Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    30-05-2024 22:33

General

  • Target

    6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe

  • Size

    8.7MB

  • MD5

    6b0956eb828c9de80de6e4144e904ae0

  • SHA1

    03099bf11297cdc15badd3dc651c273302e80807

  • SHA256

    82bda718a2a0809e9ced3caf31de70eb187447ccf49e7d2d282bd72b5f9c1676

  • SHA512

    6de681405d76a368593e6fb606f531301767b02f47033d7de4a45aac28ce6eb3e49f91e3aebc8fd2d5d2fc74c916d1b7f9e2f5709e13120b796d7e297cf67908

  • SSDEEP

    196608:Lc1z3ltL5LdGVzu+lKc1z3ltL5LdGVzu+lw:L05LdGVzBo05LdGVzBa

Malware Config

Extracted

Family

lucastealer

C2

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

  • Luca Stealer

    Info stealer written in Rust first seen in July 2022.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 20 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Users\Admin\AppData\Local\Temp\RDEHKD.exe
      "C:\Users\Admin\AppData\Local\Temp\RDEHKD.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2888
      • \??\c:\users\admin\appdata\local\temp\rdehkd.exe 
        c:\users\admin\appdata\local\temp\rdehkd.exe 
        3⤵
        • Executes dropped EXE
        PID:2752
      • C:\Users\Admin\AppData\Local\icsys.icn.exe
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2368
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1224
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe SE
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2704
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visiblity of hidden/system files in Explorer
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1540
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe PR
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1736
              • C:\Windows\SysWOW64\at.exe
                at 22:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                7⤵
                  PID:836
                • C:\Windows\SysWOW64\at.exe
                  at 22:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  7⤵
                    PID:1756
                  • C:\Windows\SysWOW64\at.exe
                    at 22:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    7⤵
                      PID:1656
          • C:\Users\Admin\AppData\Local\Temp\RACHIY.exe
            "C:\Users\Admin\AppData\Local\Temp\RACHIY.exe"
            2⤵
            • Executes dropped EXE
            PID:2092
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c schtasks /create /tn PTTWEY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2532
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn PTTWEY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
              3⤵
              • Creates scheduled task(s)
              PID:2784

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RACHIY.exe

          Filesize

          74KB

          MD5

          dcdc109069b6e0d80d776c143fecde3f

          SHA1

          761589c94ba8c2fd57d3ae9666a0fdc0d1b72eb5

          SHA256

          fe44f050ab9ea33f87acef449ed57157a331a19956207d6243522676c894e284

          SHA512

          85365775caa1f85c585b4979519357421ec0239d900513c0aadf28d9d238f6548164c3573141b3e272a6d4376129204a7ceba9b2c4b31c8fbdfd13cb814b73b9

        • C:\Users\Admin\AppData\Local\Temp\rdehkd.exe 

          Filesize

          5.7MB

          MD5

          2c2055233260e5bb20ce675afd39ed0d

          SHA1

          26c056ba8e99a3fb523612b422a85be3ecbbd5b3

          SHA256

          306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

          SHA512

          3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          206KB

          MD5

          855e286247e6a73977719e4bec501562

          SHA1

          77b8d6ffc7fe886dd0c249ff0d57b466f328ccf9

          SHA256

          c76c98550ca56e9bb8ec09dc024482f162b28a3487ef042d4ed81a92caa29851

          SHA512

          bfa2098503ba9bbd5cb3cfdf11bf05f4d4a5968619a07c9cdb879d0cb6bb8b34ffec57117852bdb8c6291c1e7b4bc06d6877cc0c2af8ad3a702736d132b4c6c3

        • C:\Windows\system\explorer.exe

          Filesize

          206KB

          MD5

          7ba7dfc262d0a0a04615a484a36a64c0

          SHA1

          c54a902910329110be1f27097dc6bc2c04ebf85a

          SHA256

          dd8ca270a71bb5eed659ec5581fdcbad62cf7647d8ade4f0584accb4053b242d

          SHA512

          8f4bd2f63987b26dbbb3b07fd5f5e9eb42ec29d6f9029d1135fea984c32dbe03c8b8fd8bb641c06bc30b0a96e0e383ced87ee64ccd2569b04945d1c886241eb3

        • C:\Windows\system\spoolsv.exe

          Filesize

          206KB

          MD5

          dd6eed7cccf0cfc3d4f939e51badfce8

          SHA1

          34498d8d8e80b264ed20785cb0e490cdd94644d6

          SHA256

          80fbf7ea2f08f692ea5ebbdc272848c01cd18cb9020a0907c78967a57f55925a

          SHA512

          a682f9131862ae17391e4afac298c38e676138451392a2d9b09be799d84ca8c3d88c29ca812d0791b09eafca6a11f3c2f7b9c0810c39a435437ec5bd60dd568a

        • C:\Windows\system\svchost.exe

          Filesize

          206KB

          MD5

          2cd861f4ceae87f5c11dc3a52fb78be8

          SHA1

          c6970ac238ea7bb722805360378c8ee37460e021

          SHA256

          eccec1f86730362438caf67ff99e70e38c51603442044661ae36bcf0a550b74d

          SHA512

          e8d63b4b09444fc9129e159d607cd5462d660382ca6b8d3f68d97de79aa125538946c4a6f5200c224c1f763e817bac36ec8c38a82cc45d257b7610f7631dd25f

        • \??\c:\users\admin\appdata\local\icsys.icn.exe

          Filesize

          206KB

          MD5

          c5f78d788265a8c2b80017a0dc351266

          SHA1

          32836c3ccaf84431beaba1b10107743c052cddc0

          SHA256

          0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

          SHA512

          0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

        • \Users\Admin\AppData\Local\Temp\RDEHKD.exe

          Filesize

          5.9MB

          MD5

          021079dc0918b9c7359e93e770678000

          SHA1

          70c03da6f7b339340b1943f5d0b7b1fd87579adf

          SHA256

          ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

          SHA512

          9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

        • memory/1736-98-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/1956-21-0x0000000004140000-0x0000000004180000-memory.dmp

          Filesize

          256KB

        • memory/1956-7-0x0000000004140000-0x0000000004180000-memory.dmp

          Filesize

          256KB

        • memory/2092-119-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

        • memory/2368-48-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2368-102-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2704-99-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2888-103-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB