Analysis
max time kernel: 140s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/06/2024, 16:40
Behavioral task: behavioral1
Sample: 6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe
Size: 87KB
MD5: 6d178cfe9f6c8355698c5b2174f6d370
SHA1: 661540c86c7fd04e91f439608e653f7e433f669b
SHA256: 5e9ae3360abeb87097eb56269bc32f1237631f913b8ed0a17a20727d96712ed0
SHA512: f73b1dcc19461f83cdfa22e8492aced19dbebe2720cd03258780824e26a1fb8840375251b65c37f0bc605121e9ed892991f0d18e04cbbb8b6a6203ce69831d38
SSDEEP: 1536:N5VzcfA/6LrVpL74gfh16ngX//7HZAbns11kXm/JPYUbCxAw9ySKPIOidq+GfP8v:/V2A/gVh74gpggXbHmC8QLUHySzvor2
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
2328  Fgld1CO35n1X7GK.exe
4288  CTS.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource                                                                     yara_rule
behavioral2/memory/912-0-0x0000000000620000-0x0000000000638000-memory.dmp    upx
behavioral2/files/0x0008000000023423-8.dat                                   upx
behavioral2/memory/4288-9-0x00000000008E0000-0x00000000008F8000-memory.dmp   upx
behavioral2/memory/912-10-0x0000000000620000-0x0000000000638000-memory.dmp   upx
behavioral2/files/0x000300000002296f-13.dat                                  upx
behavioral2/memory/4288-32-0x00000000008E0000-0x00000000008F8000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                    Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe
Drops file in Windows directory (2 IoCs)
description   ioc                 Process
File created  C:\Windows\CTS.exe  6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe
File created  C:\Windows\CTS.exe  CTS.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  912   6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe
Token: SeDebugPrivilege  4288  CTS.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description                       pid  Process                                               procid_target
PID 912 wrote to memory of 2328   912  6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe  82
PID 912 wrote to memory of 2328   912  6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe  82
PID 912 wrote to memory of 2328   912  6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe  82
PID 912 wrote to memory of 4288   912  6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe  83
PID 912 wrote to memory of 4288   912  6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe  83
PID 912 wrote to memory of 4288   912  6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe  83
Processes
C:\Users\Admin\AppData\Local\Temp\6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe"
  PID: 912
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Fgld1CO35n1X7GK.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\Fgld1CO35n1X7GK.exe
      PID: 2328
      - Executes dropped EXE

    C:\Windows\CTS.exe
      Command line: "C:\Windows\CTS.exe"
      PID: 4288
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 350KB
MD5: 34a644a1c4ac821269f4aa12a528489d
SHA1: 57d94c45567b2da6921f7f13b3a926ccc4613828
SHA256: 8b5b88c53d3b629eb5473b06283d0a79f0189fd0f60210a44da637a522dda3ed
SHA512: b86dddb29639c00c806be5391ed9bb896063ff1caa7bcca7b852078550a1f060ba723856af4c41d88ff0156f412f012afec19e1a188896329eda1db88af99191

Filesize: 60KB
MD5: 7b112b1fb864c90ec5b65eab21cb40b8
SHA1: e7b73361f722fc7cbb93ef98a8d26e34f4d49767
SHA256: 751941b4e09898c31791efeb5f90fc7367c89831d4a98637ed505e40763e287b
SHA512: bf9cdeff39cc4fa48457c55ad02e3856b5b27998535aed801a469252f01e7676462332fa3f93877753e963d037472f615c1fc5fc2e996316621b4e0a180cb5f5

Filesize: 27KB
MD5: a6749b968461644db5cc0ecceffb224a
SHA1: 2795aa37b8586986a34437081351cdd791749a90
SHA256: 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
SHA512: 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4