Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 03:17
Behavioral task: behavioral1
- Sample: 9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
- Size: 170KB
- MD5: 9e1694cb5fa2368e90531bdb71bfb920
- SHA1: b2e61429fb59ff57aa57b431b0cb773cb822e9db
- SHA256: 113065238b001d3557ae25ec83f30bc06460569124c3bcb16f266000f0211430
- SHA512: 656f9a07b6d232093b872be6a5794ca6d69866c84bd53aa16a611f66455304d9054c9950b0b012eca2ef8a3f99bbdc5af1b0523dc35461c0b365d130098b620b
- SSDEEP: 3072:/V2A/gVh74gpgjaVwLyHt4Ye86bBZjFrPXOeQd5AO+btDtVJ4NZcny8+G4bXg/42:/MAoVN5VwOHtj1yHlXO5rLEPUDT8R4Ef
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  4912  IKx90daurQo8y5Q.exe
  1336  CTS.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Yara rule matches:
  resource                                                                      yara_rule
  behavioral2/memory/2560-0-0x00000000008F0000-0x0000000000908000-memory.dmp    upx
  C:\Windows\CTS.exe                                                            upx
  behavioral2/memory/1336-7-0x0000000000DA0000-0x0000000000DB8000-memory.dmp    upx
  behavioral2/memory/2560-10-0x00000000008F0000-0x0000000000908000-memory.dmp   upx
  C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml        upx
  behavioral2/memory/1336-36-0x0000000000DA0000-0x0000000000DB8000-memory.dmp   upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                          process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"   9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"   CTS.exe
Drops file in Windows directory (2 IoCs)
Processes:
  description   ioc                 process
  File created  C:\Windows\CTS.exe  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
  File created  C:\Windows\CTS.exe  CTS.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2560  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
  Token: SeDebugPrivilege  1336  CTS.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                        pid   process                                               target process
  PID 2560 wrote to memory of 4912   2560  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe  IKx90daurQo8y5Q.exe
  PID 2560 wrote to memory of 4912   2560  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe  IKx90daurQo8y5Q.exe
  PID 2560 wrote to memory of 1336   2560  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe  CTS.exe
  PID 2560 wrote to memory of 1336   2560  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe  CTS.exe
  PID 2560 wrote to memory of 1336   2560  9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe  CTS.exe
Processes

C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe"
  PID: 2560
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IKx90daurQo8y5Q.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IKx90daurQo8y5Q.exe
    PID: 4912
    - Executes dropped EXE

  C:\Windows\CTS.exe
    command line: "C:\Windows\CTS.exe"
    PID: 1336
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken