Analysis
max time kernel: 135s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 21-05-2024 19:05
Behavioral task behavioral1 (the run shown on this page): sample 01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe, resource win7-20240508-en
Behavioral task behavioral2: sample 01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe, resource win10v2004-20240426-en
General
Target: 01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe
Size: 216KB
MD5: 01ad65894d5d13f440be975f5e9387e0
SHA1: 5f3aafcb7a63c395584bd84bb54dea05a036b6bc
SHA256: 17b42240eb0f61bd8b967fa5ebf0dde68bfb455bf7990cd12dd6d790db4ec8d1
SHA512: 3ee9d891f786bc96970ad94c4209da648c3b5c95a737101c104942219432cf6370165785fa2e42406255f419edab508c3cde8ce20707dbb024c88848d0672977
SSDEEP: 3072:94/jX/rIJbjM/bdZb9KO6up8SKfbzxcwg7es6/Vsb8VKTu549oJMfF/H9N3Ky9NP:m/EbsuOlUhcX7elbKTua9bfF/H9d9n
Malware Config
Extracted family: xworm
C2 hosts: 127.0.0.1:7000, 141.11.109.151:7000
Install_directory: %AppData%
install_file: XClient.exe
The 127.0.0.1 entry is loopback and never leaves the host, so 141.11.109.151:7000 is the only externally routable C2 in this config and the one worth blocking or hunting for. The install settings match what the run shows below: the sample copies itself to %AppData%\XClient.exe and persists that copy.
Signatures
Detect Xworm Payload (3 IoCs)
YARA rule family_xworm matched on:
- behavioral1/memory/2424-1-0x0000000001090000-0x00000000010CC000-memory.dmp
- C:\Users\Admin\AppData\Roaming\XClient.exe
- behavioral1/memory/1664-36-0x00000000010B0000-0x00000000010EC000-memory.dmp
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings. In this run the sample adds two path exclusions (the loader in %Temp% and XClient.exe in %AppData%) and two process exclusions (the loader's file name and XClient.exe); no extension exclusions are added. Two caveats for anyone reusing this as a detection: -ExecutionPolicy Bypass has no effect on an inline command (execution policy only gates script files), so it is a tooling fingerprint rather than a requirement, and the signature fires on the command line, not on the outcome. Add-MpPreference needs an elevated context, and the Defender PowerShell module is not part of Windows 7, so on the behavioral1 image these four commands are unlikely to have changed anything.
Processes (pid, process):
- 2768 powershell.exe
- 2808 powershell.exe
- 2520 powershell.exe
- 3004 powershell.exe
Drops startup file (2 IoCs)
Process 01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 1664 XClient.exe
- 1264 XClient.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Process 01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe:
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"
This is the current user's hive (HKCU), so the Run key needs no elevation. Together with the Startup-folder .lnk above and the scheduled task below, the sample installs three redundant persistence mechanisms for the same %AppData% copy; removing only one of them leaves the host infected.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flow 2: ip-api.com
ip-api.com is a benign service, so the IOC is weak on its own; it becomes useful when the lookup is made by a process running from %AppData% or %Temp%, or when it is immediately followed by a connection to the configured C2 (141.11.109.151:7000).
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. The task created here (see the schtasks.exe command line in the process tree) is named "XClient", is force-overwritten (/f), requests the highest run level (/RL HIGHEST) and fires every minute (/sc minute /mo 1) to run C:\Users\Admin\AppData\Roaming\XClient.exe. The one-minute trigger is why taskeng.exe launches XClient.exe twice (PIDs 1664 and 1264) within the 135-second run; it also makes the task a noisy, easy-to-spot artifact in Task Scheduler.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid, process):
- 2768 powershell.exe
- 2808 powershell.exe
- 2520 powershell.exe
- 3004 powershell.exe
- 2424 01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Token: SeDebugPrivilege enabled by (pid, process):
- 2424 01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe
- 2768 powershell.exe
- 2808 powershell.exe
- 2520 powershell.exe
- 3004 powershell.exe
- 2424 01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe
- 1664 XClient.exe
- 1264 XClient.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Process: 2424 01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe
SetWindowsHookEx is the API used to install keyboard and mouse hooks, which is how user-mode keyloggers capture input; the report does not show which hook type was installed.
Suspicious use of WriteProcessMemory (21 IoCs)
Writes by (pid, process) into (target pid, target process):
- 2424 01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe wrote to 2768 powershell.exe (3 times)
- 2424 01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe wrote to 2808 powershell.exe (3 times)
- 2424 01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe wrote to 2520 powershell.exe (3 times)
- 2424 01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe wrote to 3004 powershell.exe (3 times)
- 2424 01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe wrote to 2884 schtasks.exe (3 times)
- 1532 taskeng.exe wrote to 1664 XClient.exe (3 times)
- 1532 taskeng.exe wrote to 1264 XClient.exe (3 times)
Every target is a child the writer had just spawned, and the parent/child pairs match the process tree exactly, so these are the writes that accompany process creation rather than injection into a pre-existing process.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe (PID 2424)
  Command line: "C:\Users\Admin\AppData\Local\Temp\01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 2884)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (PID 1532)
  Command line: taskeng.exe {98D44B9B-5FCF-44C3-BC3C-9DDE69E8FC53} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\XClient.exe (PID 1664, first task run)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\XClient.exe (PID 1264, second task run)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
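The installer chain in this tree (a loader in a user-writable directory spawning powershell.exe Add-MpPreference exclusions and a per-minute schtasks.exe task, a Run key pointing at %AppData%, and taskeng.exe later launching the copy) reduces to a few checks over process-creation and registry events. The following is an added example, not part of the sandbox report and not any vendor's detection content. The event records are constructed from the paths and PIDs on this page plus one invented benign control; the telemetry shape (pid, ppid, parent image, image, command line) is assumed to resemble Sysmon Event ID 1, and the tag names and the `xworm_like_installer` verdict are my own.

```python
"""Host-side detection of the XWorm installer chain shown in this report.
Added example: all events below are constructed, not real telemetry."""
import re
from collections import defaultdict

# Paths taken from the report; the benign control event further down is invented.
LOADER = r"C:\Users\Admin\AppData\Local\Temp\01ad65894d5d13f440be975f5e9387e0_NeikiAnalytics.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\XClient.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"

# Constructed process-creation records: (pid, ppid, parent image, image, command line).
SAMPLE_EVENTS = [
    (2424, 1200, r"C:\Windows\explorer.exe", LOADER, '"%s"' % LOADER),
    (2768, 2424, LOADER, PS, "\"%s\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '%s'" % (PS, LOADER)),
    (2808, 2424, LOADER, PS, "\"%s\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '%s'" % (PS, LOADER.rsplit("\\", 1)[-1])),
    (2520, 2424, LOADER, PS, "\"%s\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '%s'" % (PS, PAYLOAD)),
    (3004, 2424, LOADER, PS, "\"%s\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'" % PS),
    (2884, 2424, LOADER, SCHTASKS, '"%s" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "%s"' % (SCHTASKS, PAYLOAD)),
    (1664, 1532, TASKENG, PAYLOAD, PAYLOAD),
    # Invented benign control: an operator adding an exclusion from an elevated cmd.exe.
    (4100, 4000, r"C:\Windows\System32\cmd.exe", PS, "\"%s\" Add-MpPreference -ExclusionPath 'D:\\Builds'" % PS),
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\windows\\temp\\|\\programdata\\", re.I)
EXCLUSION = re.compile(r"add-mppreference.*-exclusion(path|process|extension)", re.I)
TASK_FLAG = re.compile(r'/(sc|mo|rl|tn|tr)\s+("[^"]*"|\S+)', re.I)
# All three must be present under one parent for the chain verdict.
CHAIN = {"parent_user_writable", "defender_exclusion", "task_every_minute"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def tag_event(pid, ppid, parent, image, cmdline):
    """Return the behaviour tags a single process-creation event earns."""
    tags = set()
    if basename(image) == "powershell.exe" and EXCLUSION.search(cmdline):
        tags.add("defender_exclusion")
        if "-executionpolicy bypass" in cmdline.lower():
            tags.add("execpolicy_bypass")
    if basename(image) == "schtasks.exe" and "/create" in cmdline.lower():
        # Parse the schtasks switches we care about; /tr may be a quoted path.
        flags = {k.lower(): v.strip('"') for k, v in TASK_FLAG.findall(cmdline)}
        if flags.get("sc", "").lower() == "minute" and flags.get("mo") == "1":
            tags.add("task_every_minute")
        if flags.get("rl", "").lower() == "highest":
            tags.add("task_highest_rl")
        if USER_WRITABLE.search(flags.get("tr", "")):
            tags.add("task_runs_user_writable")
    if basename(parent) == "taskeng.exe" and USER_WRITABLE.search(image):
        tags.add("task_launched_user_writable")
    return tags


def tag_registry_set(key_path, data):
    """Tag a Run/RunOnce value write whose data points at a user-writable path."""
    tags = set()
    if re.search(r"\\currentversion\\run(once)?\\", key_path, re.I) and USER_WRITABLE.search(data):
        tags.add("run_key_user_writable")
    return tags


def find_installer_chains(events):
    """Group children by parent PID and score each parent's behaviour as a chain."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev[1]].append(ev)
    findings = {}
    for ppid, kids in by_parent.items():
        parent_image = kids[0][2]
        tags = set().union(*(tag_event(*ev) for ev in kids))
        if USER_WRITABLE.search(parent_image):
            tags.add("parent_user_writable")
        if CHAIN <= tags:
            verdict = "xworm_like_installer"
        elif tags:
            verdict = "suspicious"
        else:
            verdict = "benign"
        findings[ppid] = {"parent": parent_image, "tags": sorted(tags), "verdict": verdict}
    return findings


if __name__ == "__main__":
    for ppid, f in find_installer_chains(SAMPLE_EVENTS).items():
        print(ppid, f["verdict"], basename(f["parent"]), ", ".join(f["tags"]))
```

An exclusion on its own, from a parent outside user-writable space, only scores "suspicious", because administrators do add exclusions; the chain verdict requires the exclusion, the one-minute task and a parent living under %AppData%, %Temp% or ProgramData together, which is the combination this report shows and which a legitimate installer has no reason to produce.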
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: d87e9927fa5ca0610edadff2aea3784c
  SHA1: 7b4d6a9a1ccacba480c8e1b3ab468057920447b4
  SHA256: 420ebe822f182f8810efa1c5cd412f13bedc10d7c27ec2ed406700da6d9a50bf
  SHA512: d10a5eec806d76bca3f89888bb433e769c9437b6d9a77e7636dc360e0ccd3ed19785818073f70662f03676d0d94ff043a5bace7ed25800f02f8ae2c4cfd8ba7b
  This is a jump-list file written by the shell (published jump-list AppID tables attribute 590aee7bdd69b59b to 64-bit Windows PowerShell), a side-effect of the PowerShell launches rather than a payload dropped by the sample.
- C:\Users\Admin\AppData\Roaming\XClient.exe
  Filesize: 216KB
  MD5: 01ad65894d5d13f440be975f5e9387e0
  SHA1: 5f3aafcb7a63c395584bd84bb54dea05a036b6bc
  SHA256: 17b42240eb0f61bd8b967fa5ebf0dde68bfb455bf7990cd12dd6d790db4ec8d1
  SHA512: 3ee9d891f786bc96970ad94c4209da648c3b5c95a737101c104942219432cf6370165785fa2e42406255f419edab508c3cde8ce20707dbb024c88848d0672977
  The hashes are identical to the submitted sample: XClient.exe is a byte-for-byte self-copy, so a single file hash covers both the loader and the persisted copy.
- memory/1664-36-0x00000000010B0000-0x00000000010EC000-memory.dmp: 240KB
- memory/2424-0-0x000007FEF5C23000-0x000007FEF5C24000-memory.dmp: 4KB
- memory/2424-1-0x0000000001090000-0x00000000010CC000-memory.dmp: 240KB
- memory/2424-2-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp: 9.9MB
- memory/2424-30-0x000007FEF5C23000-0x000007FEF5C24000-memory.dmp: 4KB
- memory/2424-31-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp: 9.9MB
- memory/2768-7-0x000000001B680000-0x000000001B962000-memory.dmp: 2.9MB
- memory/2768-8-0x0000000001E00000-0x0000000001E08000-memory.dmp: 32KB
- memory/2808-14-0x000000001B680000-0x000000001B962000-memory.dmp: 2.9MB
- memory/2808-15-0x0000000002810000-0x0000000002818000-memory.dmp: 32KB
The two 240KB dumps (2424-1 and 1664-36) are the regions the family_xworm YARA rule matched: the same mapped image in the loader process and in the first task-launched XClient.exe.