Analysis
max time kernel: 144s
max time network: 148s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 04:08
Behavioral task: behavioral1
Sample: 7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe
Size: 226KB
MD5: 7680029f2a081c3106b225369fd43140
SHA1: b6c4aabb5af614446b3e611ca5f19bef5b265dd2
SHA256: b37865d5af18131c669d10859323f5c1120f845a42ef07aa29fb7ff88f0aae31
SHA512: eff50877f9a1b490dd6cbf0a1f52d1d1f0f6ed68ef1c659e3c0411e0c1e82d2319826c726f2d457de1bad0a3bf633c3e797e3cd67c20a7bc810b1b49c438d2fd
SSDEEP: 6144:TZWD5OTvGbSlbF9UhcX7elbKTua9bfF/H9d9n:kFSvHlh93X3u+
Malware Config
Extracted
Family: xworm
  posted-does.gl.at.ply.gg:53306
  install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoC)
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/1264-1-0x0000000000D80000-0x0000000000DBE000-memory.dmp  family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  1780  powershell.exe
  2868  powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid   process
  1780  powershell.exe
  2868  powershell.exe
  1264  7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1264  7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe
  Token: SeDebugPrivilege  1780  powershell.exe
  Token: SeDebugPrivilege  2868  powershell.exe
  Token: SeDebugPrivilege  1264  7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  1264  7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   process                                              target process
  PID 1264 wrote to memory of 1780  1264  7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe  powershell.exe
  PID 1264 wrote to memory of 1780  1264  7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe  powershell.exe
  PID 1264 wrote to memory of 1780  1264  7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe  powershell.exe
  PID 1264 wrote to memory of 2868  1264  7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe  powershell.exe
  PID 1264 wrote to memory of 2868  1264  7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe  powershell.exe
  PID 1264 wrote to memory of 2868  1264  7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe  powershell.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe"
    PID: 1264
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe'
        PID: 1780
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7680029f2a081c3106b225369fd43140_NeikiAnalytics.exe'
        PID: 2868
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: dd50619faeadfdf5c016b9977e41011c
  SHA1: a9c6d3d6ef5bade5a8e92b19535dad8dcfc2e6c1
  SHA256: af13b62f0dce11d3e51632a1cec5c51264a4ad4a0a958eec438d006d4431ca90
  SHA512: fc16b7fead1e3af0306a5c68423e9476d141e91513b94b54b39bf923a234395b189d5206688a0f2f35dd2aadd9dfa49b3b875c359fec62b3b94f1c71615245e3