Analysis

  • max time kernel
    136s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-06-2024 05:40

General

  • Target

    8f77f8b13b914f358059e3f7b9ddab70_NeikiAnalytics.exe

  • Size

    139KB

  • MD5

    8f77f8b13b914f358059e3f7b9ddab70

  • SHA1

    d406a28486b4dd881c454e526e149b98c0ec8462

  • SHA256

    c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6

  • SHA512

    b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad

  • SSDEEP

    3072:bNmWFIDmBFlT1wnCMjIM8pec/dAnXQdnbeFa7cMjGvA/v2QmZ6OGmfx7jHJm:b06BwnRlcCXUhcdv2uN5

Malware Config

Extracted

Family

xworm

C2

answer-riverside.gl.at.ply.gg:45691

Attributes
  • Install_directory

    %AppData%

  • install_file

    svhost.exe

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1239665745831530598/iJT0OELt4O4igXW_VMu-CUIfcqaawXLhyC4Bruuv1t2x0XOvC0_p9dc-G_RxJMO7fn-V

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 3 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f77f8b13b914f358059e3f7b9ddab70_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\8f77f8b13b914f358059e3f7b9ddab70_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Users\Admin\AppData\Local\Temp\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1992
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1852
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1040
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
        3⤵
        • Creates scheduled task(s)
        PID:3016
    • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
      "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2520
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {6901E169-5888-462F-AA3A-559178FA3957} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:588
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:692

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

    Filesize

    231KB

    MD5

    ff8f5c2670894f74456e534b34d6a8fe

    SHA1

    e0b35ae06f68adf07e4616da8e91bb1f935e492a

    SHA256

    d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37

    SHA512

    a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe

    Filesize

    60KB

    MD5

    28ff989c1d462f567aabb9c5ba76456b

    SHA1

    24be926b14f64f6a9f5b8248d1618bae9a7fc0b2

    SHA256

    a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d

    SHA512

    2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    ca08f56e644cc44481c0b242dcbde5e1

    SHA1

    01282bf5bec15269e2b9671d64a27b359cf8c78f

    SHA256

    d9d6dd8dc3b5e2e228032375991e826e0f3e222f71bf202837ae485929e22a3a

    SHA512

    736e5370e0b425da3b0d5274e56ce145acf12d41a15f7ba62d1b8447f05548ea9bbd85a34f4d97df2894c1187ed6d7c18ccfed6edd3941b9ffcd2b585a87e5e8

  • memory/588-48-0x0000000000EF0000-0x0000000000F06000-memory.dmp

    Filesize

    88KB

  • memory/1992-21-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

    Filesize

    2.9MB

  • memory/1992-22-0x0000000002870000-0x0000000002878000-memory.dmp

    Filesize

    32KB

  • memory/2088-13-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

    Filesize

    9.9MB

  • memory/2088-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

    Filesize

    4KB

  • memory/2088-2-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

    Filesize

    9.9MB

  • memory/2088-1-0x0000000001060000-0x000000000108A000-memory.dmp

    Filesize

    168KB

  • memory/2604-14-0x0000000000120000-0x0000000000160000-memory.dmp

    Filesize

    256KB

  • memory/2672-16-0x0000000000010000-0x0000000000026000-memory.dmp

    Filesize

    88KB

  • memory/2672-15-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

    Filesize

    9.9MB

  • memory/2672-44-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

    Filesize

    9.9MB

  • memory/2840-28-0x000000001B710000-0x000000001B9F2000-memory.dmp

    Filesize

    2.9MB

  • memory/2840-29-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB