Analysis

  • max time kernel: 119s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 19-06-2024 04:43

General

  • Target: 8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe
  • Size: 5.7MB
  • MD5: 8a63dd9d554d110d50c9a5fc7be6ddf0
  • SHA1: 64d20fc92846cb54a7a2dc8a42995375b91f89bd
  • SHA256: 3429a934434f068f592511a10583933e0f7ec8d18eaef4c4f508615115f74e40
  • SHA512: 8771f32b73a33e6b21c1873f77721ad5bb86320f799cea12dbd873de58b57999029531e8bef8d92a15d47d69846cdbe56a624d04b2790002d91352845bc5a066
  • SSDEEP: 98304:Y7laQzNXYkwOfVH/f0tguZZVC7+f+6vrmTQMdPzRedwELkex5Hi9h2:Y7EQ5Iqf5/f0t3ZZU7+WQ9MdPteHv

Malware Config

Signatures

  • Detect Neshta payload (18 IoCs)
  • Neshta

    Malware from the Neshta family spreads by infecting other files with copies of itself, damaging the files it infects.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Modifies system executable filetype association (2 TTPs, 1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe"
    PID: 2280
    Signatures:
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    Child process:
    • C:\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe"
      PID: 2064
      Signatures:
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      Child process:
      • C:\Windows\svchost.com
        Command line: "C:\Windows\svchost.com" "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\3582-490\PWRISOSH.DLL"
        PID: 2684
        Signatures:
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        Child process:
        • C:\Windows\SysWOW64\regsvr32.exe
          Command line: C:\Windows\System32\regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\3582-490\PWRISOSH.DLL
          PID: 2720

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Event Triggered Execution (T1546): 1
      • Change Default File Association (T1546.001): 1
  • Privilege Escalation
    • Event Triggered Execution (T1546): 1
      • Change Default File Association (T1546.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Credential Access
    • Unsecured Credentials (T1552): 1
      • Credentials In Files (T1552.001): 1
  • Discovery
    • System Information Discovery (T1082): 1
  • Collection
    • Data from Local System (T1005): 1


Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
    Filesize: 859KB
    MD5: 02ee6a3424782531461fb2f10713d3c1
    SHA1: b581a2c365d93ebb629e8363fd9f69afc673123f
    SHA256: ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
    SHA512: 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

  • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
    Filesize: 547KB
    MD5: cf6c595d3e5e9667667af096762fd9c4
    SHA1: 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
    SHA256: 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
    SHA512: ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

  • C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
    Filesize: 186KB
    MD5: 58b58875a50a0d8b5e7be7d6ac685164
    SHA1: 1e0b89c1b2585c76e758e9141b846ed4477b0662
    SHA256: 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
    SHA512: d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

  • C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
    Filesize: 1.1MB
    MD5: 566ed4f62fdc96f175afedd811fa0370
    SHA1: d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
    SHA256: e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
    SHA512: cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

  • C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
    Filesize: 137KB
    MD5: e1833678885f02b5e3cf1b3953456557
    SHA1: c197e763500002bc76a8d503933f1f6082a8507a
    SHA256: bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14
    SHA512: fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

  • C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
    Filesize: 714KB
    MD5: e19544c111fefa491cfe53b99f8bebc2
    SHA1: a05e096689dd82751ccd0a4eec0db54a5f972830
    SHA256: 82a14caee30a4f86dd143015fc852220a36cc96cdbb9f65aaca87d80f2c43762
    SHA512: 0f017e3aeea8de42195687c2745b9eccc174e6430149edf22a8f4b5fc24e7881654ba7c55ed2327b9c710787dffa3c438c0d99b06e7e12f6126bc3e86392d4db

  • C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
    Filesize: 674KB
    MD5: 9c10a5ec52c145d340df7eafdb69c478
    SHA1: 57f3d99e41d123ad5f185fc21454367a7285db42
    SHA256: ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36
    SHA512: 2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

  • C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
    Filesize: 495KB
    MD5: 9597098cfbc45fae685d9480d135ed13
    SHA1: 84401f03a7942a7e4fcd26e4414b227edd9b0f09
    SHA256: 45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c
    SHA512: 16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

  • C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
    Filesize: 485KB
    MD5: 87f15006aea3b4433e226882a56f188d
    SHA1: e3ad6beb8229af62b0824151dbf546c0506d4f65
    SHA256: 8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919
    SHA512: b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

