Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07/06/2024, 15:45

General

  • Target

    68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    68cca3706cf94a4ab01e5348dc090160

  • SHA1

    d86312a22e2000f9358c892bfe7996a28727b0d6

  • SHA256

    921f18bdb63225ae82a72100c354723db372981a997d85a5d48bfe3745573008

  • SHA512

    abc0bd1c6dfa4bf4595ead42b901f9a7dacc9a43309cab76bcb8d8efeebecff7f5c386664a5e794bcacc491a22fcdd17c5826362e741bc061d4a5cebe8366cad

  • SSDEEP

    1536:N5VzcfA/6LrVpL74gfh16nV8TsKRVlCKXneQDr/RAvZ4ldtONCgMhoOJGP5eV2ea:/V2A/gVh74gpgV8+AjpU4loZ2yenox

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\68cca3706cf94a4ab01e5348dc090160_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\Local\Temp\GHtIVaMIZkmPeVB.exe
      C:\Users\Admin\AppData\Local\Temp\GHtIVaMIZkmPeVB.exe
      2⤵
      • Executes dropped EXE
      PID:860
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2264

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\GHtIVaMIZkmPeVB.exe

          Filesize

          91KB

          MD5

          68958745157c27c2c7f914bb751ec53a

          SHA1

          c77fd69aff135daaa0c2b561ac2119c79d8a7bb5

          SHA256

          42a6dc753c4ca407dc10a88358c5510497a8e81f8a5a457a000f83645c6a4ff5

          SHA512

          e73600310e71103e0962bc807680173306034f9be89b865c1d798b523df5650728af7d0c26e5b38358b7a224b77d3399074cd72114d0e7b78244158e2662c6f0

        • C:\Users\Admin\AppData\Local\Temp\GHtIVaMIZkmPeVB.exe

          Filesize

          64KB

          MD5

          a32a382b8a5a906e03a83b4f3e5b7a9b

          SHA1

          11e2bdd0798761f93cce363329996af6c17ed796

          SHA256

          75f12ea2f30d9c0d872dade345f30f562e6d93847b6a509ba53beec6d0b2c346

          SHA512

          ec87dd957be21b135212454646dcabdd7ef9442cf714e2c1f6b42b81f0c3fa3b1875bde9a8b538e8a0aa2190225649c29e9ed0f25176e7659e55e422dd4efe4c

        • C:\Windows\CTS.exe

          Filesize

          27KB

          MD5

          a6749b968461644db5cc0ecceffb224a

          SHA1

          2795aa37b8586986a34437081351cdd791749a90

          SHA256

          720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

          SHA512

          2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

        • memory/2164-1-0x00000000009B0000-0x00000000009C8000-memory.dmp

          Filesize

          96KB

        • memory/2164-15-0x00000000009B0000-0x00000000009C8000-memory.dmp

          Filesize

          96KB

        • memory/2264-18-0x0000000000B20000-0x0000000000B38000-memory.dmp

          Filesize

          96KB