Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 03:17
Behavioral task: behavioral1
- Sample: 9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
- Size: 170KB
- MD5: 9e1694cb5fa2368e90531bdb71bfb920
- SHA1: b2e61429fb59ff57aa57b431b0cb773cb822e9db
- SHA256: 113065238b001d3557ae25ec83f30bc06460569124c3bcb16f266000f0211430
- SHA512: 656f9a07b6d232093b872be6a5794ca6d69866c84bd53aa16a611f66455304d9054c9950b0b012eca2ef8a3f99bbdc5af1b0523dc35461c0b365d130098b620b
- SSDEEP: 3072:/V2A/gVh74gpgjaVwLyHt4Ye86bBZjFrPXOeQd5AO+btDtVJ4NZcny8+G4bXg/42:/MAoVN5VwOHtj1yHlXO5rLEPUDT8R4Ef
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    2088  4sGHlORDYV5JWuM.exe
    2068  CTS.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    1780  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA matches (resource, yara_rule):
    behavioral1/memory/1780-0-0x0000000000B60000-0x0000000000B78000-memory.dmp  upx
    behavioral1/memory/2068-13-0x00000000010D0000-0x00000000010E8000-memory.dmp  upx
    C:\Windows\CTS.exe  upx
    behavioral1/memory/1780-11-0x0000000000B60000-0x0000000000B78000-memory.dmp  upx
    behavioral1/memory/2068-19-0x00000000010D0000-0x00000000010E8000-memory.dmp  upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\Windows\CTS.exe  CTS.exe
    File created  C:\Windows\CTS.exe  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  1780  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
    Token: SeDebugPrivilege  2068  CTS.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 1780 wrote to memory of 2088  1780  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe  4sGHlORDYV5JWuM.exe
    PID 1780 wrote to memory of 2088  1780  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe  4sGHlORDYV5JWuM.exe
    PID 1780 wrote to memory of 2088  1780  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe  4sGHlORDYV5JWuM.exe
    PID 1780 wrote to memory of 2088  1780  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe  4sGHlORDYV5JWuM.exe
    PID 1780 wrote to memory of 2068  1780  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe  CTS.exe
    PID 1780 wrote to memory of 2068  1780  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe  CTS.exe
    PID 1780 wrote to memory of 2068  1780  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe  CTS.exe
    PID 1780 wrote to memory of 2068  1780  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe  CTS.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe"
  PID: 1780
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\4sGHlORDYV5JWuM.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\4sGHlORDYV5JWuM.exe
    PID: 2088
    - Executes dropped EXE
  - C:\Windows\CTS.exe
    Command line: "C:\Windows\CTS.exe"
    PID: 2068
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 27KB
  MD5: a6749b968461644db5cc0ecceffb224a
  SHA1: 2795aa37b8586986a34437081351cdd791749a90
  SHA256: 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2
  SHA512: 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4
- Filesize: 143KB
  MD5: 2fdb371d45181dff59577110ba1064e2
  SHA1: 42a5833cb0ac90e38d734d1327bb3f7c7a6aa453
  SHA256: 80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155
  SHA512: 52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20