Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04-06-2024 00:03

General

  • Target

    14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe

  • Size

    80KB

  • MD5

    14f4fc883efa6024842e67cc83459960

  • SHA1

    b52fb29d7e4a0b909b3c9a43b0ad1f655361b13d

  • SHA256

    d9a80ccf03a5c2a2cfc478cce22fcfb876757f909536f1711b9bcfcdb41baf35

  • SHA512

    363e88fefe3922c8dde36c8657b4d8ebfb55c5e43c15118fb313bc6de9ea32590a1ea16ef3be6f38db2790d68aeef835df1b5836d280211fa6122f0edb4a4c59

  • SSDEEP

    1536:t3x85+Ks2/grQJdICVLhmRiuN4PW+lKn7kPZ/l+UjlQCAC:th85+Ks4vwgblKn0l+U9

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Users\Admin\AppData\Local\Temp\ZPubSAGgeY56Vl7.exe
      C:\Users\Admin\AppData\Local\Temp\ZPubSAGgeY56Vl7.exe
      2⤵
      • Executes dropped EXE
      PID:2544
    • C:\Windows\svhost.exe
      "C:\Windows\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2080

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ZPubSAGgeY56Vl7.exe

    Filesize

    80KB

    MD5

    43adfd9e2cb64bfaaa1f7dde6b2d8db4

    SHA1

    64755e47beb78d60d62b2ce43133fd67d106fa69

    SHA256

    cfa38938cef31e9a3b72a854cfbe940f479479bbf836eebdde13d8931d9a2c73

    SHA512

    ed1ab3c86a93272d78a4c791c3616f41f1cfd60407e4382f26768180136139d6dcfa00dab45d270acb5c0d8578ed2f027a9d504a9503609f5a5c94475d02a4ca

  • C:\Windows\svhost.exe

    Filesize

    16KB

    MD5

    76fd02b48297edb28940bdfa3fa1c48a

    SHA1

    bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce

    SHA256

    07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c

    SHA512

    28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

  • \Users\Admin\AppData\Local\Temp\ZPubSAGgeY56Vl7.exe

    Filesize

    64KB

    MD5

    e97c622b03fb2a2598bf019fbbe29f2c

    SHA1

    32698bd1d3a0ff6cf441770d1b2b816285068d19

    SHA256

    5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160

    SHA512

    db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d