Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 20:45
Static task: static1
Behavioral task: behavioral1
- Sample: 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
- Size: 78KB
- MD5: 376dedca7b965f4e92d716915589dfe0
- SHA1: 441da49f039e2376cd9d6054bce8ad8f9613239c
- SHA256: d57f156c23c0429dc51ccd8d1dfbedb700466ec89ee03c8722bad9df9c182774
- SHA512: cb80adaa04be365626feeb046ca411600f92c23700ecb98cdb281cd1e2f181451459278a0bc55ed5f6bd17f51a79b454957832f854352044273ddf838435be77
- SSDEEP: 1536:1PWV5qLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6h9/op1pT:1PWV5UE2EwR4uY41HyvYZ9/o
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Executes dropped EXE (1 IoC)
  Processes: tmp1861.tmp.exe
    pid 2632: tmp1861.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes: 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
    pid 2932: 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
    pid 2932: 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: tmp1861.tmp.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" (process: tmp1861.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe, tmp1861.tmp.exe
    Token: SeDebugPrivilege (pid 2932, 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe)
    Token: SeDebugPrivilege (pid 2632, tmp1861.tmp.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe, vbc.exe
    PID 2932 wrote to memory of 2004 (376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe -> vbc.exe), 4 identical entries
    PID 2004 wrote to memory of 1732 (vbc.exe -> cvtres.exe), 4 identical entries
    PID 2932 wrote to memory of 2632 (376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe -> tmp1861.tmp.exe), 4 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe (PID 2932)
  Command line: "C:\Users\Admin\AppData\Local\Temp\376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2004)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\by9gqhyw.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1732)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18FE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc18FD.tmp"
  - C:\Users\Admin\AppData\Local\Temp\tmp1861.tmp.exe (PID 2632)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1861.tmp.exe" C:\Users\Admin\AppData\Local\Temp\376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES18FE.tmp (1KB)
- C:\Users\Admin\AppData\Local\Temp\by9gqhyw.0.vb (14KB)
- C:\Users\Admin\AppData\Local\Temp\by9gqhyw.cmdline (266B)
- C:\Users\Admin\AppData\Local\Temp\tmp1861.tmp.exe (78KB)
- C:\Users\Admin\AppData\Local\Temp\vbc18FD.tmp (660B)
- C:\Users\Admin\AppData\Local\Temp\zCom.resources (62KB)
- memory/2004-9-0x00000000743A0000-0x000000007494B000-memory.dmp (5.7MB)
- memory/2004-18-0x00000000743A0000-0x000000007494B000-memory.dmp (5.7MB)
- memory/2932-0-0x00000000743A1000-0x00000000743A2000-memory.dmp (4KB)
- memory/2932-1-0x00000000743A0000-0x000000007494B000-memory.dmp (5.7MB)
- memory/2932-2-0x00000000743A0000-0x000000007494B000-memory.dmp (5.7MB)
- memory/2932-24-0x00000000743A0000-0x000000007494B000-memory.dmp (5.7MB)