Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 05:04
Behavioral task: behavioral1
- Sample: 6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe
- Resource: win10v2004-20240611-en
General
- Target: 6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe
- Size: 3.6MB
- MD5: 6091e5353873fa898f5cafa67c92fb60
- SHA1: 7bb67f0441e353bb5c438904e633c851ec6ee55f
- SHA256: 3625cb99d6cc874905d717eaf39b0ec82eb5879c2c7258e7cae8f235934bc84a
- SHA512: fb3853bb96e3e5bf5dff733121c90204d193ed9c59fb60b17daf1bb9bf9adb49709a0139f3ecd43d09ee570b09b35bab77b98f239dc21589080454d749d9f766
- SSDEEP: 98304:DJH+HcdirOAdSs8ObRL0KySbX+KEajWFS:DJHYWi5dSs8OV/7bX+MUS
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
Processes (pid, process):
  2968  Q5VHMIHWsRqAId2.exe
  2844  CTS.exe
  1036  vs_setup_bootstrapper.exe
Loads dropped DLL (27 IoCs)
Processes (pid, process; the report lists one row per load, collapsed here with a count):
  2904  6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe  (1 row)
  2968  Q5VHMIHWsRqAId2.exe  (1 row)
  1036  vs_setup_bootstrapper.exe  (25 rows)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Resources (resource, yara_rule):
  behavioral1/memory/2904-1-0x0000000000350000-0x0000000000368000-memory.dmp  upx
  C:\Windows\CTS.exe  upx
  behavioral1/memory/2844-15-0x0000000000A80000-0x0000000000A98000-memory.dmp  upx
  behavioral1/memory/2904-12-0x0000000000350000-0x0000000000368000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe
Drops file in Windows directory (2 IoCs)
Processes (description, ioc, process):
  File created  C:\Windows\CTS.exe  6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe
  File created  C:\Windows\CTS.exe  CTS.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  vs_setup_bootstrapper.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  vs_setup_bootstrapper.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  vs_setup_bootstrapper.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  vs_setup_bootstrapper.exe
  Key queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  vs_setup_bootstrapper.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege  2904  6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe
  Token: SeDebugPrivilege  2844  CTS.exe
  Token: SeDebugPrivilege  1036  vs_setup_bootstrapper.exe
Suspicious use of WriteProcessMemory (22 IoCs)
Processes (description, pid, process, target process; the report lists one row per write, collapsed here with a count):
  PID 2904 wrote to memory of 2968  2904  6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe  Q5VHMIHWsRqAId2.exe  (7 rows)
  PID 2904 wrote to memory of 2844  2904  6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe  CTS.exe  (4 rows)
  PID 2968 wrote to memory of 1036  2968  Q5VHMIHWsRqAId2.exe  vs_setup_bootstrapper.exe  (7 rows)
  PID 1036 wrote to memory of 1912  1036  vs_setup_bootstrapper.exe  getmac.exe  (4 rows)
Processes (process tree; the number in brackets is the depth recorded by the sandbox)
[1] C:\Users\Admin\AppData\Local\Temp\6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe"
    PID: 2904
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Q5VHMIHWsRqAId2.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\Q5VHMIHWsRqAId2.exe
        PID: 2968
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\Q5VHMIHWsRqAId2.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
            PID: 1036
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks processor information in registry
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\getmac.exe
                Command line: "getmac"
                PID: 1912
    [2] C:\Windows\CTS.exe
        Command line: "C:\Windows\CTS.exe"
        PID: 2844
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll
  Filesize: 113KB
  MD5: ed2315668a0dda422f463d27c8110838
  SHA1: ce17813ccc0cd968d9fb3d01e7b7ffbf3b05cebe
  SHA256: 0ce6da02115192a688359299b1a47ce9e6b2a8adf3dfcd92a2467b55d5f3c0aa
  SHA512: e9a47c030fa20a8d36f0c47293e547de0e7d978813ebde64f181d76d8606cf629846075ecb5e3a0b9d262a6fba7aeb0caa8fe3006c018de3c2c2ecdbf31c1eb7

C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll
  Filesize: 44KB
  MD5: 2338953ae2ab47de1703f27e872e84ba
  SHA1: 2765b2f2cd04a0e1df7556da551ce9d763bc5c4d
  SHA256: bfc4890087c01f629fa09e744e5a861f9f68b504100cbcf805855fa5906d61c7
  SHA512: 417ce0ef8344409ebd05b8c52b58a3960489fe810b95af31e72430690ffb8258042a73e205fc27396731113ad84302ff898821b4f2db2b9d4fa2b2293ccca872

C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll
  Filesize: 401KB
  MD5: d4fa5e438ff243a1da462726fb4ea164
  SHA1: 7effd06f4eaa0a5d701ea4162dce55cbfeb4c0cd
  SHA256: fa9d5c116363ccc82f92767bbb36d154f8903b861a9de65a01fd7824a566b4b0
  SHA512: 8dbfc97abb5eb4363a1c896a4d276630a502354ed144e60dfb0ffbc1245486003d8af49443fd4baa70541114b50764467caed709cc416f60eaf33fd0f6fcee7b

C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll
  Filesize: 1.2MB
  MD5: fc32f39277ebbe48d976c9970cdab5dd
  SHA1: 2d2e6eafd0d16ec8f577293f4903f2ae3453752f
  SHA256: 7dd27a5ca48c16725e3a3ec9b18b1e198390e4c5f62af9a5c2489b27e3f871f8
  SHA512: 30f99c799d2f88fc5cd66593435f851410e9cbafb10ad435c57a85a7eb86a4cf7179937b2da2597dab77da3b04d9770331ea776053d02af08ad4f6c7abbc45ea

