General

  • Target: 4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe
  • Size: 449KB
  • Sample: 240620-kmtvkasfqk
  • MD5: 835a7fc62c636ef2472c4c7923ebbea0
  • SHA1: b17c94ca7f372dfbbbd8044bc3c0e3503fc552d0
  • SHA256: 4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca
  • SHA512: 93fb971fd30c338db444cd84fcb02c843c769cab16c0ad1e5aee4c2bf5af0eb75c08faf6280a8e85e43fca3fbae4b0902f6a85a37b40807355ab56a9580dbb20
  • SSDEEP: 12288:QehuHbQ9Tece9a+oX4xqwHryk+wAJubORAu:9sMLe9a8tOk+n3C

Malware Config

Extracted

  • Family: asyncrat
  • Version: 0.0.0.1
  • Botnet: Default
  • C2:
      127.0.0.1:6606
      127.0.0.1:7707
      127.0.0.1:8808
      194.55.186.122:6606
      194.55.186.122:7707
      194.55.186.122:8808
  • Mutex: bbgJYQyQgIFe
  • Attributes:
      • delay: 3
      • install: true
      • install_file: server.exe
      • install_folder: %AppData%
  • aes.plain

Targets

    • AsyncRat
      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.
    • Modifies security service
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Async RAT payload
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Sets service image path in registry
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely as a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.
    • Legitimate hosting services abused for malware hosting/C2
    • Writes to the Master Boot Record (MBR)
      Bootkits write to the MBR to gain persistence at a level below the operating system.
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic, then technique (ID) [count]; sub-techniques are indented under their parent technique.

Execution
  • Scheduled Task/Job (T1053) [1]
      • Scheduled Task (T1053.005) [1]

Persistence
  • Create or Modify System Process (T1543) [1]
      • Windows Service (T1543.003) [1]
  • Event Triggered Execution (T1546) [1]
      • Image File Execution Options Injection (T1546.012) [1]
  • Boot or Logon Autostart Execution (T1547) [1]
      • Registry Run Keys / Startup Folder (T1547.001) [1]
  • Pre-OS Boot (T1542) [1]
      • Bootkit (T1542.003) [1]
  • Scheduled Task/Job (T1053) [1]
      • Scheduled Task (T1053.005) [1]

Privilege Escalation
  • Create or Modify System Process (T1543) [1]
      • Windows Service (T1543.003) [1]
  • Event Triggered Execution (T1546) [1]
      • Image File Execution Options Injection (T1546.012) [1]
  • Boot or Logon Autostart Execution (T1547) [1]
      • Registry Run Keys / Startup Folder (T1547.001) [1]
  • Scheduled Task/Job (T1053) [1]
      • Scheduled Task (T1053.005) [1]

Defense Evasion
  • Modify Registry (T1112) [2]
  • Pre-OS Boot (T1542) [1]
      • Bootkit (T1542.003) [1]

Discovery
  • Query Registry (T1012) [6]
  • System Information Discovery (T1082) [6]
  • Peripheral Device Discovery (T1120) [2]

Command and Control
  • Web Service (T1102) [1]

Tasks