Analysis
- max time kernel: 147s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-05-2024 22:44
Behavioral task: behavioral1
- Sample: 2d9f2179e7a94d825b43c3c05b796e20_NeikiAnalytics.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 2d9f2179e7a94d825b43c3c05b796e20_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 2d9f2179e7a94d825b43c3c05b796e20_NeikiAnalytics.exe
- Size: 484KB
- MD5: 2d9f2179e7a94d825b43c3c05b796e20
- SHA1: e1459b5e90db81ffd956d1b1317cb6280127e8c6
- SHA256: f3dc9e93d35a399c0a5786ad85aaeafe12eeebbc7ae1e4a730f9cea55d2f4a0d
- SHA512: fdc29479e69c637be56d3c702c9182ba58a74c6c21691430310ef75f21662cbd20ea81d5d10efe433ec25491875eeb1390ee592a669f5abe42c9cdb0449372c9
- SSDEEP: 6144:g5u5eG44AeJ2ssftlVN+zBfGrSWm+omDAgQsSygGG2IszBAYD:Cu5eG4bsilNoGSJ+omDAdsWGLTVXD
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: uxleg.exe (PID 2844)
- Executes dropped EXE (2 IoCs)
  Processes: uxleg.exe (PID 2844), tpwo.exe (PID 2624)
- Loads dropped DLL (7 IoCs)
  Processes: cmd.exe (PID 2064, 2 IoCs), uxleg.exe (PID 2844, 1 IoC), tpwo.exe (PID 2624, 4 IoCs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule match: rule "upx" matched resource \Users\Admin\AppData\Local\Temp\uxleg.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: tpwo.exe set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfl = "c:\\Program Files\\hqtwuhnu\\tpwo.exe \"c:\\Program Files\\hqtwuhnu\\tpwoq.dll\",WriteErrorLog"
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: tpwo.exe opened (read-only) \??\a:, \??\b:, \??\e:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z:
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: tpwo.exe opened \??\PHYSICALDRIVE0 for modification
- Drops file in Program Files directory (4 IoCs)
  Processes: uxleg.exe opened \??\c:\Program Files\hqtwuhnu for modification; created \??\c:\Program Files\hqtwuhnu\tpwoq.dll; created \??\c:\Program Files\hqtwuhnu\tpwo.exe; opened \??\c:\Program Files\hqtwuhnu\tpwo.exe for modification
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: tpwo.exe opened key \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; queried key value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: tpwo.exe (PID 2624), 2 IoCs
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: tpwo.exe (PID 2624), Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 2d9f2179e7a94d825b43c3c05b796e20_NeikiAnalytics.exe (PID 2832), uxleg.exe (PID 2844)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (source PID wrote to memory of target PID; 4 IoCs each):
  - 2d9f2179e7a94d825b43c3c05b796e20_NeikiAnalytics.exe (PID 2832) wrote to memory of cmd.exe (PID 2064)
  - cmd.exe (PID 2064) wrote to memory of PING.EXE (PID 2212)
  - cmd.exe (PID 2064) wrote to memory of uxleg.exe (PID 2844)
  - uxleg.exe (PID 2844) wrote to memory of tpwo.exe (PID 2624)
Processes
- C:\Users\Admin\AppData\Local\Temp\2d9f2179e7a94d825b43c3c05b796e20_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d9f2179e7a94d825b43c3c05b796e20_NeikiAnalytics.exe"
  Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\uxleg.exe "C:\Users\Admin\AppData\Local\Temp\2d9f2179e7a94d825b43c3c05b796e20_NeikiAnalytics.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 2
      Signatures: Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\uxleg.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\uxleg.exe "C:\Users\Admin\AppData\Local\Temp\2d9f2179e7a94d825b43c3c05b796e20_NeikiAnalytics.exe"
      Signatures: Deletes itself; Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - \??\c:\Program Files\hqtwuhnu\tpwo.exe
        Command line: "c:\Program Files\hqtwuhnu\tpwo.exe" "c:\Program Files\hqtwuhnu\tpwoq.dll",WriteErrorLog C:\Users\Admin\AppData\Local\Temp\uxleg.exe
        Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Enumerates connected drives; Writes to the Master Boot Record (MBR); Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Pre-OS Boot (1): Bootkit (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- \??\c:\Program Files\hqtwuhnu\tpwoq.dll
  Filesize: 181KB
  MD5: 256174960b6d0593d22f13aadd5aab55
  SHA1: 94c4cc077ae50fb718e9cb5a38f8587bce45841a
  SHA256: 057fd406d873db092d8e778e0aa969a6fc712c34690ca127e8efbc78b8d0ac40
  SHA512: 89abf94e6d26a4f73dd743ad665f32bb89c216be5f6dedacb149865ac87e50be7c343faa16f2b83bf195b7213c2c9af897a91fae8f708f123e334dd7ab350ccf
- \Program Files\hqtwuhnu\tpwo.exe
  Filesize: 43KB
  MD5: 51138beea3e2c21ec44d0932c71762a8
  SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
  SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
  SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
- \Users\Admin\AppData\Local\Temp\uxleg.exe
  Filesize: 484KB
  MD5: 79fc7ecbc3dc4807b1cc7bb2b25df2c0
  SHA1: 404311d093676658c0672c7a8f031c9ba94d3993
  SHA256: 21863cc304e3016d0d883d8bf0468db08fc30f1f61494017213c55141137e004
  SHA512: f49c36d3660156e8b10b9bc52692746c65606081d5ad01be3c4f2ec4fe5f655644142b27aa71ce2d4f28b86ed7de67d54775047eb29930ba153a2dbf8d9cfde5
- Memory dumps (PID 2624):
  - memory/2624-16-0x0000000010000000-0x000000001004E000-memory.dmp (312KB)
  - memory/2624-18-0x0000000010000000-0x000000001004E000-memory.dmp (312KB)
  - memory/2624-19-0x0000000010000000-0x000000001004E000-memory.dmp (312KB)
  - memory/2624-20-0x0000000010000000-0x000000001004E000-memory.dmp (312KB)
  - memory/2624-21-0x0000000000110000-0x0000000000112000-memory.dmp (8KB)
  - memory/2624-22-0x0000000010000000-0x000000001004E000-memory.dmp (312KB)
  - memory/2624-24-0x0000000010000000-0x000000001004E000-memory.dmp (312KB)
  - memory/2624-26-0x0000000010000000-0x000000001004E000-memory.dmp (312KB)
  - memory/2624-28-0x0000000000110000-0x0000000000112000-memory.dmp (8KB)
  - memory/2624-30-0x0000000010000000-0x000000001004E000-memory.dmp (312KB)