Overview

overview

8

Static

static

3

769ef412be...cs.exe

windows7-x64

8

769ef412be...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 02:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    769ef412be937c643a019bd6b5160980_NeikiAnalytics.exe

  • Size

    75KB

  • MD5

    769ef412be937c643a019bd6b5160980

  • SHA1

    745fdc78ff47e471a0865f6788cc67c2345fa33d

  • SHA256

    d9349bdc62c857416361d44998e6b8fdf7f28f84e3d0370c551c56ad45b4e195

  • SHA512

    671831744ffc66ea42d4afd1db9cd5b2c2dd296f132ad52f455592b167ed2b21926a31f0b95720b3785e3cfef8dda550e3cbdd49ccc75851458a9e3a201f154f

  • SSDEEP

    1536:Qx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3s:YOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPE

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\769ef412be937c643a019bd6b5160980_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\769ef412be937c643a019bd6b5160980_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    da5c2fa9ba1a26bd5e19716434cd87d3

    SHA1

    c84fabe26ae18e99165c3e03e342e30e376617d6

    SHA256

    100fd1553d3b67e49400282b6bec85946dc64f433fe4a801456e8ad8bd4e165e

    SHA512

    3caf69547cc0f9a7898974e484b90d9fdc07d046af26434f86c1dac2dfadcabab8b73fd25002031feb5ab15f58ba29675795a64a2b0006ff90eda11388ba2d01

    Download Submit
  • C:\Windows\SysWOW64\smnss.exe
    Filesize

    75KB

    MD5

    1815c2111a61d50aa292dfb8ffb8c207

    SHA1

    37462af8fc8892fdf7d9255b532d48452a468521

    SHA256

    c5d58a7d9963b55ef129822c7c61994bdbd55d279cbd2a76dd98ddcf59ff69c8

    SHA512

    fc4c9b1a03030af8f4148cb0c3d57b9775d4efd549d4b52c7aff21d184f754778f37d6e27626e4ed5741bb5adf84e8f8e0635022899e80803183ceb6328b3c6a

    Download Submit
  • \Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    6ed07dbf73e29d280224278c5f2ba9d2

    SHA1

    bd1e2de2b40f5036c622a886f9795d973f692d1c

    SHA256

    e83f8d70e6cad914b2738c0080276c162ec3be143d691d5483a394ea22cf8ce7

    SHA512

    bc028d9db515f13bb9b2e887d3b290f09cf8efb769f41ea869fb27325b23db1423f985617075da201b2dcd7584e390dbedbf5520dbe2bdf295bc246f5be77fcb

    Download Submit
  • \Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    3bbbdc75eda399eed26a5debab862148

    SHA1

    32517dc5e8cf4a8f961100b2656785815a93a5f7

    SHA256

    ddde8e1ee186b48842dcb9e8e266f9303aef06d17d474c3a5ef8343d498fe080

    SHA512

    6cf768b87e53f45e742b4036da648691c9731b1eaf02c5fdce74a5100c2a8b0903273c5795df2530458960b48826bb6394492702e0842dc25e865108ad212935

    Download Submit
  • memory/2552-31-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/2704-44-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2704-48-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2704-66-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2704-64-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2704-39-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/2704-40-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2704-42-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2704-62-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2704-46-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2704-60-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2704-50-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2704-52-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2704-54-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2704-56-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2704-58-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2864-23-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2864-15-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/2864-17-0x0000000000340000-0x0000000000349000-memory.dmp
    Filesize

    36KB

    Download
  • memory/2864-26-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download