Overview

overview

7

Static

static

3

04d03e477f...cs.exe

windows7-x64

7

04d03e477f...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/05/2024, 21:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    04d03e477f0a6602769182acc1dd8dc0_NeikiAnalytics.exe

  • Size

    260KB

  • MD5

    04d03e477f0a6602769182acc1dd8dc0

  • SHA1

    7fa1bc03c0cdfa3d1697e3ad55dd0254b0e96537

  • SHA256

    62a1bdc27ddca35b0e1e540b0a3aa57f1ebf4b89bb9c99770dac19a9549a8c32

  • SHA512

    a992be15386f9cc87677d12b4184e575728f9b9299daa9a21f21ef7d6dfb62bc83f2d81fd79545ab968f5599652dcc853b77a26102e15a407c333ac21526b95f

  • SSDEEP

    6144:uf4/sJYWEbhtwaBV5ZFDQH7i6aEaS/vsd9YoeVjy:uf4QlGD3BV5ZFDfSRsd9YRBy

Score
7/10
bootkitpersistencespywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 4 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04d03e477f0a6602769182acc1dd8dc0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\04d03e477f0a6602769182acc1dd8dc0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\clzfnqw.exe "C:\Users\Admin\AppData\Local\Temp\04d03e477f0a6602769182acc1dd8dc0_NeikiAnalytics.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:4040
      • C:\Users\Admin\AppData\Local\Temp\clzfnqw.exe
        C:\Users\Admin\AppData\Local\Temp\\clzfnqw.exe "C:\Users\Admin\AppData\Local\Temp\04d03e477f0a6602769182acc1dd8dc0_NeikiAnalytics.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4540
        • \??\c:\Program Files\jylyt\cftsxig.exe
          "c:\Program Files\jylyt\cftsxig.exe" "c:\Program Files\jylyt\cftsxig.dll",Cache C:\Users\Admin\AppData\Local\Temp\clzfnqw.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4724

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\jylyt\cftsxig.exe
          Filesize

          60KB

          MD5

          889b99c52a60dd49227c5e485a016679

          SHA1

          8fa889e456aa646a4d0a4349977430ce5fa5e2d7

          SHA256

          6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

          SHA512

          08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\clzfnqw.exe
          Filesize

          261KB

          MD5

          3dd614e806c661d151ea3fd8d6e2ff89

          SHA1

          4609345eb44968fd8eb185b79f401962e0f67437

          SHA256

          c567cdf9ca4966ca3b0ac6c4f2a1ba926badb95476fff8e80f208e629b05e470

          SHA512

          6d1f2267f877ca234595cb03cf8745fa1e32bd8b63c8d9b33100c230517c22f55cadac491f2a1af9b851d61fe58bac2ed8e2a1908ed0ec0fbfb9556963d5a280

          Download Submit

        • \??\c:\Program Files\jylyt\cftsxig.dll
          Filesize

          188KB

          MD5

          61f0474d502522a3b63d9a255b597c91

          SHA1

          b687c3d189dbd9c89a408a3e6c9ec15503ff1c44

          SHA256

          dee32b5591ed45622ed4216344b86d1a3cd1179e8646c2bb33545a642482c400

          SHA512

          95dca004d180cd88d37eaac27e9d843097ab01b2d70b935ac6f577e4bcea2d093b048e7751eb2910bac72bc8d9260d310a87a81d955cd9574f05613b246d2bc8

          Download Submit

        • memory/4540-5-0x0000000000400000-0x000000000048C050-memory.dmp

          Filesize

          560KB

          Download

        • memory/4540-11-0x0000000000400000-0x000000000048C050-memory.dmp

          Filesize

          560KB

          Download

        • memory/4724-15-0x0000000010000000-0x000000001006F000-memory.dmp

          Filesize

          444KB

          Download

        • memory/4724-17-0x0000000010000000-0x000000001006F000-memory.dmp

          Filesize

          444KB

          Download

        • memory/4724-18-0x0000000010000000-0x000000001006F000-memory.dmp

          Filesize

          444KB

          Download

        • memory/4956-0-0x0000000000400000-0x000000000048C050-memory.dmp

          Filesize

          560KB

          Download

        • memory/4956-2-0x0000000000400000-0x000000000048C050-memory.dmp

          Filesize

          560KB

          Download