Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 03:46
Behavioral tasks
- behavioral1: sample 1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe, resource win7-20240508-en
- behavioral2: sample 1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe, resource win10v2004-20240426-en

The signatures, process tree and memory dumps below come from behavioral2 (Windows 10 2004 x64); the behavioral1 (Windows 7) results are not included on this page.
General
- Target: 1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe
- Size: 27KB
- MD5: 1679ea6a5d0372bbc71fc3f9bc7cbda0
- SHA1: c413cafa8f99382d82622777cfdabe36002003a6
- SHA256: 2aa2977f302467d912db19494621929c23b30bb5b8d17b7fc95ee3f7ac18a042
- SHA512: 832f97e6569c421a9b8532a91d3cc0566d4487124b19c4831aacf15e7ba0ab5615d95f5bd170bfc3734e0fe47edd22e5c25e2126fc5ba9a8a39a62efb804355e
- SSDEEP: 768:X9J/3FzjgfanEGx8V36unjv88tznuRU65Y4gpph1ePVCMg:N5VzcfA/6LrVpL74gfh16ng
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 3056: CTS.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  No file-access IoCs are listed for this signature on the page; it is a TTP mapping only, and the entries below do not support it.
  YARA matches (rule upx, i.e. UPX-packed code; the same rule hits every 27KB executable and both process images):
  - behavioral2/memory/1920-0-0x00000000007F0000-0x0000000000808000-memory.dmp: upx
  - behavioral2/memory/3056-9-0x0000000000F50000-0x0000000000F68000-memory.dmp: upx
  - C:\Windows\CTS.exe: upx
  - behavioral2/memory/1920-6-0x00000000007F0000-0x0000000000808000-memory.dmp: upx
  - C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml: upx (despite the .xml name and path, this file matches the UPX rule, so treat it as a packed executable rather than an Office rules file)
  - C:\Users\Admin\AppData\Local\Temp\0uR2kxQWVACZh0h.exe: upx
  - behavioral2/memory/3056-32-0x0000000000F50000-0x0000000000F68000-memory.dmp: upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe, CTS.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" by 1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" by CTS.exe
  Both the parent and the dropped copy write the same HKLM Run value, so the persistence entry is re-asserted on every run. The WOW6432Node path shows the writer is a 32-bit process on the x64 image (consistent with the arch:x86 tag). HKLM\SOFTWARE\...\Run and C:\Windows are both writable only with administrative rights; the sandbox runs the sample as Admin (C:\Users\Admin), so this report does not show how the sample behaves when that write is denied, and no HKCU fallback is observed.
- Drops file in Windows directory (2 IoCs)
  Processes: 1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe, CTS.exe
  - File created C:\Windows\CTS.exe by 1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe
  - File created C:\Windows\CTS.exe by CTS.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe, CTS.exe
  - Token: SeDebugPrivilege, pid 1920, 1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe
  - Token: SeDebugPrivilege, pid 3056, CTS.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe
  - PID 1920 (1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe) wrote to memory of PID 3056 (CTS.exe), recorded three times
  All three writes are from the parent into the child it had just spawned. That pattern fits code injection into the child, but it also matches the writes a parent performs while setting up a freshly created process, so on its own it is weak evidence; the dropped file, Run value and SeDebugPrivilege are the firmer indicators here.
Processes
- C:\Users\Admin\AppData\Local\Temp\1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\1679ea6a5d0372bbc71fc3f9bc7cbda0_NeikiAnalytics.exe" (depth 1, PID 1920)
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\CTS.exe "C:\Windows\CTS.exe" (depth 2, PID 3056, child of PID 1920)
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
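The behaviour above reduces to three host artefacts: the HKLM Run value named CTS, the file C:\Windows\CTS.exe, and a running CTS.exe process. The following PowerShell sweep is an added example for checking a suspect host for those artefacts; it is not code from the sandbox or from the sample. The value name, paths and SHA-256 hashes are copied from this report; the assumptions are that the value name and drop path are stable across builds (the three 27KB executables in the report already carry three different hashes, so the hash table is only for labelling a match, not for deciding one) and that a 64-bit build would land in the native Run key rather than WOW6432Node, which is why both views are checked.

```powershell
# Added host sweep for the persistence artefacts documented in this report.
# Not code from the sandbox or the sample. Run from an elevated PowerShell
# (the Run value and C:\Windows both require administrative access).
# Assumption: value name "CTS" and path C:\Windows\CTS.exe persist across builds;
# the hashes below are from the report and label matches, they do not gate them.

$ErrorActionPreference = 'SilentlyContinue'

# Indicators copied from the report above.
$RunValueName = 'CTS'
$DroppedPath  = 'C:\Windows\CTS.exe'
$KnownSha256  = @{
    '2aa2977f302467d912db19494621929c23b30bb5b8d17b7fc95ee3f7ac18a042' = 'submitted sample'
    '720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2' = 'C:\Windows\CTS.exe (sandbox copy)'
    'e43839f4d07d75dbf6f43be90c36d9b69e448adb76d55479159dc20b169d8678' = 'Temp\0uR2kxQWVACZh0h.exe (sandbox copy)'
}

# The sample wrote the 32-bit (WOW6432Node) view of HKLM\...\Run. The native 64-bit
# view is checked as an assumption about other builds; HKCU was not seen in the
# report and is checked only as a precaution.
$RunKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

$Findings = @()

# 1. Persistence: a Run value named CTS in any of the views above.
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key
    if ($props -and ($props.PSObject.Properties.Name -contains $RunValueName)) {
        $Findings += [pscustomobject]@{
            Type   = 'RunKey'
            Where  = "$key\$RunValueName"
            Detail = $props.$RunValueName
        }
    }
}

# 2. Dropped file: report its size and hash, and label the hash if the report knows it.
#    An unknown hash is still a finding; the report shows the copies differ per run.
if (Test-Path -LiteralPath $DroppedPath) {
    $hash  = (Get-FileHash -LiteralPath $DroppedPath -Algorithm SHA256).Hash.ToLower()
    $size  = (Get-Item -LiteralPath $DroppedPath).Length
    $label = if ($KnownSha256.ContainsKey($hash)) { $KnownSha256[$hash] } else { 'hash not in report' }
    $Findings += [pscustomobject]@{
        Type   = 'DroppedFile'
        Where  = $DroppedPath
        Detail = "sha256=$hash size=$size bytes ($label)"
    }
}

# 3. Live process: the sandbox ran CTS.exe with SeDebugPrivilege; a running copy is
#    the strongest signal and the one to collect memory from before cleanup.
foreach ($p in Get-Process -Name 'CTS') {
    $Findings += [pscustomobject]@{
        Type   = 'Process'
        Where  = "PID $($p.Id)"
        Detail = $p.Path
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No CTS.exe persistence artefacts found.'
} else {
    $Findings | Format-Table -AutoSize
}
```

Run it elevated; a non-elevated session cannot read every Run view or hash a file under C:\Windows reliably. The sweep deliberately reports C:\Windows\CTS.exe whether or not its hash is in the report, because the submitted sample, the dropped CTS.exe and the Temp copy are all 27KB yet all hash differently, so a hash-only check would miss the very copy the sample leaves behind.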
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads (files dropped during the run and memory dumps, as offered for download by the sandbox; this heading does not imply any network download by the sample)
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  Filesize: 348KB
  MD5: 99de5ede0c4325404184552f445eee11
  SHA1: db75181cd76b8e6251aaad73326ae31e69f83884
  SHA256: 972cda496742b59d5fd5a210f833270af680f1f3248f242d600632aa9ba95ce6
  SHA512: 7c8976f3c12e30180153f381ede4147ba804db873d79206984c5b60b283abf8a6ff46c41937f8cad54e28732205825a1e62f0c2813f693a7dfc9f13532e052db
- C:\Users\Admin\AppData\Local\Temp\0uR2kxQWVACZh0h.exe
  Filesize: 27KB
  MD5: f41d95b50691f9ff7c42d6ee5c5b5753
  SHA1: d2d09736d5410c88c970b8bfdb75518f60b6c4c0
  SHA256: e43839f4d07d75dbf6f43be90c36d9b69e448adb76d55479159dc20b169d8678
  SHA512: b9de5c6cc5214504649c409290f089b41d3e7b2fb87edcc53443f1fe2b09369a0253773dffefdf1206ebe61658cef81702a3e7d75852a7e279f5ebdbc0712b1c
- C:\Windows\CTS.exe
  Filesize: 27KB
  MD5: a6749b968461644db5cc0ecceffb224a
  SHA1: 2795aa37b8586986a34437081351cdd791749a90
  SHA256: 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
  SHA512: 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4
- memory/1920-0-0x00000000007F0000-0x0000000000808000-memory.dmp
  Filesize: 96KB
- memory/1920-6-0x00000000007F0000-0x0000000000808000-memory.dmp
  Filesize: 96KB
- memory/3056-9-0x0000000000F50000-0x0000000000F68000-memory.dmp
  Filesize: 96KB
- memory/3056-32-0x0000000000F50000-0x0000000000F68000-memory.dmp
  Filesize: 96KB

Note that the submitted sample (SHA256 2aa2977f...), the dropped C:\Windows\CTS.exe and the Temp\0uR2kxQWVACZh0h.exe copy are all 27KB but carry different hashes, so the dropped copies are not byte-identical to the original; block on the Run value name and the drop path rather than on the hash of any one copy. The four memory dumps are the two process images (PID 1920 at 0x7F0000, PID 3056 at 0xF50000) captured at two points each; 0x808000 - 0x7F0000 = 0x18000 = 96KB, matching the listed size.