Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
04-06-2024 07:02
Behavioral task
behavioral1
Sample
3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe
-
Size
328KB
-
MD5
3b5968e499242eb63ba8d82eebd0b9d0
-
SHA1
a7363081c8214b62f7eefe37705d3c700ad8e46c
-
SHA256
8fbe6b8faf87ba5df0fe4f5d6e5d6eceb666a31ca24af1b22dd383e4e128e991
-
SHA512
49ad73b8297a86fc19d90c0caa1db5c40843fe40ee31b4e9a3a88fd1a600e840472adeaa4996fb646f6b9ffd1dc286e7f04884d4f33edbdd829fa00f7934b362
-
SSDEEP
6144:JVBqzX2x/XsQ1YA53/vkNI+uuu7iDgbzzWoOd1KLcdn:BqzX2xfdY6/cNKlD+o61KUn
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 3264 shtrwixvb.exe -
Executes dropped EXE 2 IoCs
pid Process 3264 shtrwixvb.exe 3836 sttobzxju.exe -
Loads dropped DLL 1 IoCs
pid Process 3836 sttobzxju.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x00090000000235bb-2.dat upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HTML = "c:\\Program Files\\weovs\\sttobzxju.exe \"c:\\Program Files\\weovs\\sttobzxju.dll\",PraseHTML" sttobzxju.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\l: sttobzxju.exe File opened (read-only) \??\s: sttobzxju.exe File opened (read-only) \??\z: sttobzxju.exe File opened (read-only) \??\t: sttobzxju.exe File opened (read-only) \??\w: sttobzxju.exe File opened (read-only) \??\x: sttobzxju.exe File opened (read-only) \??\e: sttobzxju.exe File opened (read-only) \??\p: sttobzxju.exe File opened (read-only) \??\q: sttobzxju.exe File opened (read-only) \??\k: sttobzxju.exe File opened (read-only) \??\m: sttobzxju.exe File opened (read-only) \??\n: sttobzxju.exe File opened (read-only) \??\r: sttobzxju.exe File opened (read-only) \??\u: sttobzxju.exe File opened (read-only) \??\h: sttobzxju.exe File opened (read-only) \??\i: sttobzxju.exe File opened (read-only) \??\j: sttobzxju.exe File opened (read-only) \??\y: sttobzxju.exe File opened (read-only) \??\o: sttobzxju.exe File opened (read-only) \??\v: sttobzxju.exe File opened (read-only) \??\a: sttobzxju.exe File opened (read-only) \??\b: sttobzxju.exe File opened (read-only) \??\g: sttobzxju.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 sttobzxju.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification \??\c:\Program Files\weovs shtrwixvb.exe File created \??\c:\Program Files\weovs\sttobzxju.dll shtrwixvb.exe File created \??\c:\Program Files\weovs\sttobzxju.exe shtrwixvb.exe File opened for modification \??\c:\Program Files\weovs\sttobzxju.exe shtrwixvb.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 sttobzxju.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString sttobzxju.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3364 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3836 sttobzxju.exe 3836 sttobzxju.exe 3836 sttobzxju.exe 3836 sttobzxju.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3836 sttobzxju.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2936 3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe 3264 shtrwixvb.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2936 wrote to memory of 5008 2936 3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe 92 PID 2936 wrote to memory of 5008 2936 3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe 92 PID 2936 wrote to memory of 5008 2936 3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe 92 PID 5008 wrote to memory of 3364 5008 cmd.exe 94 PID 5008 wrote to memory of 3364 5008 cmd.exe 94 PID 5008 wrote to memory of 3364 5008 cmd.exe 94 PID 5008 wrote to memory of 3264 5008 cmd.exe 98 PID 5008 wrote to memory of 3264 5008 cmd.exe 98 PID 5008 wrote to memory of 3264 5008 cmd.exe 98 PID 3264 wrote to memory of 3836 3264 shtrwixvb.exe 99 PID 3264 wrote to memory of 3836 3264 shtrwixvb.exe 99 PID 3264 wrote to memory of 3836 3264 shtrwixvb.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\shtrwixvb.exe "C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:3364
-
-
C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exeC:\Users\Admin\AppData\Local\Temp\\shtrwixvb.exe "C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\Program Files\weovs\sttobzxju.exe"c:\Program Files\weovs\sttobzxju.exe" "c:\Program Files\weovs\sttobzxju.dll",PraseHTML C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3836
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4376,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:81⤵PID:3740
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
149KB
MD59adedba2b440b7340eed8506abb604c8
SHA1da644de7c53c232a9204aac2a791ebc8012641d8
SHA256b8d68df91792487f83068c31c8895db5ae72ae2e1cffc1b2fc54dd1bc459595b
SHA512bc45d3b14de7e1e92147f8649e39c51c90e4b68b69d5c97f8b52e47d262f0c2fa139508e49ff3dd8bc78da4014d4a0ca260bfefa4d2221265294287ea3ab9f7f
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
328KB
MD5b0c1c50d53735acfed2935047eb99c3e
SHA14086c90699fdc3cc1159c45db54b6a2dc0418b7c
SHA256ac401d90495ccf7dc3eccc8a86543e3fe9d093f0a9ad239e0b46a9cbf6543087
SHA51282aebfb4c6240575e857f9c74983892353d0b7857f26493b4667fd469ebe12473d86f42044912d67f207c2c55e923f40b06310ebee9fb287e3c98efeaf70487c