Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 06:52
Behavioral task: behavioral1
Sample: 8c07110e7456b184a2009199f5adba90_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 8c07110e7456b184a2009199f5adba90_NeikiAnalytics.exe
Size: 74KB
MD5: 8c07110e7456b184a2009199f5adba90
SHA1: c30e8f19d3eddf941e2b622dc0a211c46211f9b2
SHA256: 9d879d5db065bb5f76079a4b9fbbb5d0b4ebb66a1a0f58666e2795564c884108
SHA512: 83ea5dd5eeab6680fc90b79f83e6e11d861511efd4332be42992ddb7f2887641ef0410607fb7afe1726698adb0968a256b29be0b3f441d2521dac81c93d85e23
SSDEEP: 1536:jUyccxAYZCV6PMVTfxreL2+I6H1b+93oW7Qzc+LVclN:jUjcxAS66PMVdhyH1b+hoW7QXBY
Malware Config
Extracted
Family: asyncrat
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet: Default
C2: 146.70.34.130:7812
Mutex: teeh
Attributes:
delay: 1
install: true
install_file: Windows Defender Security Service.exe
install_folder: %AppData%
Signatures

Async RAT payload (1 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe | family_asyncrat

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 8c07110e7456b184a2009199f5adba90_NeikiAnalytics.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 8c07110e7456b184a2009199f5adba90_NeikiAnalytics.exe

Executes dropped EXE (1 IoCs)
Processes: Windows Defender Security Service.exe
pid | process
1244 | Windows Defender Security Service.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoCs)
Processes: timeout.exe
pid | process
3684 | timeout.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 8c07110e7456b184a2009199f5adba90_NeikiAnalytics.exe, Windows Defender Security Service.exe
pid | process
4684 | 8c07110e7456b184a2009199f5adba90_NeikiAnalytics.exe (this row is repeated once per IoC)
1244 | Windows Defender Security Service.exe (this row is repeated once per IoC)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: 8c07110e7456b184a2009199f5adba90_NeikiAnalytics.exe, Windows Defender Security Service.exe
description | pid | process
Token: SeDebugPrivilege | 4684 | 8c07110e7456b184a2009199f5adba90_NeikiAnalytics.exe
Token: SeDebugPrivilege | 4684 | 8c07110e7456b184a2009199f5adba90_NeikiAnalytics.exe
Token: SeDebugPrivilege | 1244 | Windows Defender Security Service.exe
Token: SeDebugPrivilege | 1244 | Windows Defender Security Service.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: Windows Defender Security Service.exe
pid | process
1244 | Windows Defender Security Service.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: 8c07110e7456b184a2009199f5adba90_NeikiAnalytics.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 4684 wrote to memory of 3112 | 4684 | 8c07110e7456b184a2009199f5adba90_NeikiAnalytics.exe | cmd.exe
PID 4684 wrote to memory of 3112 | 4684 | 8c07110e7456b184a2009199f5adba90_NeikiAnalytics.exe | cmd.exe
PID 4684 wrote to memory of 4884 | 4684 | 8c07110e7456b184a2009199f5adba90_NeikiAnalytics.exe | cmd.exe
PID 4684 wrote to memory of 4884 | 4684 | 8c07110e7456b184a2009199f5adba90_NeikiAnalytics.exe | cmd.exe
PID 4884 wrote to memory of 3684 | 4884 | cmd.exe | timeout.exe
PID 4884 wrote to memory of 3684 | 4884 | cmd.exe | timeout.exe
PID 3112 wrote to memory of 548 | 3112 | cmd.exe | schtasks.exe
PID 3112 wrote to memory of 548 | 3112 | cmd.exe | schtasks.exe
PID 4884 wrote to memory of 1244 | 4884 | cmd.exe | Windows Defender Security Service.exe
PID 4884 wrote to memory of 1244 | 4884 | cmd.exe | Windows Defender Security Service.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth in the process tree)

[depth 1] C:\Users\Admin\AppData\Local\Temp\8c07110e7456b184a2009199f5adba90_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8c07110e7456b184a2009199f5adba90_NeikiAnalytics.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender Security Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"' & exit
        - Suspicious use of WriteProcessMemory

        [depth 3] C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender Security Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"'
            - Creates scheduled task(s)

    [depth 2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5CE5.tmp.bat""
        - Suspicious use of WriteProcessMemory

        [depth 3] C:\Windows\system32\timeout.exe
            Command line: timeout 3
            - Delays execution with timeout.exe

        [depth 3] C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp5CE5.tmp.bat
Filesize: 177B
MD5: 5dc4cc672c60b67981b0de8d6a0b4585
SHA1: bde66c87de15a22b1b1f7bba7c7581db3ab39692
SHA256: 82369aa9b619c72d023f1ec99398617226ecea1d829417c07901209754a686f5
SHA512: b10fd3e61be2ee19a2007e5358090e0b1c31d798b371f834d51e9d0fc927cd5eec44750480bcff2cec905e4c709cc3e12f88d93f628763d4ecba389458f1082d

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
Filesize: 8B
MD5: cf759e4c5f14fe3eec41b87ed756cea8
SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe
Filesize: 74KB
MD5: 8c07110e7456b184a2009199f5adba90
SHA1: c30e8f19d3eddf941e2b622dc0a211c46211f9b2
SHA256: 9d879d5db065bb5f76079a4b9fbbb5d0b4ebb66a1a0f58666e2795564c884108
SHA512: 83ea5dd5eeab6680fc90b79f83e6e11d861511efd4332be42992ddb7f2887641ef0410607fb7afe1726698adb0968a256b29be0b3f441d2521dac81c93d85e23

memory/4684-0-0x00007FFFBA453000-0x00007FFFBA455000-memory.dmp
Filesize: 8KB

memory/4684-1-0x0000000000730000-0x0000000000748000-memory.dmp
Filesize: 96KB

memory/4684-3-0x00007FFFBA450000-0x00007FFFBAF11000-memory.dmp
Filesize: 10.8MB

memory/4684-8-0x00007FFFBA450000-0x00007FFFBAF11000-memory.dmp
Filesize: 10.8MB