Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-05-2024 22:33

General

  • Target

    6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe

  • Size

    8.7MB

  • MD5

    6b0956eb828c9de80de6e4144e904ae0

  • SHA1

    03099bf11297cdc15badd3dc651c273302e80807

  • SHA256

    82bda718a2a0809e9ced3caf31de70eb187447ccf49e7d2d282bd72b5f9c1676

  • SHA512

    6de681405d76a368593e6fb606f531301767b02f47033d7de4a45aac28ce6eb3e49f91e3aebc8fd2d5d2fc74c916d1b7f9e2f5709e13120b796d7e297cf67908

  • SSDEEP

    196608:Lc1z3ltL5LdGVzu+lKc1z3ltL5LdGVzu+lw:L05LdGVzBo05LdGVzBa

Malware Config

Extracted

Family

lucastealer

C2

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

  • Luca Stealer

    Info stealer written in Rust first seen in July 2022.

  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file (1 IoC)
  • Executes dropped EXE (8 IoCs)
  • Adds Run key to start application (2 TTPs, 5 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  • Drops file in Windows directory (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
  • Suspicious use of SetWindowsHookEx (15 IoCs)
  • Suspicious use of WriteProcessMemory (38 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Users\Admin\AppData\Local\Temp\RDEHKD.exe
      "C:\Users\Admin\AppData\Local\Temp\RDEHKD.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4064
      • \??\c:\users\admin\appdata\local\temp\rdehkd.exe 
        c:\users\admin\appdata\local\temp\rdehkd.exe 
        3⤵
        • Executes dropped EXE
        PID:1364
      • C:\Users\Admin\AppData\Local\icsys.icn.exe
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4304
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3652
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe SE
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:944
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of hidden/system files in Explorer
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:5064
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe PR
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:4308
              • C:\Windows\SysWOW64\at.exe
                at 22:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                7⤵
                PID:3284
              • C:\Windows\SysWOW64\at.exe
                at 22:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                7⤵
                PID:1848
              • C:\Windows\SysWOW64\at.exe
                at 22:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                7⤵
                PID:3944
    • C:\Users\Admin\AppData\Local\Temp\RACHIY.exe
      "C:\Users\Admin\AppData\Local\Temp\RACHIY.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:792
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn PTTWEY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn PTTWEY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
        3⤵
        • Creates scheduled task(s)
        PID:696

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Temp\RACHIY.exe

          Filesize

          74KB

          MD5

          dcdc109069b6e0d80d776c143fecde3f

          SHA1

          761589c94ba8c2fd57d3ae9666a0fdc0d1b72eb5

          SHA256

          fe44f050ab9ea33f87acef449ed57157a331a19956207d6243522676c894e284

          SHA512

          85365775caa1f85c585b4979519357421ec0239d900513c0aadf28d9d238f6548164c3573141b3e272a6d4376129204a7ceba9b2c4b31c8fbdfd13cb814b73b9

        • C:\Users\Admin\AppData\Local\Temp\RDEHKD.exe

          Filesize

          5.9MB

          MD5

          021079dc0918b9c7359e93e770678000

          SHA1

          70c03da6f7b339340b1943f5d0b7b1fd87579adf

          SHA256

          ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

          SHA512

          9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

        • C:\Users\Admin\AppData\Local\Temp\rdehkd.exe 

          Filesize

          5.7MB

          MD5

          2c2055233260e5bb20ce675afd39ed0d

          SHA1

          26c056ba8e99a3fb523612b422a85be3ecbbd5b3

          SHA256

          306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

          SHA512

          3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

        • C:\Users\Admin\AppData\Local\icsys.icn.exe

          Filesize

          206KB

          MD5

          c5f78d788265a8c2b80017a0dc351266

          SHA1

          32836c3ccaf84431beaba1b10107743c052cddc0

          SHA256

          0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

          SHA512

          0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          206KB

          MD5

          5df1e6298db0f0a4d533fb3ccf3571b8

          SHA1

          8026a4d428f3f616b93311f31ee3a81e3e987e37

          SHA256

          016c0eaac7627de3ad8b42938358a55653fbb6c76601e29d054479c493f720c0

          SHA512

          b272fb6c9707436cfd522abf526a5f65b01f5bb0b813407368133f60e06e7407acadb734dea077d8f93dc20cfa689905ef1601820c499eb654ce07544b43ed7b

        • C:\Windows\System\explorer.exe

          Filesize

          206KB

          MD5

          a412387d693f3d2a22d0ea0594497e51

          SHA1

          81a677a5437d376c96b0f7301ed9eada4cb1ed17

          SHA256

          2286e097266ef6b5d9fbc6a913fee97ea860488ab06a9ed83d8b8b1874870ff0

          SHA512

          003f819c50bfc4113b22a163f0569ba63f88f0bb167d89de0523087fd9dc74278d7baca4413b440d16ce277c88b62e16a4c3f728c526909fda10119ce2738edf

        • C:\Windows\System\spoolsv.exe

          Filesize

          206KB

          MD5

          c8a57d85770b419393b32863b1daee97

          SHA1

          3fcbd1c1412b6b0f9b4950257f6dae64f1c8ea23

          SHA256

          212080b88ed8c7989e05a1b9044702250d6bb3b4895815469f641caad53811bb

          SHA512

          17ff3ab49cc55acf32429d126171a3355540d30d4349e916b38e89e34f9ba40bdc5e381461d20ee26b380dbfd5718dd96cd9e0491fb909d20a88a76301f79e51

        • C:\Windows\System\svchost.exe

          Filesize

          206KB

          MD5

          914673296b3888ec694ea20daad9baf4

          SHA1

          b05ee49e8b02d2fe6c5ceb6c27e95a0c50770f19

          SHA256

          5b2b2105a567cd787fb6c57b1cfd93e0f3278923e31bfecc8dc35115da926921

          SHA512

          a2fd402619851215cc60745abd3196640b6d70b91292d7371adedcf1d7b090b7e069bcaaa6d67facfe64049e6a07c50726bb5211ae6efda3cf1063094267f34b

        • \??\PIPE\atsvc

          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • memory/792-82-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

        • memory/944-60-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/944-78-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/4064-79-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/4064-22-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/4304-80-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/4308-75-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB