Analysis
max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 22:33
Static task: static1
Behavioral task: behavioral1
  Sample: 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
Size: 8.7MB
MD5: 6b0956eb828c9de80de6e4144e904ae0
SHA1: 03099bf11297cdc15badd3dc651c273302e80807
SHA256: 82bda718a2a0809e9ced3caf31de70eb187447ccf49e7d2d282bd72b5f9c1676
SHA512: 6de681405d76a368593e6fb606f531301767b02f47033d7de4a45aac28ce6eb3e49f91e3aebc8fd2d5d2fc74c916d1b7f9e2f5709e13120b796d7e297cf67908
SSDEEP: 196608:Lc1z3ltL5LdGVzu+lKc1z3ltL5LdGVzu+lw:L05LdGVzBo05LdGVzBa
Malware Config
Extracted
lucastealer
https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw
Signatures

Luca Stealer
Info stealer written in Rust, first seen in July 2022.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe

Drops startup file (1 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PTTWEY.lnk | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe

Executes dropped EXE (8 IoCs)
pid | Process
2888 | RDEHKD.exe
2752 | rdehkd.exe
2368 | icsys.icn.exe
1224 | explorer.exe
2704 | spoolsv.exe
1540 | svchost.exe
1736 | spoolsv.exe
2092 | RACHIY.exe

Loads dropped DLL (20 IoCs)
pid | Process
1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
2888 | RDEHKD.exe
2888 | RDEHKD.exe
2888 | RDEHKD.exe
2888 | RDEHKD.exe
2368 | icsys.icn.exe
2368 | icsys.icn.exe
1224 | explorer.exe
1224 | explorer.exe
2704 | spoolsv.exe
2704 | spoolsv.exe
1540 | svchost.exe
1540 | svchost.exe
1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\PTTWEY = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Microsoft Office Click-to-Run.exe\"" | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
flow | ioc
2 | 0.tcp.sa.ngrok.io
5 | 0.tcp.sa.ngrok.io
8 | 0.tcp.sa.ngrok.io

Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2784 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2368 | icsys.icn.exe
1224 | explorer.exe
1224 | explorer.exe
1224 | explorer.exe
1224 | explorer.exe
1540 | svchost.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1540 | svchost.exe
1224 | explorer.exe
1224 | explorer.exe
1540 | svchost.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
1540 | svchost.exe
1224 | explorer.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe
1224 | explorer.exe
1540 | svchost.exe

Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
pid | Process
1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
1224 | explorer.exe
1540 | svchost.exe

Suspicious use of SetWindowsHookEx (14 IoCs)
pid | Process
2888 | RDEHKD.exe
2888 | RDEHKD.exe
2368 | icsys.icn.exe
2368 | icsys.icn.exe
1224 | explorer.exe
1224 | explorer.exe
2704 | spoolsv.exe
2704 | spoolsv.exe
1540 | svchost.exe
1540 | svchost.exe
1736 | spoolsv.exe
1736 | spoolsv.exe
1224 | explorer.exe
1224 | explorer.exe

