Analysis
-
max time kernel
148s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
21-06-2024 16:00
Static task
static1
Behavioral task
behavioral1
Sample
04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe
Resource
win7-20240508-en
General
-
Target
04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe
-
Size
1.8MB
-
MD5
93bab175f87cf76fb8247d78bcfedab0
-
SHA1
3432a30b942f87784bdc677854298312b670a6bd
-
SHA256
04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860
-
SHA512
fb114f76422826e4d1a1d7aca5a97d9593d03b95e27920aa4f6f5c446f320c4022b388c01f49df625c2e268f9e5152b06bd6936b6b5484db2f14032a3e2dc696
-
SSDEEP
24576:LTZth+nZm+GEbfOlSlEiGHzCa0etEQ+ZVY7jzSbknaphQVuQiUJDRcH2JmxnYqqc:LH+QQE4GT1qjrY7agnP0QpXJmxj82Rn
Malware Config
Extracted
xworm
1.tcp.sa.ngrok.io:22405
-
Install_directory
%AppData%
-
install_file
dwm.exe
Signatures
-
Detect Xworm Payload 4 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2660-21-0x00000000010B0000-0x00000000010C6000-memory.dmp  family_xworm
C:\Windows\dwm.exe  family_xworm
behavioral1/memory/2192-50-0x0000000000320000-0x0000000000336000-memory.dmp  family_xworm
behavioral1/memory/564-52-0x0000000001070000-0x0000000001086000-memory.dmp  family_xworm
-
Processes:
pid  process
2424  powershell.exe
2160  powershell.exe
2568  powershell.exe
2804  powershell.exe
392  powershell.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid  process
2648  Zimo Free2.exe
2660  dwm.exe
2192  dwm.exe
564  dwm.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
4  ip-api.com
-
Drops file in Windows directory 1 IoCs
Processes:
description  ioc  process
File created  C:\Windows\dwm.exe  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid  process
2424  powershell.exe
2804  powershell.exe
392  powershell.exe
2160  powershell.exe
2568  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  2424  powershell.exe
Token: SeDebugPrivilege  2660  dwm.exe
Token: SeDebugPrivilege  2804  powershell.exe
Token: SeDebugPrivilege  392  powershell.exe
Token: SeDebugPrivilege  2160  powershell.exe
Token: SeDebugPrivilege  2568  powershell.exe
Token: SeDebugPrivilege  2660  dwm.exe
Token: SeDebugPrivilege  2192  dwm.exe
Token: SeDebugPrivilege  564  dwm.exe
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
description  pid  process  target process
PID 2580 wrote to memory of 2424  2580  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe  powershell.exe
PID 2580 wrote to memory of 2424  2580  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe  powershell.exe
PID 2580 wrote to memory of 2424  2580  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe  powershell.exe
PID 2580 wrote to memory of 2648  2580  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe  Zimo Free2.exe
PID 2580 wrote to memory of 2648  2580  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe  Zimo Free2.exe
PID 2580 wrote to memory of 2648  2580  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe  Zimo Free2.exe
PID 2580 wrote to memory of 2660  2580  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe  dwm.exe
PID 2580 wrote to memory of 2660  2580  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe  dwm.exe
PID 2580 wrote to memory of 2660  2580  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe  dwm.exe
PID 2648 wrote to memory of 2776  2648  Zimo Free2.exe  WerFault.exe
PID 2648 wrote to memory of 2776  2648  Zimo Free2.exe  WerFault.exe
PID 2648 wrote to memory of 2776  2648  Zimo Free2.exe  WerFault.exe
PID 2660 wrote to memory of 2804  2660  dwm.exe  powershell.exe
PID 2660 wrote to memory of 2804  2660  dwm.exe  powershell.exe
PID 2660 wrote to memory of 2804  2660  dwm.exe  powershell.exe
PID 2660 wrote to memory of 392  2660  dwm.exe  powershell.exe
PID 2660 wrote to memory of 392  2660  dwm.exe  powershell.exe
PID 2660 wrote to memory of 392  2660  dwm.exe  powershell.exe
PID 2660 wrote to memory of 2160  2660  dwm.exe  powershell.exe
PID 2660 wrote to memory of 2160  2660  dwm.exe  powershell.exe
PID 2660 wrote to memory of 2160  2660  dwm.exe  powershell.exe
PID 2660 wrote to memory of 2568  2660  dwm.exe  powershell.exe
PID 2660 wrote to memory of 2568  2660  dwm.exe  powershell.exe
PID 2660 wrote to memory of 2568  2660  dwm.exe  powershell.exe
PID 2660 wrote to memory of 1292  2660  dwm.exe  schtasks.exe
PID 2660 wrote to memory of 1292  2660  dwm.exe  schtasks.exe
PID 2660 wrote to memory of 1292  2660  dwm.exe  schtasks.exe
PID 1468 wrote to memory of 2192  1468  taskeng.exe  dwm.exe
PID 1468 wrote to memory of 2192  1468  taskeng.exe  dwm.exe
PID 1468 wrote to memory of 2192  1468  taskeng.exe  dwm.exe
PID 1468 wrote to memory of 564  1468  taskeng.exe  dwm.exe
PID 1468 wrote to memory of 564  1468  taskeng.exe  dwm.exe
PID 1468 wrote to memory of 564  1468  taskeng.exe  dwm.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe (level 1)
  "C:\Users\Admin\AppData\Local\Temp\04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2580

