

    Download
  • memory/2372-14-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-5-0x0000000004740000-0x00000000047A6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2372-6-0x00000000047B0000-0x0000000004814000-memory.dmp
    Filesize

    400KB

    Download
  • memory/2372-7-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-12-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-10-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-8-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2372-22-0x00000000047B0000-0x000000000480F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2668-360-0x000007FEF5933000-0x000007FEF5934000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2668-139-0x0000000000450000-0x00000000004D0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2668-137-0x0000000001110000-0x000000000112A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2668-136-0x000007FEF5933000-0x000007FEF5934000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2668-362-0x0000000000450000-0x00000000004D0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2812-152-0x0000000002820000-0x0000000002828000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2812-151-0x000000001B710000-0x000000001B9F2000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2820-369-0x0000000000BF0000-0x0000000000C0A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2844-134-0x00000000008A0000-0x00000000008BE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2844-361-0x0000000000940000-0x0000000000980000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2844-359-0x00000000742AE000-0x00000000742AF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2844-135-0x00000000742AE000-0x00000000742AF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2844-138-0x0000000000940000-0x0000000000980000-memory.dmp
    Filesize

    256KB

    Download