Analysis

  • max time kernel
    147s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    04-06-2024 05:06

General

  • Target

    30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe

  • Size

    484KB

  • MD5

    30830893416e1641dd96dc8f25b3bf00

  • SHA1

    f6fe7fd17c145973dffcdec39c4183ff8211b106

  • SHA256

    d095c5af558806269fd965df0e8f4c6e87ce71c6dc5d8519611e3d804fbd0572

  • SHA512

    684f52387dce6f01bb6fe1b4bdbdd432e9e8fe69e74c16ec91d0fb223ec45008ed6e440583f111cbb9465a6c3cfd19e30ea7c01fa9cc87d9ad4e8f0a0d5eeaee

  • SSDEEP

    6144:g5u5eG44AeJ2ssftlVN+zBfGrSWm+omDAgQsSygGG2IszBA3:Cu5eG4bsilNoGSJ+omDAdsWGLTVW

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 4 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\shwyw.exe "C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:3016
      • C:\Users\Admin\AppData\Local\Temp\shwyw.exe
        C:\Users\Admin\AppData\Local\Temp\\shwyw.exe "C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3036
        • \??\c:\Program Files\fmnng\etgydspe.exe
          "c:\Program Files\fmnng\etgydspe.exe" "c:\Program Files\fmnng\etgydspe.dll",WriteErrorLog C:\Users\Admin\AppData\Local\Temp\shwyw.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2160

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\shwyw.exe

    Filesize

    484KB

    MD5

    63d33665a3bbf1e2a1a231d5574d69d8

    SHA1

    5092a4aeb8cbd5eb112560f69ad93bcb731bd0cb

    SHA256

    6bfd094b815c370c63ee93af4f90a1b673947f7c75af9c5f9881f164a081315f

    SHA512

    3b7f550b2d2b48614a9cf82fd8489c54a96c0185b0eb289e18eaa60da4b3d0fd6532d6f0e711566e761289d66d62fe7c7a7a6c8e543c76f6a97725c70a93d643

  • \??\c:\Program Files\fmnng\etgydspe.exe

    Filesize

    43KB

    MD5

    51138beea3e2c21ec44d0932c71762a8

    SHA1

    8939cf35447b22dd2c6e6f443446acc1bf986d58

    SHA256

    5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

    SHA512

    794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

  • \Program Files\fmnng\etgydspe.dll

    Filesize

    181KB

    MD5

    09d1b0fb0962df8ff8e20fa2912a6702

    SHA1

    d0aebab2e0e502367013df50c05657892a478bc6

    SHA256

    21dbab9d1a07c41a034a6eec8237cf45e220eed4367328996eb7206c651a12a1

    SHA512

    5735c42425fd4053acd98ae4df216ce1604fb11b7060b40abdb7b8e7397d60cf793da8a9138386f80cd9e0522dbbc17bfb58d2baf5722ae29b8be157f91e6256

  • memory/2160-17-0x0000000010000000-0x000000001004E000-memory.dmp

    Filesize

    312KB

  • memory/2160-22-0x00000000000D0000-0x00000000000D2000-memory.dmp

    Filesize

    8KB

  • memory/2160-20-0x0000000010000000-0x000000001004E000-memory.dmp

    Filesize

    312KB

  • memory/2160-18-0x0000000010000000-0x000000001004E000-memory.dmp

    Filesize

    312KB

  • memory/2160-23-0x0000000010000000-0x000000001004E000-memory.dmp

    Filesize

    312KB

  • memory/2160-26-0x0000000010000000-0x000000001004E000-memory.dmp

    Filesize

    312KB