Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30-05-2024 22:33
Static task
static1
Behavioral task
behavioral1
Sample
6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
-
Size
8.7MB
-
MD5
6b0956eb828c9de80de6e4144e904ae0
-
SHA1
03099bf11297cdc15badd3dc651c273302e80807
-
SHA256
82bda718a2a0809e9ced3caf31de70eb187447ccf49e7d2d282bd72b5f9c1676
-
SHA512
6de681405d76a368593e6fb606f531301767b02f47033d7de4a45aac28ce6eb3e49f91e3aebc8fd2d5d2fc74c916d1b7f9e2f5709e13120b796d7e297cf67908
-
SSDEEP
196608:Lc1z3ltL5LdGVzu+lKc1z3ltL5LdGVzu+lw:L05LdGVzBo05LdGVzBa
Malware Config
Extracted
lucastealer
https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw
Signatures
-
Luca Stealer
Info stealer written in Rust first seen in July 2022.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" svchost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Modifies Installed Components in the registry 2 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PTTWEY.lnk 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe -
Executes dropped EXE 8 IoCs
pid Process 4064 RDEHKD.exe 792 RACHIY.exe 1364 rdehkd.exe 4304 icsys.icn.exe 3652 explorer.exe 944 spoolsv.exe 5064 svchost.exe 4308 spoolsv.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PTTWEY = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Microsoft Office Click-to-Run.exe\"" 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" svchost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 68 0.tcp.sa.ngrok.io 23 0.tcp.sa.ngrok.io 51 0.tcp.sa.ngrok.io -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification \??\c:\windows\system\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe svchost.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 696 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4440 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe 4440 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe 4304 icsys.icn.exe 4304 icsys.icn.exe 3652 explorer.exe 3652 explorer.exe 3652 explorer.exe 3652 explorer.exe 3652 explorer.exe 3652 explorer.exe 5064 svchost.exe 5064 svchost.exe 5064 svchost.exe 5064 svchost.exe 3652 explorer.exe 3652 explorer.exe 5064 svchost.exe 5064 svchost.exe 3652 explorer.exe 3652 explorer.exe 5064 svchost.exe 5064 svchost.exe 3652 explorer.exe 3652 explorer.exe 5064 svchost.exe 5064 svchost.exe 3652 explorer.exe 3652 explorer.exe 5064 svchost.exe 5064 svchost.exe 3652 explorer.exe 3652 explorer.exe 5064 svchost.exe 5064 svchost.exe 3652 explorer.exe 3652 explorer.exe 5064 svchost.exe 5064 svchost.exe 3652 explorer.exe 3652 explorer.exe 5064 svchost.exe 5064 svchost.exe 3652 explorer.exe 3652 explorer.exe 5064 svchost.exe 5064 svchost.exe 3652 explorer.exe 3652 explorer.exe 5064 svchost.exe 5064 svchost.exe 3652 explorer.exe 3652 explorer.exe 5064 svchost.exe 5064 svchost.exe 3652 explorer.exe 3652 explorer.exe 5064 svchost.exe 5064 svchost.exe 3652 explorer.exe 3652 explorer.exe 5064 svchost.exe 5064 svchost.exe 3652 explorer.exe 3652 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 4440 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe 3652 explorer.exe 5064 svchost.exe -
Suspicious use of SetWindowsHookEx 15 IoCs
pid Process 4064 RDEHKD.exe 4064 RDEHKD.exe 792 RACHIY.exe 4304 icsys.icn.exe 4304 icsys.icn.exe 3652 explorer.exe 3652 explorer.exe 944 spoolsv.exe 944 spoolsv.exe 5064 svchost.exe 5064 svchost.exe 4308 spoolsv.exe 4308 spoolsv.exe 3652 explorer.exe 3652 explorer.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 4440 wrote to memory of 4064 4440 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe 84 PID 4440 wrote to memory of 4064 4440 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe 84 PID 4440 wrote to memory of 4064 4440 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe 84 PID 4440 wrote to memory of 792 4440 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe 87 PID 4440 wrote to memory of 792 4440 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe 87 PID 4440 wrote to memory of 792 4440 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe 87 PID 4440 wrote to memory of 4996 4440 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe 89 PID 4440 wrote to memory of 4996 4440 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe 89 PID 4440 wrote to memory of 4996 4440 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe 89 PID 4064 wrote to memory of 1364 4064 RDEHKD.exe 88 PID 4064 wrote to memory of 1364 4064 RDEHKD.exe 88 PID 4996 wrote to memory of 696 4996 cmd.exe 92 PID 4996 wrote to memory of 696 4996 cmd.exe 92 PID 4996 wrote to memory of 696 4996 cmd.exe 92 PID 4064 