Suspicious use of WriteProcessMemory (52 IoCs)
description | pid | Process | procid_target
PID 1956 wrote to memory of 2888 | 1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe | 28
PID 1956 wrote to memory of 2888 | 1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe | 28
PID 1956 wrote to memory of 2888 | 1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe | 28
PID 1956 wrote to memory of 2888 | 1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe | 28
PID 2888 wrote to memory of 2752 | 2888 | RDEHKD.exe | 29
PID 2888 wrote to memory of 2752 | 2888 | RDEHKD.exe | 29
PID 2888 wrote to memory of 2752 | 2888 | RDEHKD.exe | 29
PID 2888 wrote to memory of 2752 | 2888 | RDEHKD.exe | 29
PID 2888 wrote to memory of 2368 | 2888 | RDEHKD.exe | 31
PID 2888 wrote to memory of 2368 | 2888 | RDEHKD.exe | 31
PID 2888 wrote to memory of 2368 | 2888 | RDEHKD.exe | 31
PID 2888 wrote to memory of 2368 | 2888 | RDEHKD.exe | 31
PID 2368 wrote to memory of 1224 | 2368 | icsys.icn.exe | 32
PID 2368 wrote to memory of 1224 | 2368 | icsys.icn.exe | 32
PID 2368 wrote to memory of 1224 | 2368 | icsys.icn.exe | 32
PID 2368 wrote to memory of 1224 | 2368 | icsys.icn.exe | 32
PID 1224 wrote to memory of 2704 | 1224 | explorer.exe | 33
PID 1224 wrote to memory of 2704 | 1224 | explorer.exe | 33
PID 1224 wrote to memory of 2704 | 1224 | explorer.exe | 33
PID 1224 wrote to memory of 2704 | 1224 | explorer.exe | 33
PID 2704 wrote to memory of 1540 | 2704 | spoolsv.exe | 34
PID 2704 wrote to memory of 1540 | 2704 | spoolsv.exe | 34
PID 2704 wrote to memory of 1540 | 2704 | spoolsv.exe | 34
PID 2704 wrote to memory of 1540 | 2704 | spoolsv.exe | 34
PID 1540 wrote to memory of 1736 | 1540 | svchost.exe | 35
PID 1540 wrote to memory of 1736 | 1540 | svchost.exe | 35
PID 1540 wrote to memory of 1736 | 1540 | svchost.exe | 35
PID 1540 wrote to memory of 1736 | 1540 | svchost.exe | 35
PID 1540 wrote to memory of 836 | 1540 | svchost.exe | 36
PID 1540 wrote to memory of 836 | 1540 | svchost.exe | 36
PID 1540 wrote to memory of 836 | 1540 | svchost.exe | 36
PID 1540 wrote to memory of 836 | 1540 | svchost.exe | 36
PID 1956 wrote to memory of 2092 | 1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe | 38
PID 1956 wrote to memory of 2092 | 1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe | 38
PID 1956 wrote to memory of 2092 | 1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe | 38
PID 1956 wrote to memory of 2092 | 1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe | 38
PID 1956 wrote to memory of 2532 | 1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe | 39
PID 1956 wrote to memory of 2532 | 1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe | 39
PID 1956 wrote to memory of 2532 | 1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe | 39
PID 1956 wrote to memory of 2532 | 1956 | 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe | 39
PID 2532 wrote to memory of 2784 | 2532 | cmd.exe | 41
PID 2532 wrote to memory of 2784 | 2532 | cmd.exe | 41
PID 2532 wrote to memory of 2784 | 2532 | cmd.exe | 41
PID 2532 wrote to memory of 2784 | 2532 | cmd.exe | 41
PID 1540 wrote to memory of 1756 | 1540 | svchost.exe | 44
PID 1540 wrote to memory of 1756 | 1540 | svchost.exe | 44
PID 1540 wrote to memory of 1756 | 1540 | svchost.exe | 44
PID 1540 wrote to memory of 1756 | 1540 | svchost.exe | 44
PID 1540 wrote to memory of 1656 | 1540 | svchost.exe | 46
PID 1540 wrote to memory of 1656 | 1540 | svchost.exe | 46
PID 1540 wrote to memory of 1656 | 1540 | svchost.exe | 46
PID 1540 wrote to memory of 1656 | 1540 | svchost.exe | 46
Processes (process tree; each entry lists path, command line, PID and the signatures triggered by that process)

C:\Users\Admin\AppData\Local\Temp\6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe"
  PID: 1956
  Signatures: Drops startup file; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RDEHKD.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\RDEHKD.exe"
    PID: 2888
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    \??\c:\users\admin\appdata\local\temp\rdehkd.exe
      Command: c:\users\admin\appdata\local\temp\rdehkd.exe
      PID: 2752
      Signatures: Executes dropped EXE

    C:\Users\Admin\AppData\Local\icsys.icn.exe
      Command: C:\Users\Admin\AppData\Local\icsys.icn.exe
      PID: 2368
      Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

      \??\c:\windows\system\explorer.exe
        Command: c:\windows\system\explorer.exe
        PID: 1224
        Signatures: Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Modifies Installed Components in the registry; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe
          Command: c:\windows\system\spoolsv.exe SE
          PID: 2704
          Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

