Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2024 03:17

General

  • Target

    9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe

  • Size

    170KB

  • MD5

    9e1694cb5fa2368e90531bdb71bfb920

  • SHA1

    b2e61429fb59ff57aa57b431b0cb773cb822e9db

  • SHA256

    113065238b001d3557ae25ec83f30bc06460569124c3bcb16f266000f0211430

  • SHA512

    656f9a07b6d232093b872be6a5794ca6d69866c84bd53aa16a611f66455304d9054c9950b0b012eca2ef8a3f99bbdc5af1b0523dc35461c0b365d130098b620b

  • SSDEEP

    3072:/V2A/gVh74gpgjaVwLyHt4Ye86bBZjFrPXOeQd5AO+btDtVJ4NZcny8+G4bXg/42:/MAoVN5VwOHtj1yHlXO5rLEPUDT8R4Ef

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file (6 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9e1694cb5fa2368e90531bdb71bfb920_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Users\Admin\AppData\Local\Temp\IKx90daurQo8y5Q.exe
      C:\Users\Admin\AppData\Local\Temp\IKx90daurQo8y5Q.exe
      2⤵
      • Executes dropped EXE
      PID:4912
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1336

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    350KB

    MD5

    6cef3f9e1adc56af67ee6f8944ea22f9

    SHA1

    75dae680c27f60d1c9422e1a26b16ae309095079

    SHA256

    8bb17db6597fb94cbcf37fc8495b369bb21f3f8a0446a8a60d0044fe656dc65a

    SHA512

    1609a8237958e7ecfc411e1c4f6f92834f8b8bd6051d8ef6dab86abc2775f3753583724ccd6b7809bd333ffa8e6ca353c198a4c5c6ad5313d724cc56bee04c9b

  • C:\Users\Admin\AppData\Local\Temp\IKx90daurQo8y5Q.exe

    Filesize

    143KB

    MD5

    2fdb371d45181dff59577110ba1064e2

    SHA1

    42a5833cb0ac90e38d734d1327bb3f7c7a6aa453

    SHA256

    80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155

    SHA512

    52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

  • C:\Windows\CTS.exe

    Filesize

    27KB

    MD5

    a6749b968461644db5cc0ecceffb224a

    SHA1

    2795aa37b8586986a34437081351cdd791749a90

    SHA256

    720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

    SHA512

    2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

  • memory/1336-7-0x0000000000DA0000-0x0000000000DB8000-memory.dmp

    Filesize

    96KB

  • memory/1336-36-0x0000000000DA0000-0x0000000000DB8000-memory.dmp

    Filesize

    96KB

  • memory/2560-0-0x00000000008F0000-0x0000000000908000-memory.dmp

    Filesize

    96KB

  • memory/2560-10-0x00000000008F0000-0x0000000000908000-memory.dmp

    Filesize

    96KB

  • memory/4912-22-0x0000000000930000-0x0000000000958000-memory.dmp

    Filesize

    160KB

  • memory/4912-24-0x00007FFB83F33000-0x00007FFB83F35000-memory.dmp

    Filesize

    8KB

  • memory/4912-31-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

    Filesize

    10.8MB

  • memory/4912-38-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

    Filesize

    10.8MB