General
-
Target
4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe
-
Size
449KB
-
Sample
240620-kmtvkasfqk
-
MD5
835a7fc62c636ef2472c4c7923ebbea0
-
SHA1
b17c94ca7f372dfbbbd8044bc3c0e3503fc552d0
-
SHA256
4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca
-
SHA512
93fb971fd30c338db444cd84fcb02c843c769cab16c0ad1e5aee4c2bf5af0eb75c08faf6280a8e85e43fca3fbae4b0902f6a85a37b40807355ab56a9580dbb20
-
SSDEEP
12288:QehuHbQ9Tece9a+oX4xqwHryk+wAJubORAu:9sMLe9a8tOk+n3C
Static task
static1
Behavioral task
behavioral1
Sample
4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
asyncrat
0.0.0.1
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
194.55.186.122:6606
194.55.186.122:7707
194.55.186.122:8808
bbgJYQyQgIFe
-
delay
3
-
install
true
-
install_file
server.exe
-
install_folder
%AppData%
Targets
-
-
Target
4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca_NeikiAnalytics.exe
-
Size
449KB
-
MD5
835a7fc62c636ef2472c4c7923ebbea0
-
SHA1
b17c94ca7f372dfbbbd8044bc3c0e3503fc552d0
-
SHA256
4c13b062c288d79772fef92466bb64965de7256ac2a63b5540deec0e457b0dca
-
SHA512
93fb971fd30c338db444cd84fcb02c843c769cab16c0ad1e5aee4c2bf5af0eb75c08faf6280a8e85e43fca3fbae4b0902f6a85a37b40807355ab56a9580dbb20
-
SSDEEP
12288:QehuHbQ9Tece9a+oX4xqwHryk+wAJubORAu:9sMLe9a8tOk+n3C
-
Modifies security service
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Async RAT payload
-
Drops file in Drivers directory
-
Event Triggered Execution: Image File Execution Options Injection
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Image File Execution Options Injection
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Image File Execution Options Injection
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1