Analysis
-
max time kernel
120s
-
max time network
121s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
-
submitted
04-06-2024 00:03
Static task
static1
Behavioral task
behavioral1
Sample
14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe
-
Size
80KB
-
MD5
14f4fc883efa6024842e67cc83459960
-
SHA1
b52fb29d7e4a0b909b3c9a43b0ad1f655361b13d
-
SHA256
d9a80ccf03a5c2a2cfc478cce22fcfb876757f909536f1711b9bcfcdb41baf35
-
SHA512
363e88fefe3922c8dde36c8657b4d8ebfb55c5e43c15118fb313bc6de9ea32590a1ea16ef3be6f38db2790d68aeef835df1b5836d280211fa6122f0edb4a4c59
-
SSDEEP
1536:t3x85+Ks2/grQJdICVLhmRiuN4PW+lKn7kPZ/l+UjlQCAC:th85+Ks4vwgblKn0l+U9
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes: ZPubSAGgeY56Vl7.exe, svhost.exe
pid | process
2544 | ZPubSAGgeY56Vl7.exe
2080 | svhost.exe
-
Loads dropped DLL 2 IoCs
Processes: 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe
pid | process
1040 | 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe
1040 | 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe, svhost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | svhost.exe
-
Drops file in Windows directory 2 IoCs
Processes: 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe, svhost.exe
description | ioc | process
File created | C:\Windows\svhost.exe | 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe
File created | C:\Windows\svhost.exe | svhost.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe, svhost.exe
description | pid | process
Token: SeDebugPrivilege | 1040 | 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2080 | svhost.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe
description | pid | process | target process
PID 1040 wrote to memory of 2544 | 1040 | 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | ZPubSAGgeY56Vl7.exe
PID 1040 wrote to memory of 2544 | 1040 | 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | ZPubSAGgeY56Vl7.exe
PID 1040 wrote to memory of 2544 | 1040 | 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | ZPubSAGgeY56Vl7.exe
PID 1040 wrote to memory of 2544 | 1040 | 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | ZPubSAGgeY56Vl7.exe
PID 1040 wrote to memory of 2080 | 1040 | 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | svhost.exe
PID 1040 wrote to memory of 2080 | 1040 | 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | svhost.exe
PID 1040 wrote to memory of 2080 | 1040 | 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | svhost.exe
PID 1040 wrote to memory of 2080 | 1040 | 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | svhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe"
Process tree level: 1
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1040
-
C:\Users\Admin\AppData\Local\Temp\ZPubSAGgeY56Vl7.exe
Command line: C:\Users\Admin\AppData\Local\Temp\ZPubSAGgeY56Vl7.exe
Process tree level: 2
- Executes dropped EXE
PID: 2544
-
C:\Windows\svhost.exe
Command line: "C:\Windows\svhost.exe"
Process tree level: 2
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2080
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
80KB
MD5 43adfd9e2cb64bfaaa1f7dde6b2d8db4
SHA1 64755e47beb78d60d62b2ce43133fd67d106fa69
SHA256 cfa38938cef31e9a3b72a854cfbe940f479479bbf836eebdde13d8931d9a2c73
SHA512 ed1ab3c86a93272d78a4c791c3616f41f1cfd60407e4382f26768180136139d6dcfa00dab45d270acb5c0d8578ed2f027a9d504a9503609f5a5c94475d02a4ca
-
Filesize
16KB
MD5 76fd02b48297edb28940bdfa3fa1c48a
SHA1 bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA256 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA512 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0
-
Filesize
64KB
MD5 e97c622b03fb2a2598bf019fbbe29f2c
SHA1 32698bd1d3a0ff6cf441770d1b2b816285068d19
SHA256 5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160
SHA512 db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d