Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/06/2024, 10:30

General

  • Target

    b846bb1c9d1791e0dc0b377246017ed0_NeikiAnalytics.exe

  • Size

    32KB

  • MD5

    b846bb1c9d1791e0dc0b377246017ed0

  • SHA1

    548fcb207b312c7e849c6ef82e7b27e45b9ed498

  • SHA256

    15eb7a9beda4ca51eab80ce1325921074c1cffae267d306ca9e730526e11174d

  • SHA512

    878915cfba1f128846ae7568c3140818e7ba2fb55a6da2f56d50a9a121f8009ccf29c32715a70e4ff50e59900ad01014c8e39d560ba83bc608813d1e16dd6551

  • SSDEEP

    768:X9J/3FzjgfanEGx8V36unjv88tznuRU65Y4gpph1ePVCM74H0U78:N5VzcfA/6LrVpL74gfh16nUH0U78

Malware Config

Signatures

  • Executes dropped EXE 1 IoC
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • UPX packed file 6 IoCs

    Detects executables packed with the open-source UPX packer or a modified build of it.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
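An added triage helper, not part of the sandbox report and not code from the sample: it checks a file against the SHA-256 values this report lists for the submitted sample and the two dropped executables, and walks the PE section table by hand to look for the UPX0/UPX1 names that stock UPX writes. The header-only PE produced by build_minimal_pe is a constructed fixture for the demonstration, not a binary from the report.

```python
"""IoC triage helper for this report: hash matching plus a stock-UPX section-name check."""
import hashlib
import struct
from pathlib import Path

# SHA-256 values copied from the General and Downloads sections of this report.
REPORT_SHA256 = {
    "15eb7a9beda4ca51eab80ce1325921074c1cffae267d306ca9e730526e11174d":
        "b846bb1c9d1791e0dc0b377246017ed0_NeikiAnalytics.exe (submitted sample)",
    "720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2":
        r"C:\Windows\CTS.exe (dropped and executed)",
    "0b4b1a2dcd7bad9fe58d3d12a3052988bbba090463f59735108def2cb68cb883":
        r"C:\Users\Admin\AppData\Local\Temp\JXQrqDFYKTRcmj5.exe (dropped)",
}


def match_report_hash(data: bytes):
    """Return the report label for a file whose SHA-256 is in REPORT_SHA256, else None."""
    return REPORT_SHA256.get(hashlib.sha256(data).hexdigest())


def pe_section_names(data: bytes) -> list:
    """Walk the PE headers directly (no pefile dependency) and return the section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts after the signature
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size              # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]   # IMAGE_SECTION_HEADER.Name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX names its sections UPX0/UPX1 (sometimes UPX2); a modified build may rename them."""
    return any(name.startswith("UPX") for name in pe_section_names(data))


def scan_file(path) -> dict:
    """Run both checks against one file on disk."""
    data = Path(path).read_bytes()
    return {
        "path": str(path),
        "sha256": hashlib.sha256(data).hexdigest(),
        "report_match": match_report_hash(data),
        "upx_sections": looks_upx_packed(data),
    }


def build_minimal_pe(section_names) -> bytes:
    """Constructed fixture: a header-only PE with the requested section names (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    packed = build_minimal_pe(["UPX0", "UPX1", ".rsrc"])
    print(pe_section_names(packed), looks_upx_packed(packed))   # ['UPX0', 'UPX1', '.rsrc'] True
    print(match_report_hash(packed))                             # None: the fixture is not the sample
```

The section-name test only catches stock UPX; a modified build (which is why the report signature says "UPX/modified UPX") typically renames sections, so pair it with an entropy or import-table check before trusting a negative. The hash match is exact-build only: the 32KB on-disk sample and the 96KB mapped regions in the memory dumps are different artifacts and will never share a hash.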

Processes

  • C:\Users\Admin\AppData\Local\Temp\b846bb1c9d1791e0dc0b377246017ed0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\b846bb1c9d1791e0dc0b377246017ed0_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:216
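The process tree above is the pattern a detection should key on: a binary running from the user's Temp folder writes an EXE into C:\Windows, sets a Run key, and the dropped file then runs as its child and sets the key again. As an added example, not part of the report, here is a small correlation over constructed Sysmon-style events (IDs 1, 11 and 13). The image paths and PIDs are the ones shown in the tree; the registry hive SID and the Run value name "CTS" are assumptions, since the report does not show which value was written.

```python
"""Detection for the drop-then-execute chain in this report, over constructed Sysmon-style events."""
import re

# Paths and PIDs taken from the Processes section of the report.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\b846bb1c9d1791e0dc0b377246017ed0_NeikiAnalytics.exe"
CHILD = r"C:\Windows\CTS.exe"

USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
WINROOT_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)


def untrusted_image(image: str) -> bool:
    """A process running from a user temp dir or from a loose EXE in the Windows root."""
    return bool(USER_TEMP_RE.match(image) or WINROOT_EXE_RE.match(image))


def detect_drop_and_run(events):
    """Return findings for three linked behaviours:
    - an EXE dropped into C:\\Windows by a temp-dir process (Sysmon event 11),
    - a Run-key value written by an untrusted image (Sysmon event 13, ATT&CK T1547.001),
    - execution of a file that an earlier event in the same stream dropped (Sysmon event 1)."""
    findings = []
    dropped = {}                                   # lower-cased path -> pid that wrote it
    for ev in events:
        eid, image = ev["EventID"], ev.get("Image", "")
        if eid == 11 and USER_TEMP_RE.match(image) and WINROOT_EXE_RE.match(ev["TargetFilename"]):
            dropped[ev["TargetFilename"].lower()] = ev["ProcessId"]
            findings.append({"kind": "drop_in_windows_dir", "pid": ev["ProcessId"],
                             "file": ev["TargetFilename"]})
        elif eid == 13 and untrusted_image(image) and RUN_KEY_RE.search(ev["TargetObject"]):
            findings.append({"kind": "run_key_persistence", "pid": ev["ProcessId"],
                             "key": ev["TargetObject"]})
        elif eid == 1 and image.lower() in dropped:
            findings.append({"kind": "executes_dropped_exe", "pid": ev["ProcessId"],
                             "parent_pid": ev["ParentProcessId"],
                             "dropped_by": dropped[image.lower()]})
    return findings


# Constructed events mirroring the report's tree. The SID in the hive path and the value
# name "CTS" are assumptions; the report does not show which Run value was written.
RUN_VALUE = (r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
             r"\Software\Microsoft\Windows\CurrentVersion\Run\CTS")
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 3472, "Image": PARENT, "TargetFilename": CHILD},
    {"EventID": 13, "ProcessId": 3472, "Image": PARENT, "TargetObject": RUN_VALUE},
    {"EventID": 1, "ProcessId": 216, "ParentProcessId": 3472, "Image": CHILD, "ParentImage": PARENT},
    {"EventID": 13, "ProcessId": 216, "Image": CHILD, "TargetObject": RUN_VALUE},
    # Benign noise: a system binary that lives in the Windows root but was never dropped.
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 900, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
]

if __name__ == "__main__":
    for finding in detect_drop_and_run(SAMPLE_EVENTS):
        print(finding)
```

The executes_dropped_exe finding is the one worth alerting on with high priority, because it only fires when the file-create and the process-create are tied together in the same stream; the other two are noisier on their own. In a real deployment, WINROOT_EXE_RE needs an allow-list for the few signed binaries that legitimately live directly under C:\Windows (explorer.exe, for instance), otherwise their Run-key writes would also be flagged.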

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

          Filesize

          350KB

          MD5

          692dae9c41b16d91f5bedd4a96fe938a

          SHA1

          b9cef7870dac9632c91b26ffff9b741593a9f3e8

          SHA256

          534e1abdf17a345d098ea04b7a7a88bde1ee982af5f65212541143fc6573aa0f

          SHA512

          e61a198eb6c0e41a2238af71d1747fa4c64e9dfa4345181ba7934a8baa3231852beb24c5aa8afb00de56dccea040e766ae79b0027532f96b7b9250041d91b1ca

        • C:\Users\Admin\AppData\Local\Temp\JXQrqDFYKTRcmj5.exe

          Filesize

          32KB

          MD5

          2efc4255ac90d6deb80f371cc5c4e7e7

          SHA1

          398e738e0ad0653b5fa6b7f92743efafad244831

          SHA256

          0b4b1a2dcd7bad9fe58d3d12a3052988bbba090463f59735108def2cb68cb883

          SHA512

          2980cf316f63514adfbc3ab0e22248678a328ca9997857c50741f54561d3047da9825b4c05dd703e544e232590c98a72e3b4ab3cff6664c9d92cf9b1cfb2b542

        • C:\Windows\CTS.exe

          Filesize

          27KB

          MD5

          a6749b968461644db5cc0ecceffb224a

          SHA1

          2795aa37b8586986a34437081351cdd791749a90

          SHA256

          720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

          SHA512

          2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

        • memory/216-10-0x00000000007D0000-0x00000000007E8000-memory.dmp

          Filesize

          96KB

        • memory/3472-0-0x00000000001B0000-0x00000000001C8000-memory.dmp

          Filesize

          96KB

        • memory/3472-9-0x00000000001B0000-0x00000000001C8000-memory.dmp

          Filesize

          96KB