c5e1ceef17d70ad2ac8d6251d1846aa989911de1ec5067bab60c72a40b602613

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe
Size

27KB
MD5

1853a39885597de05116ee87efd15d90
SHA1

e6cb69dba5d201b074e649e25e4cc13d2f7cd459
SHA256

c5e1ceef17d70ad2ac8d6251d1846aa989911de1ec5067bab60c72a40b602613
SHA512

677ffad942c4f648b6af663eea3f7cae6a2aae3ea32b5fdba331320a7ef5497b0ed1c9acff792e118aafbfa4bd3bf75687b7d171cc19be365f08182fba5f15eb
SSDEEP

768:X9J/3FzjgfanEGx8V36unjv88tznuRU65Y4gpph1ePVCMNU:N5VzcfA/6LrVpL74gfh16n6

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

CTS.exe

pid process

3116 CTS.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3116	CTS.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4052-0-0x0000000000AF0000-0x0000000000B08000-memory.dmp	upx
behavioral2/memory/4052-7-0x0000000000AF0000-0x0000000000B08000-memory.dmp	upx
behavioral2/memory/3116-9-0x0000000000570000-0x0000000000588000-memory.dmp	upx
C:\Windows\CTS.exe	upx
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml	upx
C:\Users\Admin\AppData\Local\Temp\IRK3yWlK2xkvxjE.exe	upx
behavioral2/memory/3116-32-0x0000000000570000-0x0000000000588000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1853a39885597de05116ee87efd15d90_NeikiAnalytics.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

Processes:

1853a39885597de05116ee87efd15d90_NeikiAnalytics.exeCTS.exe

description ioc process

File created C:\Windows\CTS.exe 1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe
File created C:\Windows\CTS.exe CTS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1853a39885597de05116ee87efd15d90_NeikiAnalytics.exeCTS.exe

description pid process

Token: SeDebugPrivilege 4052 1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe
Token: SeDebugPrivilege 3116 CTS.exe

description	ioc	process
File created	C:\Windows\CTS.exe	1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe
File created	C:\Windows\CTS.exe	CTS.exe

description	pid	process
Token: SeDebugPrivilege	4052	1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe
Token: SeDebugPrivilege	3116	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe

description	pid	process	target process
PID 4052 wrote to memory of 3116	4052	1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe	CTS.exe
PID 4052 wrote to memory of 3116	4052	1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe	CTS.exe
PID 4052 wrote to memory of 3116	4052	1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe	CTS.exe

C:\Users\Admin\AppData\Local\Temp\1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
348KB

MD5
58578455ce0306fad4b13a18ae30fd37

SHA1
e0f593fe94ebe369397e0403c23cce219bcc9985

SHA256
2aa5011ed82a65527af6765d600f23c4e98dc4e3ca4ae3e9333642151d741242

SHA512
df22c7618ff32ef9e97d9a7fc9edabf11007730ebeb81b7887112e6121cd89a62f192f022d11f81479d6ebe9b68604d40a09a628ee0f74ccfb462fef0324751f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRK3yWlK2xkvxjE.exe
Filesize
27KB

MD5
16c5fc96de62102d59a4271f4dc80491

SHA1
d6e4eeb32df27b6c7c325524043666fd99f4d99b

SHA256
b65e6abfc40f1b55835f82204692e8eff384cbb0756707c14363638f6a5fbe1f

SHA512
2eb2a0ea6a89ba3ed6ae30b4507aed41b663cb4b2c7073c6c83c7d3334e4e39b4a9b6855aaef99341e95aad0161aa589105acd0f9888ac5514ec9350b1ed37fe

Download Submit
C:\Windows\CTS.exe
Filesize
27KB

MD5
a6749b968461644db5cc0ecceffb224a

SHA1
2795aa37b8586986a34437081351cdd791749a90

SHA256
720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

SHA512
2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

Download Submit
memory/3116-9-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/3116-32-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/4052-0-0x0000000000AF0000-0x0000000000B08000-memory.dmp

Filesize
96KB

Download
memory/4052-7-0x0000000000AF0000-0x0000000000B08000-memory.dmp

Filesize
96KB

Download