a857667fe80dec03895bfecf0aa1186802a6cf45c9a1a3e0a104578ea77699f0

General

Target

993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe
Size

41KB
MD5

993c01226bbb74701aa5bc789a9294e0
SHA1

eed8ef7d9344e4cb6b0d6db86121ce9803fc896e
SHA256

a857667fe80dec03895bfecf0aa1186802a6cf45c9a1a3e0a104578ea77699f0
SHA512

c363da7b3346234b2583ead64edc5f998f25b91c364aac0aa417575303f1120245c85d4376c55389f45c706a789fa3d111998a6ebeebea6d1fca9a54e1aeac58
SSDEEP

768:IMAQ+BzWPEwnE+KHM2/fWsaoOD/hosxp0TlZUAr33U/hKsoJUrA7xaEqzA4:t3x85+Ks2zaoODdp0RZUzhgOpz/

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

svhost.exep5ew2haXBugWbOb.exe

pid process

2948 svhost.exe
2600 p5ew2haXBugWbOb.exe
Loads dropped DLL 3 IoCs

Processes:

993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe

pid process

2856 993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe
2856 993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe
2564
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2948	svhost.exe
2600	p5ew2haXBugWbOb.exe

pid	process
2856	993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe
2856	993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe
2564

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exesvhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	svhost.exe

Drops file in Windows directory 2 IoCs

Processes:

993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exesvhost.exe

description ioc process

File created C:\Windows\svhost.exe 993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe
File created C:\Windows\svhost.exe svhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exesvhost.exe

description pid process

Token: SeDebugPrivilege 2856 993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe
Token: SeDebugPrivilege 2948 svhost.exe

description	ioc	process
File created	C:\Windows\svhost.exe	993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe
File created	C:\Windows\svhost.exe	svhost.exe

description	pid	process
Token: SeDebugPrivilege	2856	993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2948	svhost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe

description	pid	process	target process
PID 2856 wrote to memory of 2600	2856	993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe	p5ew2haXBugWbOb.exe
PID 2856 wrote to memory of 2600	2856	993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe	p5ew2haXBugWbOb.exe
PID 2856 wrote to memory of 2600	2856	993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe	p5ew2haXBugWbOb.exe
PID 2856 wrote to memory of 2600	2856	993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe	p5ew2haXBugWbOb.exe
PID 2856 wrote to memory of 2948	2856	993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe	svhost.exe
PID 2856 wrote to memory of 2948	2856	993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe	svhost.exe
PID 2856 wrote to memory of 2948	2856	993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe	svhost.exe
PID 2856 wrote to memory of 2948	2856	993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\993c01226bbb74701aa5bc789a9294e0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Local\Temp\p5ew2haXBugWbOb.exe
C:\Users\Admin\AppData\Local\Temp\p5ew2haXBugWbOb.exe
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\p5ew2haXBugWbOb.exe
Filesize
41KB

MD5
51ce22ecfd8113f5bc04a988f0309a3d

SHA1
858e5df1e0108c4fdc73f0085e82b065c5e41263

SHA256
f3dd47c3c94ae88db78cc1948cf56e47db4daa5d7b09da68dd93a16817749902

SHA512
08c136ff8bc3e8ba7bf642df116e4567b74e8ac411ddb277dd881071fd0d301d191c1a6ee463b6577bf1b37b33a7275a7eae8fc2ef1f9f5f737f147d394730ec

Download Submit
C:\Windows\svhost.exe
Filesize
16KB

MD5
76fd02b48297edb28940bdfa3fa1c48a

SHA1
bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce

SHA256
07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c

SHA512
28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

Download Submit
\Users\Admin\AppData\Local\Temp\p5ew2haXBugWbOb.exe
Filesize
25KB

MD5
abbd49c180a2f8703f6306d6fa731fdc

SHA1
d63f4bfe7f74936b2fbace803e3da6103fbf6586

SHA256
5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1

SHA512
290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

Download Submit
memory/2600-13-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads