Analysis
- max time kernel: 133s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2024 03:57
Behavioral task: behavioral1
- Sample: 5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe
- Size: 1.6MB
- MD5: 5fe0d791433b06792c910857a72fca50
- SHA1: 0dedb715e809b5c5666bd8c9598f1ef2da405d1b
- SHA256: ac82016516585cfb76c36a0808d84b263119b148f6a7aa7ab9d221d616954025
- SHA512: 9100856b77af8d1678adf33c4e0e7f643158a4be7937eb63ee05a5f06c6c5790a06cb4ad7660ac1bcd858160916d609d3c90f3690eb652481baa1280486bda9d
- SSDEEP: 49152:1kTq24GjdGSiqkqXfd+/9AqYanieKds6:11EjdGSiqkqXf0FLYW
Malware Config
Extracted
- Family: stealerium
- URL: https://discord.com/api/webhooks/1237701622168158289/yCA4XMxxNf2MMWFp1FwpefUD1pLGH0mhT_TQTwndsr1dAVvybWr3hp5JZAVJm0HcEBh8
Signatures
- Stealerium
  An open source info stealer written in C# first seen in May 2022.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description         ioc                                                                                                       process
    Key value queried   \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation   5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  Processes:
    pid   process
    388   timeout.exe
- Kills process with taskkill (1 IoCs)
  Processes:
    pid    process
    3352   taskkill.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid    process
    3032   5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   3032   5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe
    Token: SeDebugPrivilege   3352   taskkill.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid    process                                               target process
    PID 3032 wrote to memory of 3956   3032   5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe   cmd.exe
    PID 3032 wrote to memory of 3956   3032   5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe   cmd.exe
    PID 3032 wrote to memory of 3956   3032   5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe   cmd.exe
    PID 3956 wrote to memory of 5064   3956   cmd.exe                                               chcp.com
    PID 3956 wrote to memory of 5064   3956   cmd.exe                                               chcp.com
    PID 3956 wrote to memory of 5064   3956   cmd.exe                                               chcp.com
    PID 3956 wrote to memory of 3352   3956   cmd.exe                                               taskkill.exe
    PID 3956 wrote to memory of 3352   3956   cmd.exe                                               taskkill.exe
    PID 3956 wrote to memory of 3352   3956   cmd.exe                                               taskkill.exe
    PID 3956 wrote to memory of 388    3956   cmd.exe                                               timeout.exe
    PID 3956 wrote to memory of 388    3956   cmd.exe                                               timeout.exe
    PID 3956 wrote to memory of 388    3956   cmd.exe                                               timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5fe0d791433b06792c910857a72fca50_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp75DC.tmp.bat
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com (level 3)
      Command line: chcp 65001
    - C:\Windows\SysWOW64\taskkill.exe (level 3)
      Command line: TaskKill /F /IM 3032
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\timeout.exe (level 3)
      Command line: Timeout /T 2 /Nobreak
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp75DC.tmp.bat
  Filesize: 57B
  MD5: 9dab782a4cbec9d68f4e2e4bbff75b32
  SHA1: 0c4c19f17bcd21bb534ffd97ba392d2306c7d690
  SHA256: fedc1a41154d4bf3bcea2b79e929ed445bd341d543796e9d4157748134a053dd
  SHA512: 1ebe2156c4e565c6deeb8a88644015b7d319f7178e353f2f8d67a1d43a16c50c45fcbb024f8bf4f444108cae33fa29349d1f0b30f782d92ffdf5be70f9f32068
- memory/3032-0-0x000000007532E000-0x000000007532F000-memory.dmp
  Filesize: 4KB
- memory/3032-1-0x0000000000420000-0x00000000005B2000-memory.dmp
  Filesize: 1.6MB
- memory/3032-2-0x0000000004F10000-0x0000000004F76000-memory.dmp
  Filesize: 408KB
- memory/3032-3-0x0000000075320000-0x0000000075AD0000-memory.dmp
  Filesize: 7.7MB
- memory/3032-7-0x0000000005490000-0x0000000005522000-memory.dmp
  Filesize: 584KB
- memory/3032-8-0x0000000005520000-0x0000000005546000-memory.dmp
  Filesize: 152KB
- memory/3032-9-0x0000000005550000-0x0000000005558000-memory.dmp
  Filesize: 32KB
- memory/3032-14-0x0000000075320000-0x0000000075AD0000-memory.dmp
  Filesize: 7.7MB