Analysis
max time kernel: 136s
max time network: 146s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 05:40
Static task: static1
Behavioral task: behavioral1
Sample: 8f77f8b13b914f358059e3f7b9ddab70_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 8f77f8b13b914f358059e3f7b9ddab70_NeikiAnalytics.exe
Size: 139KB
MD5: 8f77f8b13b914f358059e3f7b9ddab70
SHA1: d406a28486b4dd881c454e526e149b98c0ec8462
SHA256: c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6
SHA512: b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad
SSDEEP: 3072:bNmWFIDmBFlT1wnCMjIM8pec/dAnXQdnbeFa7cMjGvA/v2QmZ6OGmfx7jHJm:b06BwnRlcCXUhcdv2uN5
Malware Config
Extracted: xworm
answer-riverside.gl.at.ply.gg:45691
Install_directory: %AppData%
install_file: svhost.exe
Extracted: umbral
https://discordapp.com/api/webhooks/1239665745831530598/iJT0OELt4O4igXW_VMu-CUIfcqaawXLhyC4Bruuv1t2x0XOvC0_p9dc-G_RxJMO7fn-V
Signatures
- Detect Umbral payload (2 IoCs)
  resource / yara_rule:
  behavioral1/files/0x002f00000001567f-11.dat  family_umbral
  behavioral1/memory/2604-14-0x0000000000120000-0x0000000000160000-memory.dmp  family_umbral
- Detect Xworm Payload (3 IoCs)
  resource / yara_rule:
  behavioral1/files/0x002f00000001566b-7.dat  family_xworm
  behavioral1/memory/2672-16-0x0000000000010000-0x0000000000026000-memory.dmp  family_xworm
  behavioral1/memory/588-48-0x0000000000EF0000-0x0000000000F06000-memory.dmp  family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid / Process:
  1992 powershell.exe
  2840 powershell.exe
  1852 powershell.exe
  1040 powershell.exe
- Drops startup file (2 IoCs)
  description / ioc / Process:
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk  XClient.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk  XClient.exe
- Executes dropped EXE (4 IoCs)
  pid / Process:
  2672 XClient.exe
  2604 RustCheat.exe
  588 svhost.exe
  692 svhost.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description / ioc / Process:
  Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"  XClient.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  4 ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  3016 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / Process:
  1992 powershell.exe
  2840 powershell.exe
  1852 powershell.exe
  1040 powershell.exe
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege  2088 8f77f8b13b914f358059e3f7b9ddab70_NeikiAnalytics.exe
  Token: SeDebugPrivilege  2672 XClient.exe
  Token: SeDebugPrivilege  2604 RustCheat.exe
  2520 wmic.exe, the following token sequence recorded twice in a row: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  Token: SeDebugPrivilege  1992 powershell.exe
  Token: SeDebugPrivilege  2840 powershell.exe
  Token: SeDebugPrivilege  1852 powershell.exe
  Token: SeDebugPrivilege  1040 powershell.exe
  Token: SeDebugPrivilege  2672 XClient.exe
  Token: SeDebugPrivilege  588 svhost.exe
  Token: SeDebugPrivilege  692 svhost.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  description / pid / Process / procid_target (each entry is recorded three times):
  PID 2088 wrote to memory of 2672  2088 8f77f8b13b914f358059e3f7b9ddab70_NeikiAnalytics.exe  29
  PID 2088 wrote to memory of 2604  2088 8f77f8b13b914f358059e3f7b9ddab70_NeikiAnalytics.exe  30
  PID 2604 wrote to memory of 2520  2604 RustCheat.exe  31
  PID 2672 wrote to memory of 1992  2672 XClient.exe  33
  PID 2672 wrote to memory of 2840  2672 XClient.exe  35
  PID 2672 wrote to memory of 1852  2672 XClient.exe  37
  PID 2672 wrote to memory of 1040  2672 XClient.exe  39
  PID 2672 wrote to memory of 3016  2672 XClient.exe  41
  PID 2876 wrote to memory of 588  2876 taskeng.exe  46
  PID 2876 wrote to memory of 692  2876 taskeng.exe  47
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\8f77f8b13b914f358059e3f7b9ddab70_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\8f77f8b13b914f358059e3f7b9ddab70_NeikiAnalytics.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2088
    [2] C:\Users\Admin\AppData\Local\Temp\XClient.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID:2672
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:1992
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:2840
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:1852
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:1040
        [3] C:\Windows\System32\schtasks.exe
            command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
            - Creates scheduled task(s)
            PID:3016
    [2] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID:2604
        [3] C:\Windows\System32\Wbem\wmic.exe
            command line: "wmic.exe" csproduct get uuid
            - Suspicious use of AdjustPrivilegeToken
            PID:2520
[1] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {6901E169-5888-462F-AA3A-559178FA3957} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    PID:2876
    [2] C:\Users\Admin\AppData\Roaming\svhost.exe
        command line: C:\Users\Admin\AppData\Roaming\svhost.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID:588
    [2] C:\Users\Admin\AppData\Roaming\svhost.exe
        command line: C:\Users\Admin\AppData\Roaming\svhost.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID:692
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 231KB
  MD5: ff8f5c2670894f74456e534b34d6a8fe
  SHA1: e0b35ae06f68adf07e4616da8e91bb1f935e492a
  SHA256: d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37
  SHA512: a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff
- Filesize: 60KB
  MD5: 28ff989c1d462f567aabb9c5ba76456b
  SHA1: 24be926b14f64f6a9f5b8248d1618bae9a7fc0b2
  SHA256: a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d
  SHA512: 2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: ca08f56e644cc44481c0b242dcbde5e1
  SHA1: 01282bf5bec15269e2b9671d64a27b359cf8c78f
  SHA256: d9d6dd8dc3b5e2e228032375991e826e0f3e222f71bf202837ae485929e22a3a
  SHA512: 736e5370e0b425da3b0d5274e56ce145acf12d41a15f7ba62d1b8447f05548ea9bbd85a34f4d97df2894c1187ed6d7c18ccfed6edd3941b9ffcd2b585a87e5e8