wrote to memory of 4304 4064 RDEHKD.exe 94 PID 4064 wrote to memory of 4304 4064 RDEHKD.exe 94 PID 4064 wrote to memory of 4304 4064 RDEHKD.exe 94 PID 4304 wrote to memory of 3652 4304 icsys.icn.exe 95 PID 4304 wrote to memory of 3652 4304 icsys.icn.exe 95 PID 4304 wrote to memory of 3652 4304 icsys.icn.exe 95 PID 3652 wrote to memory of 944 3652 explorer.exe 96 PID 3652 wrote to memory of 944 3652 explorer.exe 96 PID 3652 wrote to memory of 944 3652 explorer.exe 96 PID 944 wrote to memory of 5064 944 spoolsv.exe 97 PID 944 wrote to memory of 5064 944 spoolsv.exe 97 PID 944 wrote to memory of 5064 944 spoolsv.exe 97 PID 5064 wrote to memory of 4308 5064 svchost.exe 98 PID 5064 wrote to memory of 4308 5064 svchost.exe 98 PID 5064 wrote to memory of 4308 5064 svchost.exe 98 PID 5064 wrote to memory of 3284 5064 svchost.exe 99 PID 5064 wrote to memory of 3284 5064 svchost.exe 99 PID 5064 wrote to memory of 3284 5064 svchost.exe 99 PID 5064 wrote to memory of 1848 5064 svchost.exe 112 PID 5064 wrote to memory of 1848 5064 svchost.exe 112 PID 5064 wrote to memory of 1848 5064 svchost.exe 112 PID 5064 wrote to memory of 3944 5064 svchost.exe 121 PID 5064 wrote to memory of 3944 5064 svchost.exe 121 PID 5064 wrote to memory of 3944 5064 svchost.exe 121
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Users\Admin\AppData\Local\Temp\RDEHKD.exe"C:\Users\Admin\AppData\Local\Temp\RDEHKD.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\users\admin\appdata\local\temp\rdehkd.exec:\users\admin\appdata\local\temp\rdehkd.exe3⤵
- Executes dropped EXE
PID:1364
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4308
-
-
C:\Windows\SysWOW64\at.exeat 22:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵PID:3284
-
-
C:\Windows\SysWOW64\at.exeat 22:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵PID:1848
-
-
C:\Windows\SysWOW64\at.exeat 22:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵PID:3944
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RACHIY.exe"C:\Users\Admin\AppData\Local\Temp\RACHIY.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:792
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn PTTWEY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 12⤵
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn PTTWEY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 13⤵
- Creates scheduled task(s)
PID:696
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74KB
MD5dcdc109069b6e0d80d776c143fecde3f
SHA1761589c94ba8c2fd57d3ae9666a0fdc0d1b72eb5
SHA256fe44f050ab9ea33f87acef449ed57157a331a19956207d6243522676c894e284
SHA51285365775caa1f85c585b4979519357421ec0239d900513c0aadf28d9d238f6548164c3573141b3e272a6d4376129204a7ceba9b2c4b31c8fbdfd13cb814b73b9
-
Filesize
5.9MB
MD5021079dc0918b9c7359e93e770678000
SHA170c03da6f7b339340b1943f5d0b7b1fd87579adf
SHA256ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487
SHA5129bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0
-
Filesize
5.7MB
MD52c2055233260e5bb20ce675afd39ed0d
SHA126c056ba8e99a3fb523612b422a85be3ecbbd5b3
SHA256306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d
SHA5123e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546
-
Filesize
206KB
MD5c5f78d788265a8c2b80017a0dc351266
SHA132836c3ccaf84431beaba1b10107743c052cddc0
SHA2560a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0
SHA5120315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16
-
Filesize
206KB
MD55df1e6298db0f0a4d533fb3ccf3571b8
SHA18026a4d428f3f616b93311f31ee3a81e3e987e37
SHA256016c0eaac7627de3ad8b42938358a55653fbb6c76601e29d054479c493f720c0
SHA512b272fb6c9707436cfd522abf526a5f65b01f5bb0b813407368133f60e06e7407acadb734dea077d8f93dc20cfa689905ef1601820c499eb654ce07544b43ed7b
-
Filesize
206KB
MD5a412387d693f3d2a22d0ea0594497e51
SHA181a677a5437d376c96b0f7301ed9eada4cb1ed17
SHA2562286e097266ef6b5d9fbc6a913fee97ea860488ab06a9ed83d8b8b1874870ff0
SHA512003f819c50bfc4113b22a163f0569ba63f88f0bb167d89de0523087fd9dc74278d7baca4413b440d16ce277c88b62e16a4c3f728c526909fda10119ce2738edf
-
Filesize
206KB
MD5c8a57d85770b419393b32863b1daee97
SHA13fcbd1c1412b6b0f9b4950257f6dae64f1c8ea23
SHA256212080b88ed8c7989e05a1b9044702250d6bb3b4895815469f641caad53811bb
SHA51217ff3ab49cc55acf32429d126171a3355540d30d4349e916b38e89e34f9ba40bdc5e381461d20ee26b380dbfd5718dd96cd9e0491fb909d20a88a76301f79e51
-
Filesize
206KB
MD5914673296b3888ec694ea20daad9baf4
SHA1b05ee49e8b02d2fe6c5ceb6c27e95a0c50770f19
SHA2565b2b2105a567cd787fb6c57b1cfd93e0f3278923e31bfecc8dc35115da926921
SHA512a2fd402619851215cc60745abd3196640b6d70b91292d7371adedcf1d7b090b7e069bcaaa6d67facfe64049e6a07c50726bb5211ae6efda3cf1063094267f34b