2aa2977f302467d912db19494621929c23b30bb5b8d17b7fc95ee3f7ac18a042

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe
Size

27KB
MD5

1679ea6a5d0372bbc71fc3f9bc7cbda0
SHA1

c413cafa8f99382d82622777cfdabe36002003a6
SHA256

2aa2977f302467d912db19494621929c23b30bb5b8d17b7fc95ee3f7ac18a042
SHA512

832f97e6569c421a9b8532a91d3cc0566d4487124b19c4831aacf15e7ba0ab5615d95f5bd170bfc3734e0fe47edd22e5c25e2126fc5ba9a8a39a62efb804355e
SSDEEP

768:X9J/3FzjgfanEGx8V36unjv88tznuRU65Y4gpph1ePVCMg:N5VzcfA/6LrVpL74gfh16ng

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

CTS.exe

pid process

3056 CTS.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3056	CTS.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1920-0-0x00000000007F0000-0x0000000000808000-memory.dmp	upx
behavioral2/memory/3056-9-0x0000000000F50000-0x0000000000F68000-memory.dmp	upx
C:\Windows\CTS.exe	upx
behavioral2/memory/1920-6-0x00000000007F0000-0x0000000000808000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml	upx
C:\Users\Admin\AppData\Local\Temp\0uR2kxQWVACZh0h.exe	upx
behavioral2/memory/3056-32-0x0000000000F50000-0x0000000000F68000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

Processes:

1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exeCTS.exe

description ioc process

File created C:\Windows\CTS.exe 1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe
File created C:\Windows\CTS.exe CTS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exeCTS.exe

description pid process

Token: SeDebugPrivilege 1920 1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe
Token: SeDebugPrivilege 3056 CTS.exe

description	ioc	process
File created	C:\Windows\CTS.exe	1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe
File created	C:\Windows\CTS.exe	CTS.exe

description	pid	process
Token: SeDebugPrivilege	1920	1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3056	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe

description	pid	process	target process
PID 1920 wrote to memory of 3056	1920	1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe	CTS.exe
PID 1920 wrote to memory of 3056	1920	1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe	CTS.exe
PID 1920 wrote to memory of 3056	1920	1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe	CTS.exe

C:\Users\Admin\AppData\Local\Temp\1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3056

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
348KB

MD5
99de5ede0c4325404184552f445eee11

SHA1
db75181cd76b8e6251aaad73326ae31e69f83884

SHA256
972cda496742b59d5fd5a210f833270af680f1f3248f242d600632aa9ba95ce6

SHA512
7c8976f3c12e30180153f381ede4147ba804db873d79206984c5b60b283abf8a6ff46c41937f8cad54e28732205825a1e62f0c2813f693a7dfc9f13532e052db

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uR2kxQWVACZh0h.exe
Filesize
27KB

MD5
f41d95b50691f9ff7c42d6ee5c5b5753

SHA1
d2d09736d5410c88c970b8bfdb75518f60b6c4c0

SHA256
e43839f4d07d75dbf6f43be90c36d9b69e448adb76d55479159dc20b169d8678

SHA512
b9de5c6cc5214504649c409290f089b41d3e7b2fb87edcc53443f1fe2b09369a0253773dffefdf1206ebe61658cef81702a3e7d75852a7e279f5ebdbc0712b1c

Download Submit
C:\Windows\CTS.exe
Filesize
27KB

MD5
a6749b968461644db5cc0ecceffb224a

SHA1
2795aa37b8586986a34437081351cdd791749a90

SHA256
720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

SHA512
2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

Download Submit
memory/1920-0-0x00000000007F0000-0x0000000000808000-memory.dmp

Filesize
96KB

Download
memory/1920-6-0x00000000007F0000-0x0000000000808000-memory.dmp

Filesize
96KB

Download
memory/3056-9-0x0000000000F50000-0x0000000000F68000-memory.dmp

Filesize
96KB

Download
memory/3056-32-0x0000000000F50000-0x0000000000F68000-memory.dmp

Filesize
96KB

Download