f9ec2a280cd99fbb0701867a8b59387aceba7a6ddf3d5eabe6b23381f4aebdf0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe
Size

27KB
MD5

96538ae078f559ebd02eb684a3e72630
SHA1

4dda423d74b8f8f42d5f4c073dc93e8bb9316a87
SHA256

f9ec2a280cd99fbb0701867a8b59387aceba7a6ddf3d5eabe6b23381f4aebdf0
SHA512

72c32f69d9d56d142dd9ee52379c4db60d011309057505d978b318d6fdbfe92f9f3786110ea6fd26f1e84c11b7828ed2cb8bc5b501d32981c2cb5c9af57643b5
SSDEEP

768:X9J/3FzjgfanEGx8V36unjv88tznuRU65Y4gpph1ePVCM2:N5VzcfA/6LrVpL74gfh16n2

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

CTS.exe

pid process

3264 CTS.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3264	CTS.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1628-0-0x0000000000010000-0x0000000000028000-memory.dmp	upx
C:\Windows\CTS.exe	upx
behavioral2/memory/1628-7-0x0000000000010000-0x0000000000028000-memory.dmp	upx
behavioral2/memory/3264-8-0x0000000000E30000-0x0000000000E48000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml	upx
C:\Users\Admin\AppData\Local\Temp\g2ALNC25bcluDNp.exe	upx
behavioral2/memory/3264-32-0x0000000000E30000-0x0000000000E48000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

Processes:

96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exeCTS.exe

description ioc process

File created C:\Windows\CTS.exe 96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe
File created C:\Windows\CTS.exe CTS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exeCTS.exe

description pid process

Token: SeDebugPrivilege 1628 96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe
Token: SeDebugPrivilege 3264 CTS.exe

description	ioc	process
File created	C:\Windows\CTS.exe	96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe
File created	C:\Windows\CTS.exe	CTS.exe

description	pid	process
Token: SeDebugPrivilege	1628	96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe
Token: SeDebugPrivilege	3264	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe

description	pid	process	target process
PID 1628 wrote to memory of 3264	1628	96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe	CTS.exe
PID 1628 wrote to memory of 3264	1628	96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe	CTS.exe
PID 1628 wrote to memory of 3264	1628	96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe	CTS.exe

C:\Users\Admin\AppData\Local\Temp\96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\96538ae078f559ebd02eb684a3e72630_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
350KB

MD5
691b906ec200619bf1becf1d715d1a15

SHA1
3b0408290d3b93b47d5b49abce3d4a1b7b378f0d

SHA256
1c29bab1f9211cf72bacceb45b6ef5f559e7d9ae26a3823e487fda2a7e27992f

SHA512
faa19e641b352f0548e26a180eb3ed7ae4ff38f720d09c45559f1f2e16d4f0e5875d5693352b95cf7c2a519d074aa49686758ddb6b983a3e73c3650b8656b1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\g2ALNC25bcluDNp.exe
Filesize
27KB

MD5
57ec560df9e65a7796bb362e6b3cda5f

SHA1
d9261c596ae5464080d2f0744a6a21ddbedf823e

SHA256
88ac178ee69786427a75f32e99f42fcd8c163009896addb3c9cb64e012aa2037

SHA512
695e1ecdcb4779690d37fc763327bfb7746f2a5fcda91677e3fc3f08e2c92023013a01eb1723e4732a4b04fda158884123a88162e238c68152d7611a760fe89e

Download Submit
C:\Windows\CTS.exe
Filesize
27KB

MD5
a6749b968461644db5cc0ecceffb224a

SHA1
2795aa37b8586986a34437081351cdd791749a90

SHA256
720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

SHA512
2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

Download Submit
memory/1628-0-0x0000000000010000-0x0000000000028000-memory.dmp

Filesize
96KB

Download
memory/1628-7-0x0000000000010000-0x0000000000028000-memory.dmp

Filesize
96KB

Download
memory/3264-8-0x0000000000E30000-0x0000000000E48000-memory.dmp

Filesize
96KB

Download
memory/3264-32-0x0000000000E30000-0x0000000000E48000-memory.dmp

Filesize
96KB

Download