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAbgBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAZABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AbABlACMAPgA="
    (The Base64/UTF-16LE encoded command decodes to: <#rnn#>Add-MpPreference <#mqu#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#ldc#> -Force <#mle#>. The <#...#> tokens are empty PowerShell block comments inserted as padding; the effective command adds the whole user profile and system drive to the Windows Defender exclusion list.)
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2424

  C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe (level 2)
    "C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2648

    C:\Windows\system32\WerFault.exe (level 3)
      C:\Windows\system32\WerFault.exe -u -p 2648 -s 536
      PID:2776

  C:\Windows\dwm.exe (level 2)
    "C:\Windows\dwm.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\dwm.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2804

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dwm.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:392

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\dwm.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2160

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dwm.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2568

    C:\Windows\System32\schtasks.exe (level 3)
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dwm" /tr "C:\Users\Admin\AppData\Roaming\dwm.exe"
      - Scheduled Task/Job: Scheduled Task
      PID:1292
-
C:\Windows\system32\taskeng.exe (level 1)
  taskeng.exe {99432D25-E89E-4BE5-80D0-9A29CBCA7107} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID:1468

  C:\Users\Admin\AppData\Roaming\dwm.exe (level 2)
    C:\Users\Admin\AppData\Roaming\dwm.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2192

  C:\Users\Admin\AppData\Roaming\dwm.exe (level 2)
    C:\Users\Admin\AppData\Roaming\dwm.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:564
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  1.6MB
MD5  3d0cf751fb32bf70ed4f71aabebb3510
SHA1  9cb2daa219930db66e9fbc0fdbd163b9ea530176
SHA256  0469f50854f0dde4fe6c3f21ce5718f8fce4d93b7c7f5c3d87a3be63cf8c8ca4
SHA512  00f5087887146714b6d0e4c7db9eafe272acf590046a2ddba359c4cebda16ce8b64ec88095bdb5887e16546af9df255a30f9da1fc16862884638b75d5b23ad1b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize  7KB
MD5  564d4994f63dac3b91fd1dd7b2a7560c
SHA1  8c00d9dbe938362e913d53ad098c3f1309016355
SHA256  41cc97d79f09be58d6fce1d2f831dea8b7c1f8f05a60c5d939f4f602ef6d6666
SHA512  edf7f6d6bb89b5a59cb41c5202c8f6f61031a78f60254433a1748ff352e6dea0de3fbe3ebd6fba3fb83dba7ee5d99d7ee0af35a6484992ac44e4469463cf7fe8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GCWHO9R01DFAPUPL5JVZ.temp
Filesize  7KB
MD5  c29ba10c733f23810f7602258df7fb8c
SHA1  2f37021c427cb36bbd4b21287e41153bc4e84ee1
SHA256  13afc38bf1fc9174bf4fc13388480c85a55f2b3a022fc9a028c32b44c639d693
SHA512  bb062deab2a7f05a4f30043e746c3c4b4c625028cfa0479b68328fdd9956ca3801eacb2d671e95818e0396cb2b5019013340dfe115fa6ec6562074a0ebca6ab1
-
Filesize  65KB
MD5  cd65113a412150ecdc63837ab1bfe9ba
SHA1  c691b213aa095d0c5b1e724c3121ecc28409735d
SHA256  06439b356cd3345f9e95eeee776e855c1ed77a9e445de6ce8bdd1765b9157326
SHA512  ed2ce053a16649d5866bc81a9602f8b9f22dd87d8651657783d0196ec9c1b7fbdd9390099b99a8f5bc07f0830fb4ac0be469ee3bd7ea160348a9e2df699eaeb7