Analysis

max time kernel: 142s
max time network: 145s
platform: windows7_x64
resource: win7-20240220-en
submitted: 29/05/2024, 22:40

Static task: static1

Behavioral task: behavioral1
Sample: 58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General

Target: 58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
Size: 2.8MB
MD5: 58b15dd5817b876fbd2c3230319bd8c0
SHA1: 48234469c4688977f0942c09261d19c7b320e8b1
SHA256: 893b9d81483e83b7839cdda24fbfdc39044e0616cb7dad89c0a90f7cd9d69572
SHA512: 256da494e46eea70eb9d6ab2117aa4da0c52e3e55aeaca8b5faf7fa46db1f1ad06bb71b276982ff897049ae12d7a3a6e40490359d33ccab470c4877cd5361ea2
SSDEEP: 49152:ZnsHyjtk2MYC5GDoy68c4iZ9ds5bk69oVqxZmQq+osEt5gqckXfmHyxCKQpQ01sF:Znsmtk2ah9ds5bk69oilq+osM5gqckMi
Malware Config

Extracted family: xred
C2: xred.mooo.com
payload_url:
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
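The payload list above mixes two kinds of hosts: two names the actor controls outright (xred.mooo.com, the C2, and xred.site50.net, both free dynamic-DNS / free-hosting names) and three shared services (freedns.afraid.org, docs.google.com, dropbox.com) that cannot be blocked by hostname without collateral damage. The following script is an added example, not part of the sandbox report or of any tooling from the malware author: it turns the config into a host-level block list plus an exact-URL match list, normalises URLs so that reordered query parameters and Dropbox `dl=0`/`dl=1` variants still match, and runs the result over a constructed proxy log. The log format and the assumption that the two attacker hostnames have no legitimate users are both mine.

```python
"""Turn the extracted Xred config into network IoCs and check proxy logs against them.

Added example for this report, not tooling from the sandbox or the malware author.
The proxy log lines at the bottom are constructed for the demo.
"""
from urllib.parse import parse_qsl, urlsplit

# Values copied from the extracted config in the report.
C2_DOMAIN = "xred.mooo.com"
PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]

# Assumption: these two free dynamic-DNS / free-hosting names exist only to serve
# this malware, so a host-level block has no collateral impact. docs.google.com,
# dropbox.com and freedns.afraid.org are shared services and are matched on the
# full URL instead.
ATTACKER_HOSTS = {C2_DOMAIN, "xred.site50.net"}


def normalize(url):
    """Canonical (host, path, query) key so trivial URL variations still match.

    Scheme is dropped, host lowercased, query parameters sorted. For Dropbox
    share links the dl parameter only selects preview vs. download of the same
    file, so it is ignored.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = sorted(
        (k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if not (host.endswith("dropbox.com") and k == "dl")
    )
    return host, parts.path, tuple(query)


def build_iocs(urls, attacker_hosts):
    """Split the config into host-level blocks and exact-URL matches."""
    hosts, exact = set(), set()
    for u in urls:
        host, path, query = normalize(u)
        if host in attacker_hosts:
            hosts.add(host)
        else:
            exact.add((host, path, query))
    hosts |= attacker_hosts  # the C2 domain itself is not in the payload list
    return hosts, exact


def classify(url, hosts, exact):
    """Return 'block_host', 'block_url' or None for one observed URL."""
    host, path, query = normalize(url)
    if host in hosts:
        return "block_host"
    if (host, path, query) in exact:
        return "block_url"
    return None


def scan_proxy_log(lines, hosts, exact):
    """Return (client, url, verdict) for every log line that hits an IoC.

    Constructed line format: '<timestamp> <client_ip> <method> <url> <status>'.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        verdict = classify(fields[3], hosts, exact)
        if verdict:
            hits.append((fields[1], fields[3], verdict))
    return hits


# Constructed proxy log: three true hits from 10.0.0.15 (one with reordered
# query parameters, one Dropbox link with dl=0), one C2 contact, and two
# benign downloads from the same shared services that must not match.
SAMPLE_LOG = [
    "2024-05-29T22:41:03Z 10.0.0.15 GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 200",
    "2024-05-29T22:41:05Z 10.0.0.15 GET https://docs.google.com/uc?export=download&id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk 302",
    "2024-05-29T22:41:09Z 10.0.0.22 GET https://docs.google.com/uc?id=1AbCdEfGhIjKlMnOpQrStUvWxYz&export=download 302",
    "2024-05-29T22:41:12Z 10.0.0.15 GET https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=0 200",
    "2024-05-29T22:41:20Z 10.0.0.15 GET http://xred.mooo.com/ 200",
    "2024-05-29T22:41:31Z 10.0.0.40 GET https://www.dropbox.com/s/abcdef0123456/report.pdf?dl=1 200",
]

if __name__ == "__main__":
    hosts, exact = build_iocs(PAYLOAD_URLS, ATTACKER_HOSTS)
    for client, url, verdict in scan_proxy_log(SAMPLE_LOG, hosts, exact):
        print(f"{verdict:10} {client:10} {url}")
```

Keying on the shared-service entries by full path and query (rather than by hostname) is what keeps the benign Google Docs and Dropbox downloads in the constructed log from matching; the `sha=` token in the freedns.afraid.org URL and the `id=` values in the Google Docs URLs are the actor-specific parts, so any variant that drops or changes them is deliberately not matched.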
Signatures

Xred family

Executes dropped EXE (3 IoCs)
PID    Process
1748   ._cache_58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
2568   Synaptics.exe
2572   ._cache_Synaptics.exe

Loads dropped DLL (5 IoCs)
PID    Process
2068   58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
2068   58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
2068   58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
2568   Synaptics.exe
2568   Synaptics.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Description       IoC                                                                                                                                         Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"   58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description   IoC                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Synaptics.exe

Suspicious use of WriteProcessMemory (12 IoCs; each row below was recorded four times)
Description                         PID    Process                                                procid_target
PID 2068 wrote to memory of 1748    2068   58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe   28
PID 2068 wrote to memory of 2568    2068   58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe   29
PID 2568 wrote to memory of 2572    2568   Synaptics.exe                                          30
Processes

C:\Users\Admin\AppData\Local\Temp\58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe"
PID: 2068
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\._cache_58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe"
    PID: 1748
    - Executes dropped EXE

    C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID: 2568
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        PID: 2572
        - Executes dropped EXE
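The signatures and the process tree together give a host-side pattern that is more specific than any single row: the sample writes a Run value named "Synaptics Pointing Device Driver" pointing at C:\ProgramData\Synaptics\Synaptics.exe, launches a `._cache_`-prefixed copy of itself from %TEMP%, and starts Synaptics.exe with the `InjUpdate` argument, which in turn repeats the `._cache_` launch. The "Suspicious use of WriteProcessMemory" rows pair each parent with the child it has just created, which is what process creation looks like from the outside, so they are weak evidence on their own. The script below is an added example, not part of the report: it applies that combined pattern to constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set; the field names and hostnames are assumptions) and keeps a genuine Synaptics touchpad driver autostart from Program Files out of the verdict. The registry regex matches both the `HKLM\...\Run` and the `Wow6432Node` view that the report shows, since the 32-bit sample is redirected to the latter on a 64-bit host.

```python
"""Host-side detection for the Xred behaviour chain shown in this report.

Added example, not part of the sandbox report. Events are constructed in a
Sysmon-like shape (EventID 1 = process create, 13 = registry value set); the
field names, hostnames and PIDs outside the report are assumptions.
"""
import re
from collections import defaultdict

# Patterns taken from the IoCs in the report. Case-insensitive because
# registry and file paths are case-insensitive on Windows. RUN_KEY_RE matches
# both the native and the Wow6432Node view of the Run key.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
FAKE_SYNAPTICS_RE = re.compile(r"\\ProgramData\\Synaptics\\Synaptics\.exe", re.I)
CACHE_COPY_RE = re.compile(r"\\\._cache_[^\\]+\.exe$", re.I)
INJUPDATE_RE = re.compile(r"(^|\s)InjUpdate(\s|$)")


def tag_event(ev):
    """Return the rule names that fire on one event (empty list if none)."""
    tags = []
    if ev["EventID"] == 13:  # registry value set
        value = ev["Details"].strip('"')
        if RUN_KEY_RE.search(ev["TargetObject"]) and FAKE_SYNAPTICS_RE.search(value):
            tags.append("run_key_programdata_synaptics")
    elif ev["EventID"] == 1:  # process creation
        if CACHE_COPY_RE.search(ev["Image"]):
            tags.append("cache_copy_executed")
        if FAKE_SYNAPTICS_RE.search(ev["Image"]) and INJUPDATE_RE.search(ev["CommandLine"]):
            tags.append("synaptics_injupdate")
    return tags


def score_host(events):
    """Aggregate tags per host.

    'infected' requires the persistence write plus at least one of the two
    execution indicators; a single indicator alone is only 'suspicious', so
    partial telemetry is surfaced without being over-called.
    """
    by_host = defaultdict(set)
    for ev in events:
        by_host[ev["Computer"]].update(tag_event(ev))
    verdicts = {}
    for host, tags in by_host.items():
        executed = tags & {"cache_copy_executed", "synaptics_injupdate"}
        if "run_key_programdata_synaptics" in tags and executed:
            verdicts[host] = "infected"
        elif tags:
            verdicts[host] = "suspicious"
        else:
            verdicts[host] = "clean"
    return verdicts


# Constructed events. WS01 replays the chain from the report; WS02 has a real
# Synaptics touchpad driver autostart (Program Files, not ProgramData); WS03
# only shows the persistence write.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 1, "ProcessId": 2068,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe"'},
    {"Computer": "WS01", "EventID": 13, "ProcessId": 2068,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver",
     "Details": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"Computer": "WS01", "EventID": 1, "ProcessId": 1748,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\._cache_58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\._cache_58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe"'},
    {"Computer": "WS01", "EventID": 1, "ProcessId": 2568,
     "Image": r"C:\ProgramData\Synaptics\Synaptics.exe",
     "CommandLine": r'"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate'},
    {"Computer": "WS02", "EventID": 13, "ProcessId": 1234,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SynTPEnh",
     "Details": r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"},
    {"Computer": "WS03", "EventID": 13, "ProcessId": 4321,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver",
     "Details": r"C:\ProgramData\Synaptics\Synaptics.exe"},
]

if __name__ == "__main__":
    for host, verdict in score_host(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict}")
```

The discriminator between the malware and the real driver is the directory, not the name: the genuine Synaptics driver installs under Program Files, while this sample plants its copy under C:\ProgramData\Synaptics. Keying on the full ProgramData path therefore avoids alerting on every laptop with a Synaptics touchpad.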
Downloads

Filesize: 2.8MB
MD5: 58b15dd5817b876fbd2c3230319bd8c0
SHA1: 48234469c4688977f0942c09261d19c7b320e8b1
SHA256: 893b9d81483e83b7839cdda24fbfdc39044e0616cb7dad89c0a90f7cd9d69572
SHA512: 256da494e46eea70eb9d6ab2117aa4da0c52e3e55aeaca8b5faf7fa46db1f1ad06bb71b276982ff897049ae12d7a3a6e40490359d33ccab470c4877cd5361ea2

Filesize: 2.1MB
MD5: b1e4704df1509a6bfb646b1f9783a250
SHA1: 88f5fb9e6c937bc0536bdd250fe4e920f1e51f48
SHA256: 346269cf5d28b4ee005119c30fb28237082647d0424ec1f0bfc6d35ae8d0b48b
SHA512: 879dc7e48c9371a1b90f637b7b16ebe341bc3dcbb1392249d64422f73e953f894993869ffd02927995ce81c6abe1a104a642b6488c101b43001c1e4530366f06