Overview

overview

8

Static

static

3

89d3ad291b...cs.exe

windows7-x64

8

89d3ad291b...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 09:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89d3ad291b56c80ec198807e4279f030_NeikiAnalytics.exe

  • Size

    75KB

  • MD5

    89d3ad291b56c80ec198807e4279f030

  • SHA1

    162878793e9cf441834e2748cf61ce4d606593c4

  • SHA256

    d6fd7e4c2b3acb1df72ddd3511d14c16cd4bd91487bd4794e88c5957d8b00abd

  • SHA512

    ee247cc34cdda181d75e5dbb457163f8e6a4abfe3050b5af5b003e7b02e231bfa3c836b9c7bd40c04654687faf1947943ee63a9d58e914e94c24e290937fbfb1

  • SSDEEP

    1536:rx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3s:1OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPE

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89d3ad291b56c80ec198807e4279f030_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\89d3ad291b56c80ec198807e4279f030_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    ec7d19d6c846ce3e5fc088c9f382da22

    SHA1

    f8c3e04d4afd07687f381cc41df54401f621b329

    SHA256

    b57f1ad24ade685bd1d4a2842a27a544e460ee47bd8307fe11f6bb8a9c55dac3

    SHA512

    8e6a10f8747e425d52ab4931a0aef3ff89115696c80168cb1d6ad9788eb9b149ed00120ded276c4a8eedb4b360e7ddc7d2414a9c797ae5274977197ef83477b3

    Download Submit
  • C:\Windows\SysWOW64\grcopy.dll
    Filesize

    75KB

    MD5

    3dd233da3a5355ba27d5ab58ee22191f

    SHA1

    f75d73f04eccc7f8b77f24749f98ea2bc6937eb2

    SHA256

    83dd3cbdf171b7d462f168f7752dc8015d91793e55e5e6c744572cd118f1a786

    SHA512

    25223544aca310c39bfdd52b18a932cbe852979371e187e48324ad080f96eb627a011b1d80934586a30f79993279f9fca5b91746ab3e534fb348838aa674811d

    Download Submit
  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    cb97ba24f8ac7fdc07b602cf209ffe2e

    SHA1

    aacd9e3fa79118249e013cd5efd591e2e904fb4d

    SHA256

    3ac94b6461ffb54bbba14f64f7df05895948bba16a10c0237aadfe84b702be0b

    SHA512

    39f89aa8f5142d08eb29244eee72b9729dacf09ca70e052f5dfdba595c8b9ee0410b4126399ad77eee334c6fdd65012723f5de1b2f9ce60c0ff079bdd538e6a6

    Download Submit
  • C:\Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    be2e033942f4befeb2a6afa9d8fad271

    SHA1

    87fd317fcb25f94992a0ba6eaae46259279e0dcb

    SHA256

    8bcce13c12e95f1d1a43c8b99bce1c0be91861238f1d40bc0cbe793e3271e770

    SHA512

    3bf02721d9f7f7336e257bc53f2daad2399d256f491f719721601e8cf1dc33056a946487aae72b16ec9abe5a05c4821462d843654055dadf62bcce9f0684d44b

    Download Submit
  • memory/548-17-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/548-22-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/548-20-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1404-38-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1404-46-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1404-36-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1404-62-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1404-40-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1404-42-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1404-44-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1404-35-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/1404-48-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1404-50-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1404-52-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1404-54-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1404-56-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1404-58-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1404-60-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2292-26-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download