C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll
  Filesize: 919KB
  MD5: 015ef51b3e50cc182b323524e5296172
  SHA1: f5e8cb54340c3f6f0c4876348193afd04bb10323
  SHA256: 289200599446f28664d3a44774ec076061fab75fa7307637284bf50231d25c0b
  SHA512: 8c69cbaee9e9d4c526fd5f5db5a1d5030821f1ce79e7a4698bb2ef9617e81832528130a485c09bfd24b63202e5c91ba03accdbe53f0be9a3bcb11e16b12097e5

C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll
  Filesize: 41KB
  MD5: c510b1756eac53c62ba8c7279609357f
  SHA1: 953ee732da8c49d2ef97711f5b7220d5e2cea8d6
  SHA256: 188f3af3e336a5bf1dc82007fa4b96522b3ed946326a65b93dbeb0e24356f642
  SHA512: 61ebf783d156733cbcf654a73bb73a67e63bc544376154b86f8c418a9ffaced9dfb7a0eea1b36d2622f7990539b078064cabe5d26976124a18e6aba580be2b33

(file path missing from the report)
  Filesize: 685KB
  MD5: 081d9558bbb7adce142da153b2d5577a
  SHA1: 7d0ad03fbda1c24f883116b940717e596073ae96
  SHA256: b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
  SHA512: 2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll
  Filesize: 16KB
  MD5: 9a341540899dcc5630886f2d921be78f
  SHA1: bab44612721c3dc91ac3d9dfca7c961a3a511508
  SHA256: 3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5
  SHA512: 066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37

(file path missing from the report)
  Filesize: 8KB
  MD5: 782f4beae90d11351db508f38271eb26
  SHA1: f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c
  SHA256: c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9
  SHA512: 0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4

C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.config
  Filesize: 618B
  MD5: 0e4ebc00f6099b2e065d9015fb53977d
  SHA1: 7542e6ecbd4fe9c018f1875126f72159a14369d8
  SHA256: 2f2975da8453485ddf84221e1e3d6823dcba996a4ce44cd6391cf4d2dd18e828
  SHA512: 2937e89aad01ca30f9aff99f84c33083c7a32ce8534e98a0c5acd8ab3edfeb23d2f6d9d99902ea34857c187ec093f18e833a192f71d29d18a7e378ecf351923e

C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config
  Filesize: 2KB
  MD5: 010d94408fd5432563d51e416ba346b3
  SHA1: 0041f1989b67b666ec0f0581f9e6ce0e94b55c55
  SHA256: 0472025ac139903fead459c4c173364f128f68f015d0299fb0ddd835f7437d5d
  SHA512: d3252d2f2e07ca2e29c26894400690a0698a8cfcaefc3dd7f7c5020193725e331833fe997b8889807900e08d5c9b09ce69e803d64452b297385713f0e3a325f1

C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.json
  Filesize: 163B
  MD5: ecd028adc95c8ae1a92db26c5fdedb09
  SHA1: a0b505a8ba954147e33542de25fdbd54ef3c5304
  SHA256: 94cdbb8cd5b9fd5e44858efe36e25994c56848fa0e77920c08253f3e3063a2e3
  SHA512: 0df8ace311c4bb75e4e036857828a57a1f76d075fe2056ef44fd9f3d865ab7dbc686c01274627b418a530ba0e761673d29c3f0ee3432887df7465ecfd167b7f6

(file path missing from the report)
  Filesize: 27KB
  MD5: a6749b968461644db5cc0ecceffb224a
  SHA1: 2795aa37b8586986a34437081351cdd791749a90
  SHA256: 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
  SHA512: 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

(file path missing from the report)
  Filesize: 3.5MB
  MD5: f32908d4944949b7c026a0421ce04879
  SHA1: 54f01696973eb9cc63c5a0a08812c188dd5150df
  SHA256: 2cd59d39d80de8823851ede07d0ddba1f283b0fae86060441f748b11e6e31f4f
  SHA512: 8d2ad3ea536a84320da3cbe874aca227329069624f2606767adc335ded18fd6f0646d74d7169179bebb1fce7bc4687f2164a0f23dd50d251a392bf4eea7d36c8

\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll
  Filesize: 18KB
  MD5: 7ef638cbd3200605fc15e7be7ea9fcb5
  SHA1: 534f6176f10bc79b2655e535b7ac6a4df9f67855
  SHA256: 467df0856c41d9b37e6c55ae1b82edcca60f4c7847f93b7f24ca6543b675ad8a
  SHA512: c145576d119e2053c0cbffb910f63003d42c2af320ba410f6e81da9e40cc337000d8ad733778873bd2700e366f5672c311d69b4b2391564fe19fa6e48c1cb373

\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll
  Filesize: 133KB
  MD5: a6076a6e981bc6c29f270d3919e722e8
  SHA1: 739c1b7fe6ade740cd87aeb84a4ac10720b14a2a
  SHA256: 460bed22e1f7148209901da0eb97fd8d83fef8f1404e3fb82219c90ae2876710
  SHA512: 064f5a4756b3a0b8f8017e892ab85e0340d9f60fd1c03f2250cc24bdb0d650edaae873c8dcf543af31e027ac5eaa1bfeda99099286de71332eced742c78d6720

(file path missing from the report)
  Filesize: 398KB
  MD5: d6baac92ade6ade86ac8b33179c13db8
  SHA1: c2dfc428a02ffc2c3cc293423d38037ea75cfade
  SHA256: eafadec2a23db1e659ecec552971b847eaa78b5e665db8984e456e159715ec10
  SHA512: 7577167f2954402ffa642e1705acacc49e577268c102f00685cf5968c669d16e2925db39650882054b6e812433c98c916f737f7bacdb94ce8c37277a7585ec45