Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 20:45
Static task: static1

Behavioral task: behavioral1
  Sample: 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
  Resource: win7-20240215-en

Behavioral task: behavioral2 (the run reported on this page; see platform and resource above)
  Sample: 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General

Target: 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
Size: 78KB
MD5: 376dedca7b965f4e92d716915589dfe0
SHA1: 441da49f039e2376cd9d6054bce8ad8f9613239c
SHA256: d57f156c23c0429dc51ccd8d1dfbedb700466ec89ee03c8722bad9df9c182774
SHA512: cb80adaa04be365626feeb046ca411600f92c23700ecb98cdb281cd1e2f181451459278a0bc55ed5f6bd17f51a79b454957832f854352044273ddf838435be77
SSDEEP: 1536:1PWV5qLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6h9/op1pT:1PWV5UE2EwR4uY41HyvYZ9/o
Malware Config
Signatures
MetamorpherRAT
  MetamorpherRAT is a remote access tool that has been in circulation since 2013.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Process: 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
  Geo\Nation holds the numeric GeoID of the user's configured region (the Region setting, not the OS UI language), and it is read from the per-user hive of the account running the sample. A sample that exits early on some GeoIDs will look inert in a sandbox whose region it excludes, so a second run with a different region is a cheap way to test the geofence hypothesis.

Deletes itself (1 IoC)
  Process: PID 4928 tmp4E8D.tmp.exe

Executes dropped EXE (1 IoC)
  Process: PID 4928 tmp4E8D.tmp.exe

Uses the VBS compiler for execution (1 TTP)
  vbc.exe (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe) is the Visual Basic .NET command-line compiler, not a VBScript engine. The sample compiles source at runtime: the source file baon0sci.0.vb and the response file baon0sci.cmdline listed under Downloads are fed to vbc.exe, which in turn runs cvtres.exe to build the resource section (see Processes). This is the .NET CodeDOM compile-at-runtime pattern; a framework compiler started by a non-build process with a response file in a Temp directory is the hunting signal.

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: tmp4E8D.tmp.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""
  The value data is the quoted path "C:\Users\Admin\AppData\Local\Temp\sortkey.exe". The WOW6432Node path shows a 32-bit process writing HKLM\...\Run on the x64 host (WOW64 registry redirection; cvtres.exe is likewise invoked with /MACHINE:IX86). The value name mscorsvc imitates a .NET runtime component. sortkey.exe does not appear among the files listed under Downloads, so within this run the autostart entry points at a file that was not observed on disk.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2424 376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
  Token: SeDebugPrivilege, PID 4928 tmp4E8D.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2424 (376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe) wrote to memory of PID 4344 (vbc.exe): 3 events
  PID 4344 (vbc.exe) wrote to memory of PID 4944 (cvtres.exe): 3 events
  PID 2424 (376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe) wrote to memory of PID 4928 (tmp4E8D.tmp.exe): 3 events
  In every case the writer is the parent of the target (see Processes), so these writes involve only processes the sample itself spawned, not a pre-existing process; the vbc.exe -> cvtres.exe writes are the compiler launching its own helper. Whether a child was created suspended and overwritten cannot be decided from these events alone.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe"
  PID: 2424
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\baon0sci.cmdline"
    PID: 4344
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FB6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC49752CAB734C71B2413CCC361C1772.TMP"
      PID: 4944

  Depth 2: C:\Users\Admin\AppData\Local\Temp\tmp4E8D.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4E8D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe
    PID: 4928
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken

Reading the tree: tmp4E8D.tmp.exe is the only new executable written during the run (see Downloads) and is the same 78KB size as the original sample with different hashes, so it is the likely output of the vbc.exe compilation. It is started with the original sample's path as its sole argument, and the "Deletes itself" signature is attributed to it (PID 4928) rather than to the original process, which is the usual shape of a dropped helper that removes the original file from disk.
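To turn the behaviours above into something a SOC can run, here is an added example in Python (not part of the sandbox report and not code from the sample): three rules applied to constructed, Sysmon-like process-creation and registry-set events that mirror the process tree and the Run-key write above, plus a lookup of the report's SHA-256 values. The event field names, the explorer.exe parent and its PID, and the MSBuild "benign control" event are assumptions; the paths, PIDs, value data and hashes are those from the report.

```python
"""Hunting rules for the compile-at-runtime / Temp persistence / dropped-helper pattern.
Events below are constructed from the sandbox report; field names are an assumed,
simplified Sysmon-like shape, not a real log format."""
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\tmp4E8D.tmp.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"


@dataclass
class Event:
    kind: str            # "process" (creation) or "registry" (value set)
    pid: int
    image: str
    ppid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""     # registry value path for "registry" events
    details: str = ""    # registry value data


# Constructed events mirroring the report. The explorer.exe parent (PID 1000) and the
# MSBuild control event are assumptions; everything else is taken from the report.
EVENTS = [
    Event("process", 2424, SAMPLE, ppid=1000, parent_image=r"C:\Windows\explorer.exe",
          cmdline=f'"{SAMPLE}"'),
    Event("process", 4344, VBC, ppid=2424, parent_image=SAMPLE,
          cmdline=f'"{VBC}" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\baon0sci.cmdline"'),
    Event("process", 4944, CVTRES, ppid=4344, parent_image=VBC,
          cmdline=f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 '
                  f'"/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES4FB6.tmp" '
                  f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\vbcFC49752CAB734C71B2413CCC361C1772.TMP"'),
    Event("process", 4928, DROPPED, ppid=2424, parent_image=SAMPLE,
          cmdline=f'"{DROPPED}" {SAMPLE}'),
    Event("registry", 4928, DROPPED,
          target=r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc",
          details=r'"C:\Users\Admin\AppData\Local\Temp\sortkey.exe"'),
    # Benign control (assumed): the same compiler invocation from a build tool must not fire.
    Event("process", 5000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", ppid=4999,
          parent_image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
          cmdline=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Dev\AppData\Local\Temp\abc123.cmdline"'),
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)
COMPILERS = {"vbc.exe", "csc.exe"}
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def split_args(cmdline: str) -> list:
    """Minimal Windows command-line tokeniser: quoted tokens or whitespace-delimited tokens."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def rule_runtime_compile(ev: Event):
    """.NET command-line compiler fed a Temp response file by something other than a build tool
    (the report's sample -> vbc.exe -> cvtres.exe chain)."""
    if ev.kind != "process" or basename(ev.image) not in COMPILERS:
        return None
    m = RESPONSE_FILE.search(ev.cmdline)
    if not m or not TEMP_DIR.search(m.group(1)):
        return None
    if basename(ev.parent_image) in BUILD_TOOLS:
        return None
    return f"runtime-compile: pid {ev.ppid} ({basename(ev.parent_image)}) ran {basename(ev.image)} on {m.group(1)}"


def rule_temp_run_key(ev: Event):
    """Run-key persistence whose target lives in a user Temp directory (mscorsvc -> sortkey.exe)."""
    if ev.kind != "registry":
        return None
    m = RUN_KEY.search(ev.target)
    if not m or not TEMP_DIR.search(ev.details):
        return None
    target = ev.details.strip('"')
    return f"persistence: Run value {m.group(1)} -> {target} by pid {ev.pid}"


def rule_parent_path_as_argument(ev: Event):
    """Executable in Temp handed its parent's own image path as an argument: the shape of a
    dropped helper that deletes the original (tmp4E8D.tmp.exe in the report)."""
    if ev.kind != "process" or not TEMP_DIR.search(ev.image):
        return None
    args = split_args(ev.cmdline)[1:]
    if any(a.lower() == ev.parent_image.lower() for a in args):
        return f"dropped-helper: pid {ev.pid} ({basename(ev.image)}) was handed its parent's path {ev.parent_image}"
    return None


RULES = (rule_runtime_compile, rule_temp_run_key, rule_parent_path_as_argument)


def run_rules(events) -> list:
    """Apply every rule to every event; returns the alert strings in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# SHA-256 values copied from the report's General and Downloads sections.
REPORT_SHA256 = {
    "d57f156c23c0429dc51ccd8d1dfbedb700466ec89ee03c8722bad9df9c182774": "376dedca7b965f4e92d716915589dfe0_NeikiAnalytics.exe",
    "3b45b9dda270c249a49fdd19488771e19a51af17a3d4b406f57371d1cf189e0e": "tmp4E8D.tmp.exe",
    "69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4": "zCom.resources",
}


def match_iocs(sha256_values) -> dict:
    """Map observed SHA-256 digests (any case) to the report artefacts they belong to."""
    return {h: REPORT_SHA256[h.lower()] for h in sha256_values if h.lower() in REPORT_SHA256}


if __name__ == "__main__":
    for line in run_rules(EVENTS):
        print(line)
```

The compiler rule deliberately does not fire on the MSBuild control event: vbc.exe with a Temp response file is exactly what a normal build looks like, so the parent process is what carries the signal. The Run-key rule keys on the target path, not the value name, since mscorsvc is just one of many .NET-sounding names a dropper might pick.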
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\RES4FB6.tmp
  Filesize: 1KB
  MD5: c5e44bae0a92c1074a2b5e8e0d25d4eb
  SHA1: fc319e88adb7eb4488dea1fa9c11830b9f47131b
  SHA256: 9065b15be55ce3acd8173e3f07ed7e003b964d0cf254db1b0a938f19681ad014
  SHA512: f41f1e84b18bfd12f08400e6e80721fe98b5ca484004ebae657e7372f23e7dd2ab220f034fb4377b548eacb28c576a38b146fa29ac63003b76db3a7a4d2304ca

C:\Users\Admin\AppData\Local\Temp\baon0sci.0.vb
  Filesize: 14KB
  MD5: 9b5193cf19390505cb0c708904354856
  SHA1: 6c604b36c884d62a2cadfe6b1abcde1fc87dc472
  SHA256: 99914b9a5aa75577c532dea456e5d78a06cd603c9303a72ed8327b07e560bc0a
  SHA512: abec3203c4d2b02f411df7e4656665a3535bcb581626dea3e5ab4c1d0a1c1069f696b9bfde4da9f6db0ae691ef4f6e8fff93d079f7b81adca5888821267a72ee

C:\Users\Admin\AppData\Local\Temp\baon0sci.cmdline
  Filesize: 266B
  MD5: 5e4ed4224e9f8d239600bd7b73e49c10
  SHA1: 2d8e6f5917966237588b79094cca3fc91ea73edb
  SHA256: 68545184e768ca8687937f48b83e7e14454506d07a60e2e0c69a318685c78561
  SHA512: ca56d319d33fcb5955b6d7d80bc4f510ea62784ca20982e43ca57ff8eee0f9c266ee6536c8a1d70143a30eca755c18a4a2783327594af1f403295b917b328bde

C:\Users\Admin\AppData\Local\Temp\tmp4E8D.tmp.exe
  Filesize: 78KB
  MD5: a4fa08834c0042f2beca3fc22dcc7f31
  SHA1: 14901744de443e014abba17729e9a841335246af
  SHA256: 3b45b9dda270c249a49fdd19488771e19a51af17a3d4b406f57371d1cf189e0e
  SHA512: 800abb29dac42a6f60714553c3b5225572cb756bbb05d1f9956012a45ced99bb4cebc0c47d1e866d0509ce314f4ae62f09fff54bb40c34374713e0af59b5f0cd

C:\Users\Admin\AppData\Local\Temp\vbcFC49752CAB734C71B2413CCC361C1772.TMP
  Filesize: 660B
  MD5: 4155832afb6f682718d8df9bfae3a8f4
  SHA1: e72d1dd5d438486c80c6b2c0027bb96f407edcf5
  SHA256: 714dc712edf01de3efb5b4a039c8f390fd0ec639f2e436565334afa3c319d5ec
  SHA512: 1d91435a33201f9dd57f1463d7a6b852e363defc5a976922a9cf191dd0af785037bf67a425dc380bf0a1100d88bf4812419497a9afc81e4757653d3b7ffb2d6f

C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 6870a276e0bed6dd5394d178156ebad0
  SHA1: 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
  SHA256: 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
  SHA512: 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Of these, baon0sci.0.vb (source), baon0sci.cmdline (compiler response file), vbcFC49752CAB734C71B2413CCC361C1772.TMP (resource script) and RES4FB6.tmp (cvtres output) are the intermediate artefacts of the runtime compilation; zCom.resources (62KB) is a resource input of roughly the size difference between the source and the 78KB tmp4E8D.tmp.exe, the only new executable. The persisted path sortkey.exe is not in this list.
Memory dumps

memory/2424-0-0x0000000074832000-0x0000000074833000-memory.dmp    4KB
memory/2424-1-0x0000000074830000-0x0000000074DE1000-memory.dmp    5.7MB
memory/2424-2-0x0000000074830000-0x0000000074DE1000-memory.dmp    5.7MB
memory/2424-22-0x0000000074830000-0x0000000074DE1000-memory.dmp   5.7MB
memory/4344-8-0x0000000074830000-0x0000000074DE1000-memory.dmp    5.7MB
memory/4344-18-0x0000000074830000-0x0000000074DE1000-memory.dmp   5.7MB
memory/4928-23-0x0000000074830000-0x0000000074DE1000-memory.dmp   5.7MB
memory/4928-24-0x0000000074830000-0x0000000074DE1000-memory.dmp   5.7MB
memory/4928-25-0x0000000074830000-0x0000000074DE1000-memory.dmp   5.7MB
memory/4928-27-0x0000000074830000-0x0000000074DE1000-memory.dmp   5.7MB
memory/4928-28-0x0000000074830000-0x0000000074DE1000-memory.dmp   5.7MB
memory/4928-29-0x0000000074830000-0x0000000074DE1000-memory.dmp   5.7MB

The same 5.7MB region at 0x74830000-0x74DE1000 is dumped from PIDs 2424, 4344 and 4928; no dump was taken for cvtres.exe (PID 4944).