Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/06/2024, 16:40

General

  • Target

    6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe

  • Size

    87KB

  • MD5

    6d178cfe9f6c8355698c5b2174f6d370

  • SHA1

    661540c86c7fd04e91f439608e653f7e433f669b

  • SHA256

    5e9ae3360abeb87097eb56269bc32f1237631f913b8ed0a17a20727d96712ed0

  • SHA512

    f73b1dcc19461f83cdfa22e8492aced19dbebe2720cd03258780824e26a1fb8840375251b65c37f0bc605121e9ed892991f0d18e04cbbb8b6a6203ce69831d38

  • SSDEEP

    1536:N5VzcfA/6LrVpL74gfh16ngX//7HZAbns11kXm/JPYUbCxAw9ySKPIOidq+GfP8v:/V2A/gVh74gpggXbHmC8QLUHySzvor2

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6d178cfe9f6c8355698c5b2174f6d370_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:912
    • C:\Users\Admin\AppData\Local\Temp\Fgld1CO35n1X7GK.exe
      C:\Users\Admin\AppData\Local\Temp\Fgld1CO35n1X7GK.exe
      2⤵
      • Executes dropped EXE
      PID:2328
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4288

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

          Filesize

          350KB

          MD5

          34a644a1c4ac821269f4aa12a528489d

          SHA1

          57d94c45567b2da6921f7f13b3a926ccc4613828

          SHA256

          8b5b88c53d3b629eb5473b06283d0a79f0189fd0f60210a44da637a522dda3ed

          SHA512

          b86dddb29639c00c806be5391ed9bb896063ff1caa7bcca7b852078550a1f060ba723856af4c41d88ff0156f412f012afec19e1a188896329eda1db88af99191

        • C:\Users\Admin\AppData\Local\Temp\Fgld1CO35n1X7GK.exe

          Filesize

          60KB

          MD5

          7b112b1fb864c90ec5b65eab21cb40b8

          SHA1

          e7b73361f722fc7cbb93ef98a8d26e34f4d49767

          SHA256

          751941b4e09898c31791efeb5f90fc7367c89831d4a98637ed505e40763e287b

          SHA512

          bf9cdeff39cc4fa48457c55ad02e3856b5b27998535aed801a469252f01e7676462332fa3f93877753e963d037472f615c1fc5fc2e996316621b4e0a180cb5f5

        • C:\Windows\CTS.exe

          Filesize

          27KB

          MD5

          a6749b968461644db5cc0ecceffb224a

          SHA1

          2795aa37b8586986a34437081351cdd791749a90

          SHA256

          720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

          SHA512

          2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

        • memory/912-0-0x0000000000620000-0x0000000000638000-memory.dmp

          Filesize

          96KB

        • memory/912-10-0x0000000000620000-0x0000000000638000-memory.dmp

          Filesize

          96KB

        • memory/4288-9-0x00000000008E0000-0x00000000008F8000-memory.dmp

          Filesize

          96KB

        • memory/4288-32-0x00000000008E0000-0x00000000008F8000-memory.dmp

          Filesize

          96KB