Overview

overview

8

Static

static

3

67b342125e...cs.exe

windows7-x64

7

67b342125e...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 00:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67b342125eaf54c5557c4f358dbcdf20_NeikiAnalytics.exe

  • Size

    75KB

  • MD5

    67b342125eaf54c5557c4f358dbcdf20

  • SHA1

    98cab288c690a2ef126f4f0d84739f47924df87e

  • SHA256

    33e75770d8d403a4c9b4aaba6f7a1023bea2ddb762763cdc00fc4feb089772ad

  • SHA512

    97816c9766d113a64b241f00aec1aa5f6ea06e7a13b92520097c4f7b4b50b8cc28b9cb71e050ec516d13fddfd86722e3e0c7737a4632bdeadb6e57e71eb444d2

  • SSDEEP

    1536:Kx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3B:aOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPp

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67b342125eaf54c5557c4f358dbcdf20_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\67b342125eaf54c5557c4f358dbcdf20_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:3068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    6b683d42f78b201edfb3f6121f493b89

    SHA1

    face0a4598ffa089bc30ff81fc68417db7813be3

    SHA256

    3a193395caa17988b9741c51c28be7ad72db6558d4aee40eece0f49b932e0ec6

    SHA512

    04939f3fdff4a2f57208c7440c50ddb111060084f8b93176d2a6fc46b8de4d7bb6ac35e69e99736bdb98a9744a486dfa301ddf07d8d4b506e94a8856931c48da

    Download Submit

  • C:\Windows\SysWOW64\grcopy.dll
    Filesize

    75KB

    MD5

    837086b4366e1c74aebb6e58ea820f1e

    SHA1

    ff93e7abd01556acedc260a4dcc90d3d49049265

    SHA256

    ac89cff537168e2d8fe58ce7695dbaf1fd4b560841497a404f20af86a6caee77

    SHA512

    fa9bbbfa6f98dd21ff73a522696ef809694a63cc0213ad95572551ca3a7c32e5e4096197d89c9df9c034c7c70668de975629305478217dc789558bf0ae35407c

    Download Submit

  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    a035fb671d3d4cda6d4a6145ddbfb4bb

    SHA1

    e00408283b96562b38392a8ba03a1f6779e0256f

    SHA256

    1b61c27a4ede1f0402a1b8822b1d4e8d29235df5b2ae8e8bfbd2def8de7dab6b

    SHA512

    cc11a52e21fba3fe2d41e62f2360609268e116af44cce56f231ff069b48705009756d1d122035a886eaf3116564116a007d5c88c2cc5df3cd31f8d5f40a613c3

    Download Submit

  • C:\Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    c0295834e834076e7f632b296d4813ed

    SHA1

    570ea40604f31e4338f45f5cdb71918e8bd7fc1b

    SHA256

    317fa78d579c6738b7a0373b01505dbf3c724e7f7abaa87178acc82c398d1814

    SHA512

    d2bd7d87c163cc105ed433b13ea0aa47fc5ea6e24a5c7700dd5dee59ff1118d2705d773fd596b6a1b7db5d3af90184389e65d06421ea02ca09ceb57570e6a812

    Download Submit

  • memory/1316-11-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1316-22-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1316-20-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1984-24-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3068-38-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3068-48-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3068-35-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3068-40-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3068-42-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3068-44-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3068-46-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3068-36-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3068-50-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3068-52-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3068-54-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3068-56-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3068-58-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3068-60-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3068-62-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download