  • C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
    Filesize: 495KB
    MD5: 07e194ce831b1846111eb6c8b176c86e
    SHA1: b9c83ec3b0949cb661878fb1a8b43a073e15baf1
    SHA256: d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac
    SHA512: 55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

  • C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
    Filesize: 526KB
    MD5: 7ec5ddf3fcc6796ca4e49ba4b3cf196a
    SHA1: 0f5d6a04f70f466b3cbe1750d9be78da80579e07
    SHA256: f71d62354d4c6eec8a9cd14db442b9a5f2a6550468b01bda06f82acaa8e0c9b8
    SHA512: f3884675fd5d324843102bf7dcc22885962ce1feaaf9f2460af8de36d594102957da993576405f18686e04ac693b651fec22c4e66a9821329f53f712281c87ea

  • C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
    Filesize: 714KB
    MD5: af347c1ed4c9439b511585d607aa7a81
    SHA1: 5bccf29c6de8d1e005450f84d8e0ea597d290329
    SHA256: 94626f607c789acc73135c18be6fd93a9e56e839d4739dfebf45ce03d55386b9
    SHA512: f314ad43f0af94f1178fb40a503c869c2a51ef04f78ee59b8236ca886c01ab7f50b4eb322cf16cbb7fde7015bc926b08df6ef50828c09178da82f2b5d512a5c1

  • C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
    Filesize: 715KB
    MD5: f34835c1f458f93cd9041bfa7d01ee7d
    SHA1: 283ac4059492a22e10f7fcef219e52e0400a8926
    SHA256: afc5cc567db1a3318c89dd0efad2ca60a353290bc25d98bbbba8e6f1492e23b1
    SHA512: d5cc2244f1b6492dd9e66c6e917c2dfaa11376d4a8d1dea2c241cd35ce947ad919e47d1a78dea0c1f6cd6fa1e74426f806ddcf9ed3e8f25a9ae7c370b09e6857

  • C:\Users\Admin\AppData\Local\Temp\$PowerISO$\169C.tmp.ico
    Filesize: 2KB
    MD5: 4198afdeb9ace242c575ee572af22e1f
    SHA1: 32784594ec69ca459878010401c3931be8e5e15e
    SHA256: b4d6704aabfcc8b7cb8f4ee58b162dd124e2d0e4dce20ecf13eebd262dd1e76e
    SHA512: d4288466d9a669c7735dc788f81fd5581876048644c48a58df5e2f8c70d468464d9de2bcbd295cdfe8510fd77a9a3cc26e3de0a1cf985622fec00baefda7f4cc

  • C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
    Filesize: 8B
    MD5: aa939d42a2d12874c4f9c641b0e47c2e
    SHA1: 82200fb9d0cf9e295679187485a20cbd3d6c4103
    SHA256: 9dc5998587f4e0826080001b2c597553052d704f7bc0f01a86fff89afbbe2db1
    SHA512: f61717606c7fd9d367f5aedbdbadb93ff5ee1fcb6784563b46b7727aba7168db444107d56f24f289b5c741328a4cba4b2cf0d7a7dfd3f9d1b4a7c01208811303

  • C:\Windows\svchost.com
    Filesize: 40KB
    MD5: 29fcbce31956f368109ec1fc6e5148ff
    SHA1: cc297e4f5d7e7ca35ee4e565c8d3262168524d4b
    SHA256: c6e8ecbb783ffaf1d834b61a20c384d04a8af72eeaf83cdee4dc75f654fcfcd2
    SHA512: 3f73585c1f1f34b5c4db941c6c61d85b830bf4af89be2ddf391b766e13797f27cc8d8f22ea8402e97143c5503216be4fbdd2914f3b2e0c73bfd4c85583c0d159

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize: 252KB
    MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
    SHA1: ec66cda99f44b62470c6930e5afda061579cde35
    SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
    SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • \Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe
    Filesize: 5.7MB
    MD5: 8803e7c609fa926a782a879ddf4aed31
    SHA1: 96c8fdaff82508341c4e227776e9f22b38362f10
    SHA256: 4371c16ac11f9f66e5467dbbc1066c1a6d9b7320cdece579a62f9296014c8211
    SHA512: b3faeeb690e3738079a43d36ac5d920a0e041b25cef0215e23abe13d7eeb5d7c1e716b817e7a9f3b3ed4f205e4d616ccd8a2ecbd7b106fa7c480ef6afd1ed96b

  • memory/2280-167-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB

  • memory/2280-170-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB

  • memory/2684-168-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB

  • memory/2684-173-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB