Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 04:08

General

  • Target

    7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe

  • Size

    226KB

  • MD5

    7680029f2a081c3106b225369fd43140

  • SHA1

    b6c4aabb5af614446b3e611ca5f19bef5b265dd2

  • SHA256

    b37865d5af18131c669d10859323f5c1120f845a42ef07aa29fb7ff88f0aae31

  • SHA512

    eff50877f9a1b490dd6cbf0a1f52d1d1f0f6ed68ef1c659e3c0411e0c1e82d2319826c726f2d457de1bad0a3bf633c3e797e3cd67c20a7bc810b1b49c438d2fd

  • SSDEEP

    6144:TZWD5OTvGbSlbF9UhcX7elbKTua9bfF/H9d9n:kFSvHlh93X3u+

Malware Config

Extracted

Family

xworm

C2

posted-does.gl.at.ply.gg:53306

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2868

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    dd50619faeadfdf5c016b9977e41011c

    SHA1

    a9c6d3d6ef5bade5a8e92b19535dad8dcfc2e6c1

    SHA256

    af13b62f0dce11d3e51632a1cec5c51264a4ad4a0a958eec438d006d4431ca90

    SHA512

    fc16b7fead1e3af0306a5c68423e9476d141e91513b94b54b39bf923a234395b189d5206688a0f2f35dd2aadd9dfa49b3b875c359fec62b3b94f1c71615245e3

  • memory/1264-0-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

    Filesize

    4KB

  • memory/1264-1-0x0000000000D80000-0x0000000000DBE000-memory.dmp

    Filesize

    248KB

  • memory/1264-16-0x000000001AFF0000-0x000000001B070000-memory.dmp

    Filesize

    512KB

  • memory/1264-17-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

    Filesize

    4KB

  • memory/1264-18-0x000000001AFF0000-0x000000001B070000-memory.dmp

    Filesize

    512KB

  • memory/1780-6-0x0000000002C30000-0x0000000002CB0000-memory.dmp

    Filesize

    512KB

  • memory/1780-7-0x000000001B640000-0x000000001B922000-memory.dmp

    Filesize

    2.9MB

  • memory/1780-8-0x0000000002890000-0x0000000002898000-memory.dmp

    Filesize

    32KB

  • memory/2868-14-0x000000001B570000-0x000000001B852000-memory.dmp

    Filesize

    2.9MB

  • memory/2868-15-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize

    32KB