          \??\c:\windows\system\svchost.exe
            Command: c:\windows\system\svchost.exe
            PID: 1540
            Signatures: Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Modifies Installed Components in the registry; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

            \??\c:\windows\system\spoolsv.exe
              Command: c:\windows\system\spoolsv.exe PR
              PID: 1736
              Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\at.exe
              Command: at 22:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              PID: 836

            C:\Windows\SysWOW64\at.exe
              Command: at 22:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              PID: 1756

            C:\Windows\SysWOW64\at.exe
              Command: at 22:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              PID: 1656

  C:\Users\Admin\AppData\Local\Temp\RACHIY.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\RACHIY.exe"
    PID: 2092
    Signatures: Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn PTTWEY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
    PID: 2532
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command: schtasks /create /tn PTTWEY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
      PID: 2784
      Signatures: Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Downloads

Filesize: 74KB
MD5: dcdc109069b6e0d80d776c143fecde3f
SHA1: 761589c94ba8c2fd57d3ae9666a0fdc0d1b72eb5
SHA256: fe44f050ab9ea33f87acef449ed57157a331a19956207d6243522676c894e284
SHA512: 85365775caa1f85c585b4979519357421ec0239d900513c0aadf28d9d238f6548164c3573141b3e272a6d4376129204a7ceba9b2c4b31c8fbdfd13cb814b73b9

Filesize: 5.7MB
MD5: 2c2055233260e5bb20ce675afd39ed0d
SHA1: 26c056ba8e99a3fb523612b422a85be3ecbbd5b3
SHA256: 306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d
SHA512: 3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Filesize: 206KB
MD5: 855e286247e6a73977719e4bec501562
SHA1: 77b8d6ffc7fe886dd0c249ff0d57b466f328ccf9
SHA256: c76c98550ca56e9bb8ec09dc024482f162b28a3487ef042d4ed81a92caa29851
SHA512: bfa2098503ba9bbd5cb3cfdf11bf05f4d4a5968619a07c9cdb879d0cb6bb8b34ffec57117852bdb8c6291c1e7b4bc06d6877cc0c2af8ad3a702736d132b4c6c3

Filesize: 206KB
MD5: 7ba7dfc262d0a0a04615a484a36a64c0
SHA1: c54a902910329110be1f27097dc6bc2c04ebf85a
SHA256: dd8ca270a71bb5eed659ec5581fdcbad62cf7647d8ade4f0584accb4053b242d
SHA512: 8f4bd2f63987b26dbbb3b07fd5f5e9eb42ec29d6f9029d1135fea984c32dbe03c8b8fd8bb641c06bc30b0a96e0e383ced87ee64ccd2569b04945d1c886241eb3

Filesize: 206KB
MD5: dd6eed7cccf0cfc3d4f939e51badfce8
SHA1: 34498d8d8e80b264ed20785cb0e490cdd94644d6
SHA256: 80fbf7ea2f08f692ea5ebbdc272848c01cd18cb9020a0907c78967a57f55925a
SHA512: a682f9131862ae17391e4afac298c38e676138451392a2d9b09be799d84ca8c3d88c29ca812d0791b09eafca6a11f3c2f7b9c0810c39a435437ec5bd60dd568a

Filesize: 206KB
MD5: 2cd861f4ceae87f5c11dc3a52fb78be8
SHA1: c6970ac238ea7bb722805360378c8ee37460e021
SHA256: eccec1f86730362438caf67ff99e70e38c51603442044661ae36bcf0a550b74d
SHA512: e8d63b4b09444fc9129e159d607cd5462d660382ca6b8d3f68d97de79aa125538946c4a6f5200c224c1f763e817bac36ec8c38a82cc45d257b7610f7631dd25f

Filesize: 206KB
MD5: c5f78d788265a8c2b80017a0dc351266
SHA1: 32836c3ccaf84431beaba1b10107743c052cddc0
SHA256: 0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0
SHA512: 0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Filesize: 5.9MB
MD5: 021079dc0918b9c7359e93e770678000
SHA1: 70c03da6f7b339340b1943f5d0b7b1fd87579adf
SHA256: ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487
SHA512: 9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0