Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 15:08
Behavioral task
behavioral1
Sample
96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe
-
Size
27KB
-
MD5
96538ae078f559ebd02eb684a3e72630
-
SHA1
4dda423d74b8f8f42d5f4c073dc93e8bb9316a87
-
SHA256
f9ec2a280cd99fbb0701867a8b59387aceba7a6ddf3d5eabe6b23381f4aebdf0
-
SHA512
72c32f69d9d56d142dd9ee52379c4db60d011309057505d978b318d6fdbfe92f9f3786110ea6fd26f1e84c11b7828ed2cb8bc5b501d32981c2cb5c9af57643b5
-
SSDEEP
768:X9J/3FzjgfanEGx8V36unjv88tznuRU65Y4gpph1ePVCM2:N5VzcfA/6LrVpL74gfh16n2
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
CTS.exepid process 3264 CTS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/1628-0-0x0000000000010000-0x0000000000028000-memory.dmp upx C:\Windows\CTS.exe upx behavioral2/memory/1628-7-0x0000000000010000-0x0000000000028000-memory.dmp upx behavioral2/memory/3264-8-0x0000000000E30000-0x0000000000E48000-memory.dmp upx C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml upx C:\Users\Admin\AppData\Local\Temp\g2ALNC25bcluDNp.exe upx behavioral2/memory/3264-32-0x0000000000E30000-0x0000000000E48000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exeCTS.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
Processes:
96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exeCTS.exedescription ioc process File created C:\Windows\CTS.exe 96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe File created C:\Windows\CTS.exe CTS.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exeCTS.exedescription pid process Token: SeDebugPrivilege 1628 96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe Token: SeDebugPrivilege 3264 CTS.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exedescription pid process target process PID 1628 wrote to memory of 3264 1628 96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe CTS.exe PID 1628 wrote to memory of 3264 1628 96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe CTS.exe PID 1628 wrote to memory of 3264 1628 96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe CTS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3264
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xmlFilesize
350KB
MD5691b906ec200619bf1becf1d715d1a15
SHA13b0408290d3b93b47d5b49abce3d4a1b7b378f0d
SHA2561c29bab1f9211cf72bacceb45b6ef5f559e7d9ae26a3823e487fda2a7e27992f
SHA512faa19e641b352f0548e26a180eb3ed7ae4ff38f720d09c45559f1f2e16d4f0e5875d5693352b95cf7c2a519d074aa49686758ddb6b983a3e73c3650b8656b1e8
-
C:\Users\Admin\AppData\Local\Temp\g2ALNC25bcluDNp.exeFilesize
27KB
MD557ec560df9e65a7796bb362e6b3cda5f
SHA1d9261c596ae5464080d2f0744a6a21ddbedf823e
SHA25688ac178ee69786427a75f32e99f42fcd8c163009896addb3c9cb64e012aa2037
SHA512695e1ecdcb4779690d37fc763327bfb7746f2a5fcda91677e3fc3f08e2c92023013a01eb1723e4732a4b04fda158884123a88162e238c68152d7611a760fe89e
-
C:\Windows\CTS.exeFilesize
27KB
MD5a6749b968461644db5cc0ecceffb224a
SHA12795aa37b8586986a34437081351cdd791749a90
SHA256720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA5122a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4
-
memory/1628-0-0x0000000000010000-0x0000000000028000-memory.dmpFilesize
96KB
-
memory/1628-7-0x0000000000010000-0x0000000000028000-memory.dmpFilesize
96KB
-
memory/3264-8-0x0000000000E30000-0x0000000000E48000-memory.dmpFilesize
96KB
-
memory/3264-32-0x0000000000E30000-0x0000000000E48000-memory.dmpFilesize
96KB