Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07-06-2024 05:18
Static task: static1
Behavioral task: behavioral1
- Sample: 3add9057e56fe6ed3826b37110946af0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 3add9057e56fe6ed3826b37110946af0_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 3add9057e56fe6ed3826b37110946af0_NeikiAnalytics.exe
- Size: 420KB
- MD5: 3add9057e56fe6ed3826b37110946af0
- SHA1: f5235cb1fec12a3bd1ff426be43382b7e2f52123
- SHA256: a77388ef2a7aa231dfffce78d26fc23c5d8aa38f2b76750c6d04bc0b9a3486c1
- SHA512: 3312405b72d48d16aa396f98bd65d4630478d6eaf339ca8109eca3ed897f3d7b2a4c4bf37adcde1809c9c3180f342be04426ad2303b6070e0fca570a64918a37
- SSDEEP: 12288:oJf/DdUC83OIgFc+tYjhLFHB0iTpc0Kkd8oPEB5:oN/BUBb+tYjBFHBxTaYbPI
Malware Config
Extracted family: discordrat
- discord_token: MTI0Njg5NDU5NjYxNzY2NjY4NA.Gmlbm4.ZRFvWtjlMHl2DRYmK54Ou3DlvwIiGhmTqRBYyU
- server_id: 1246895020653416468
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Executes dropped EXE (1 IoC)
  pid   Process
  2524  Audio.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  1904  3add9057e56fe6ed3826b37110946af0_NeikiAnalytics.exe
  2388  WerFault.exe
  2388  WerFault.exe
  2388  WerFault.exe
  2388  WerFault.exe
  2388  WerFault.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2468  DllHost.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                          pid   Process                                               procid_target
  PID 1904 wrote to memory of 2524     1904  3add9057e56fe6ed3826b37110946af0_NeikiAnalytics.exe  29
  PID 1904 wrote to memory of 2524     1904  3add9057e56fe6ed3826b37110946af0_NeikiAnalytics.exe  29
  PID 1904 wrote to memory of 2524     1904  3add9057e56fe6ed3826b37110946af0_NeikiAnalytics.exe  29
  PID 1904 wrote to memory of 2524     1904  3add9057e56fe6ed3826b37110946af0_NeikiAnalytics.exe  29
  PID 2524 wrote to memory of 2388     2524  Audio.exe                                             30
  PID 2524 wrote to memory of 2388     2524  Audio.exe                                             30
  PID 2524 wrote to memory of 2388     2524  Audio.exe                                             30
Processes
- C:\Users\Admin\AppData\Local\Temp\3add9057e56fe6ed3826b37110946af0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3add9057e56fe6ed3826b37110946af0_NeikiAnalytics.exe"
  PID: 1904
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Audio.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Audio.exe"
    PID: 2524
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2524 -s 596
      PID: 2388
      - Loads dropped DLL
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2468
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 78KB
  MD5: fe5bee67891649b12d45121e6120238a
  SHA1: 0bb63a513cd1ce3cbdaf46cf025b59912bd4208a
  SHA256: 5d8777f9fc0aa00b19e084a66d3f959e8feb37d38933788ebdc0c8d8edf25791
  SHA512: 54021dd6ffcf7e245fecd5352ca2e6aeeeb6deaf514b16d0a4e754b3606597ff354bb568ff5a751e11c4cc2bbdf88b97eed80d2f8defb5087581be0f0a847486
- Filesize: 14KB
  MD5: 8608b56ec181b5a2875177b2f23501a3
  SHA1: 4d6fd6e84e12d1573c9d1cf6835aba63079e9b90
  SHA256: 83c101af8f89b5dc9e15af7150a2c130d9d0ac3fd662f8d07fb8225da963db4a
  SHA512: 15f459062db3970cd20db8cf71f8e1ce7d7b0fe7a0c8f108afa025d7187197ffc02f8893652d0e2ea90fee2c7004db6a916fd7232260e0407b8ce1c5e800c85e