Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 21:01
Behavioral task behavioral1
- Sample: 1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe
- Size: 27KB
- MD5: 1853a39885597de05116ee87efd15d90
- SHA1: e6cb69dba5d201b074e649e25e4cc13d2f7cd459
- SHA256: c5e1ceef17d70ad2ac8d6251d1846aa989911de1ec5067bab60c72a40b602613
- SHA512: 677ffad942c4f648b6af663eea3f7cae6a2aae3ea32b5fdba331320a7ef5497b0ed1c9acff792e118aafbfa4bd3bf75687b7d171cc19be365f08182fba5f15eb
- SSDEEP: 768:X9J/3FzjgfanEGx8V36unjv88tznuRU65Y4gpph1ePVCMNU:N5VzcfA/6LrVpL74gfh16n6
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
| pid | process |
| 3116 | CTS.exe |
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
-
Yara rule matches:
| resource | yara_rule |
| behavioral2/memory/4052-0-0x0000000000AF0000-0x0000000000B08000-memory.dmp | upx |
| behavioral2/memory/4052-7-0x0000000000AF0000-0x0000000000B08000-memory.dmp | upx |
| behavioral2/memory/3116-9-0x0000000000570000-0x0000000000588000-memory.dmp | upx |
| C:\Windows\CTS.exe | upx |
| C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml | upx |
| C:\Users\Admin\AppData\Local\Temp\IRK3yWlK2xkvxjE.exe | upx |
| behavioral2/memory/3116-32-0x0000000000570000-0x0000000000588000-memory.dmp | upx |
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe, CTS.exe
| description | ioc | process |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | 1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | CTS.exe |
Drops file in Windows directory (2 IoCs)
Processes: 1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe, CTS.exe
| description | ioc | process |
| File created | C:\Windows\CTS.exe | 1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe |
| File created | C:\Windows\CTS.exe | CTS.exe |
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe, CTS.exe
| description | pid | process |
| Token: SeDebugPrivilege | 4052 | 1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe |
| Token: SeDebugPrivilege | 3116 | CTS.exe |
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe
| description | pid | process | target process |
| PID 4052 wrote to memory of 3116 | 4052 | 1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe | CTS.exe |
| PID 4052 wrote to memory of 3116 | 4052 | 1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe | CTS.exe |
| PID 4052 wrote to memory of 3116 | 4052 | 1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe | CTS.exe |
Processes
1. C:\Users\Admin\AppData\Local\Temp\1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1853a39885597de05116ee87efd15d90_NeikiAnalytics.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\CTS.exe (child of 1)
      Command line: "C:\Windows\CTS.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  Filesize: 348KB
  MD5: 58578455ce0306fad4b13a18ae30fd37
  SHA1: e0f593fe94ebe369397e0403c23cce219bcc9985
  SHA256: 2aa5011ed82a65527af6765d600f23c4e98dc4e3ca4ae3e9333642151d741242
  SHA512: df22c7618ff32ef9e97d9a7fc9edabf11007730ebeb81b7887112e6121cd89a62f192f022d11f81479d6ebe9b68604d40a09a628ee0f74ccfb462fef0324751f
- C:\Users\Admin\AppData\Local\Temp\IRK3yWlK2xkvxjE.exe
  Filesize: 27KB
  MD5: 16c5fc96de62102d59a4271f4dc80491
  SHA1: d6e4eeb32df27b6c7c325524043666fd99f4d99b
  SHA256: b65e6abfc40f1b55835f82204692e8eff384cbb0756707c14363638f6a5fbe1f
  SHA512: 2eb2a0ea6a89ba3ed6ae30b4507aed41b663cb4b2c7073c6c83c7d3334e4e39b4a9b6855aaef99341e95aad0161aa589105acd0f9888ac5514ec9350b1ed37fe
- C:\Windows\CTS.exe
  Filesize: 27KB
  MD5: a6749b968461644db5cc0ecceffb224a
  SHA1: 2795aa37b8586986a34437081351cdd791749a90
  SHA256: 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
  SHA512: 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4
- memory/3116-9-0x0000000000570000-0x0000000000588000-memory.dmp
  Filesize: 96KB
- memory/3116-32-0x0000000000570000-0x0000000000588000-memory.dmp
  Filesize: 96KB
- memory/4052-0-0x0000000000AF0000-0x0000000000B08000-memory.dmp
  Filesize: 96KB
- memory/4052-7-0x0000000000AF0000-0x0000000000B08000-memory.dmp
  Filesize: 96KB