Analysis
max time kernel: 145s
max time network: 54s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-06-2024 16:00
Static task: static1
Behavioral task: behavioral1
Sample: 04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe
Size: 1.8MB
MD5: 93bab175f87cf76fb8247d78bcfedab0
SHA1: 3432a30b942f87784bdc677854298312b670a6bd
SHA256: 04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860
SHA512: fb114f76422826e4d1a1d7aca5a97d9593d03b95e27920aa4f6f5c446f320c4022b388c01f49df625c2e268f9e5152b06bd6936b6b5484db2f14032a3e2dc696
SSDEEP: 24576:LTZth+nZm+GEbfOlSlEiGHzCa0etEQ+ZVY7jzSbknaphQVuQiUJDRcH2JmxnYqqc:LH+QQE4GT1qjrY7agnP0QpXJmxj82Rn
Malware Config
Extracted
Family: xworm
C2: 1.tcp.sa.ngrok.io:22405
Install_directory: %AppData%
install_file: dwm.exe
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Detect Xworm Payload  2 IoCs
resource                                                                     yara_rule
C:\Windows\dwm.exe                                                           family_xworm
behavioral2/memory/3144-34-0x0000000000680000-0x0000000000696000-memory.dmp  family_xworm

AgentTesla payload  1 IoCs
resource                                                                     yara_rule
behavioral2/memory/228-32-0x000001F52BC60000-0x000001F52BE74000-memory.dmp   family_agenttesla
Command and Scripting Interpreter: PowerShell  5 IoCs
Processes:
pid   process
3240  powershell.exe
612   powershell.exe
1672  powershell.exe
1876  powershell.exe
4124  powershell.exe
Checks computer location settings  2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence check (the same value is read by ordinary locale-aware software, so on its own it is a weak indicator).
Processes:
description        ioc                                                                                                 process
Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  dwm.exe
Executes dropped EXE  4 IoCs
Processes:
pid   process
228   Zimo Free2.exe
3144  dwm.exe
896   dwm.exe
4900  dwm.exe
Legitimate hosting services abused for malware hosting/C2  1 TTPs 1 IoCs

Looks up external IP address via web service  1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
3     ip-api.com
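The two signatures above (an ngrok TCP tunnel as C2, and an ip-api.com lookup) are cheap to hunt for in DNS telemetry, and the hostname is a poor blocklist entry because an operator can re-create the tunnel under a new number and region at any time. The following is an added example of pattern-based detection, not tria.ge code and not part of the sample: the dns.log lines are constructed, the tunnel-hostname shape (`<n>.tcp.<region>.ngrok.io`, generalised from the extracted C2 `1.tcp.sa.ngrok.io`), the list of IP-lookup services and the "lookup then tunnel" correlation rule are this example's own assumptions. Expect false positives from developers who use ngrok legitimately; tune by host population rather than by hostname.

```python
"""Flag tunnel-provider C2 and external-IP lookups in DNS logs.  Added example
for the two signatures above; it is not tria.ge code.  The dns.log lines are
constructed, and the provider patterns and the correlation rule are mine."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Hostname shape of an ngrok TCP tunnel, e.g. 1.tcp.sa.ngrok.io from the
# extracted xworm config (assumption: <n>.tcp.<region>.ngrok.io).
NGROK_TCP = re.compile(r"^\d+\.tcp\.(?:[a-z]{2}\.)?ngrok\.io$", re.I)
# Public "what is my IP" services commonly called right after infection
# (assumed list; extend from your own telemetry).
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ipinfo.io", "icanhazip.com"}


def parse_c2(endpoint: str) -> Tuple[str, int]:
    """Split a 'host:port' C2 string as found in the extracted config."""
    host, _, port = endpoint.rpartition(":")
    return host.lower(), int(port)


def classify(host: str) -> List[str]:
    """Tags for one queried hostname; empty list means nothing of interest."""
    tags: List[str] = []
    if NGROK_TCP.match(host):
        tags.append("ngrok_tcp_tunnel")
    if host.lower() in IP_LOOKUP_HOSTS:
        tags.append("external_ip_lookup")
    return tags


# Constructed Zeek-style dns.log excerpt: ts <TAB> id.orig_h <TAB> query.
DNS_LOG = (
    "1718985601.120\t10.0.0.7\tip-api.com\n"
    "1718985601.530\t10.0.0.7\t1.tcp.sa.ngrok.io\n"
    "1718985620.002\t10.0.0.9\tupdate.example.com\n"
    "1718985690.410\t10.0.0.7\t1.tcp.sa.ngrok.io\n"
)


def hunt(log: str, window_s: float = 120.0) -> Dict[str, List[str]]:
    """Tags per source host.  'ip_lookup_then_tunnel' fires when a host
    resolves a tunnel hostname within window_s after an IP-lookup service,
    which is the order this report shows (flow 3 to ip-api.com, then C2)."""
    events = sorted(
        (float(ts), src, query)
        for ts, src, query in (line.split("\t") for line in log.splitlines() if line)
    )
    hits: Dict[str, List[str]] = defaultdict(list)
    last_lookup: Dict[str, float] = {}
    for ts, src, query in events:
        tags = classify(query)
        if "external_ip_lookup" in tags:
            last_lookup[src] = ts
        if "ngrok_tcp_tunnel" in tags and ts - last_lookup.get(src, float("-inf")) <= window_s:
            tags.append("ip_lookup_then_tunnel")
        for tag in tags:
            if tag not in hits[src]:
                hits[src].append(tag)
    return dict(hits)


if __name__ == "__main__":
    print("C2:", parse_c2("1.tcp.sa.ngrok.io:22405"))
    for src, tags in hunt(DNS_LOG).items():
        print(src, "->", ", ".join(tags))
```

Run it as-is to see the constructed host 10.0.0.7 flagged for all three tags while 10.0.0.9, which only resolved an unrelated name, produces no entry; to apply it to real data, feed `hunt()` the `ts`, `id.orig_h` and `query` columns of a Zeek dns.log or the equivalent Sysmon Event ID 22 fields.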
Drops file in Windows directory  1 IoCs
Processes:
description   ioc                 process
File created  C:\Windows\dwm.exe  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry  2 TTPs 3 IoCs
Processes:
description        ioc                                                                   process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       Zimo Free2.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     Zimo Free2.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  Zimo Free2.exe
Scheduled Task/Job: Scheduled Task  1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses  10 IoCs
Processes:
pid   process
3240  powershell.exe
3240  powershell.exe
1876  powershell.exe
1876  powershell.exe
4124  powershell.exe
4124  powershell.exe
612   powershell.exe
612   powershell.exe
1672  powershell.exe
1672  powershell.exe
Suspicious use of AdjustPrivilegeToken  10 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  3240  powershell.exe
Token: SeDebugPrivilege  3144  dwm.exe
Token: SeDebugPrivilege  228   Zimo Free2.exe
Token: SeDebugPrivilege  1876  powershell.exe
Token: SeDebugPrivilege  4124  powershell.exe
Token: SeDebugPrivilege  612   powershell.exe
Token: SeDebugPrivilege  1672  powershell.exe
Token: SeDebugPrivilege  3144  dwm.exe
Token: SeDebugPrivilege  896   dwm.exe
Token: SeDebugPrivilege  4900  dwm.exe
Suspicious use of WriteProcessMemory  16 IoCs
Processes:
description                       pid   process                                                                               target process
PID 2444 wrote to memory of 3240  2444  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe  powershell.exe
PID 2444 wrote to memory of 3240  2444  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe  powershell.exe
PID 2444 wrote to memory of 228   2444  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe  Zimo Free2.exe
PID 2444 wrote to memory of 228   2444  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe  Zimo Free2.exe
PID 2444 wrote to memory of 3144  2444  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe  dwm.exe
PID 2444 wrote to memory of 3144  2444  04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe  dwm.exe
PID 3144 wrote to memory of 1876  3144  dwm.exe                                                                               powershell.exe
PID 3144 wrote to memory of 1876  3144  dwm.exe                                                                               powershell.exe
PID 3144 wrote to memory of 4124  3144  dwm.exe                                                                               powershell.exe
PID 3144 wrote to memory of 4124  3144  dwm.exe                                                                               powershell.exe
PID 3144 wrote to memory of 612   3144  dwm.exe                                                                               powershell.exe
PID 3144 wrote to memory of 612   3144  dwm.exe                                                                               powershell.exe
PID 3144 wrote to memory of 1672  3144  dwm.exe                                                                               powershell.exe
PID 3144 wrote to memory of 1672  3144  dwm.exe                                                                               powershell.exe
PID 3144 wrote to memory of 3292  3144  dwm.exe                                                                               schtasks.exe
PID 3144 wrote to memory of 3292  3144  dwm.exe                                                                               schtasks.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe  (PID 2444)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3240)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAbgBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAZABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AbABlACMAPgA="
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe  (PID 228)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe"
    - Executes dropped EXE
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\dwm.exe  (PID 3144)
    Command line: "C:\Windows\dwm.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1876)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\dwm.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4124)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dwm.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 612)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\dwm.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1672)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dwm.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\schtasks.exe  (PID 3292)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dwm" /tr "C:\Users\Admin\AppData\Roaming\dwm.exe"
      - Scheduled Task/Job: Scheduled Task

C:\Users\Admin\AppData\Roaming\dwm.exe  (PID 896)
  Command line: C:\Users\Admin\AppData\Roaming\dwm.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\dwm.exe  (PID 4900)
  Command line: C:\Users\Admin\AppData\Roaming\dwm.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
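Three things in the tree above deserve a closer look than the raw command lines give. First, PID 3240 runs an `-EncodedCommand`; that argument is Base64 over UTF-16LE, and once decoded it reads `<#rnn#>Add-MpPreference <#mqu#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#ldc#> -Force <#mle#>`, i.e. a Defender exclusion for the whole user profile and the whole system drive, padded with `<# ... #>` block comments that break naive substring matching. Second, the four PowerShell children of PID 3144 add narrower exclusions for both copies of dwm.exe, and the schtasks child registers a task that runs `%AppData%\dwm.exe` every minute at the highest run level (the two top-level `C:\Users\Admin\AppData\Roaming\dwm.exe` processes at the end of the tree are consistent with that task firing). Third, dwm.exe is the name of the legitimate Desktop Window Manager, which runs from C:\Windows\System32, not from C:\Windows or a user's roaming profile. The following is an added triage example, not tria.ge output and not the malware's code: the command lines are copied from the tree, while the rule names, regular expressions and the `SYSTEM_BINARIES` table are this example's own.

```python
"""Triage helpers for the process tree above.  Added example, not tria.ge
output or the sample's own code: the command lines are copied from the
report; rule names, regexes and the SYSTEM_BINARIES table are mine."""
import base64
import re
from typing import Dict, List, Set

PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
# Command lines copied from the tree: PIDs 3240, 1876, 4124, 612, 1672, 3292.
COMMAND_LINES = [
    PS + ' -EncodedCommand "PAAjAHIAbgBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAZABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AbABlACMAPgA="',
    PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\dwm.exe'",
    PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dwm.exe'",
    PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\dwm.exe'",
    PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dwm.exe'",
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dwm" /tr "C:\Users\Admin\AppData\Roaming\dwm.exe"',
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_ARG = re.compile(r"-(?:e|ec|en[a-z]*)\b\s+\"?([A-Za-z0-9+/=]+)\"?", re.I)
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.S)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is Base64 over UTF-16LE, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")


def normalise(cmdline: str) -> str:
    """Effective script text: decoded when -EncodedCommand is present, with
    <# ... #> block comments removed (the decoded command above carries
    <#rnn#>-style junk comments between every token) and whitespace collapsed."""
    m = ENCODED_ARG.search(cmdline)
    script = decode_encoded_command(m.group(1)) if m else cmdline
    script = BLOCK_COMMENT.sub("", script)
    return re.sub(r"\s+", " ", script).strip()


def triage(cmdline: str) -> List[str]:
    """Rule hits for one command line (rule names are this example's own)."""
    script = normalise(cmdline)
    hits: List[str] = []
    if re.search(r"\bAdd-MpPreference\b", script, re.I):
        if re.search(r"-Exclusion(?:Path|Process|Extension|IpAddress)\b", script, re.I):
            hits.append("defender_exclusion")
        # $env:UserProfile / $env:SystemDrive exclude the profile or the whole drive.
        if re.search(r"\$env:(?:UserProfile|SystemDrive)\b", script, re.I):
            hits.append("defender_exclusion_broad")
    if re.search(r"-ExecutionPolicy\s+Bypass\b", script, re.I):
        hits.append("executionpolicy_bypass")
    if re.search(r"\bschtasks(?:\.exe)?\b.*?/create\b", cmdline, re.I):
        if re.search(r"/sc\s+minute\s+/mo\s+1\b", cmdline, re.I):
            hits.append("schtasks_every_minute")
        if re.search(r"/RL\s+HIGHEST\b", cmdline, re.I):
            hits.append("schtasks_highest_rl")
        m = re.search(r'/tr\s+"?([^"]+)', cmdline, re.I)
        if m and re.search(r"\\AppData\\", m.group(1), re.I):
            hits.append("schtasks_runs_from_appdata")
    return hits


# Binaries whose names malware borrows, with the directories the real one runs
# from on x64 Windows (constructed table, not exhaustive).
SYSTEM_BINARIES: Dict[str, Set[str]] = {
    "dwm.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def masquerades_system_binary(image_path: str) -> bool:
    """True when a well-known system binary name runs from the wrong directory."""
    directory, _, name = image_path.lower().rpartition("\\")
    allowed = SYSTEM_BINARIES.get(name)
    return allowed is not None and directory not in allowed


if __name__ == "__main__":
    for cmd in COMMAND_LINES:
        print(repr(normalise(cmd)[:72]), "->", triage(cmd))
    for path in (r"C:\Windows\dwm.exe", r"C:\Users\Admin\AppData\Roaming\dwm.exe", r"C:\Windows\System32\dwm.exe"):
        print(path, "masquerade =", masquerades_system_binary(path))
```

Matching on the normalised script rather than the raw command line is the point: the first-stage exclusion would be missed by any rule keyed on the literal string `Add-MpPreference`, while the scheduled-task rules work on the raw line because schtasks has no encoding layer. For remediation, the same list tells you what to undo: `Remove-MpPreference` for the path and process exclusions, deletion of the task named `dwm`, and removal of both dropped dwm.exe copies.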
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 654B
MD5: 2ff39f6c7249774be85fd60a8f9a245e
SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: d775b6d7bb7ad804668df75a5e9b9455
SHA1: 567110dd4bd79f341697cff48d777584a06f75b5
SHA256: 6cd235d2bc6d8c4e8281b81956156391290a02aea8306e8bc10c771e6ba3622c
SHA512: a3e78f52ef042adbd4ca9475864c69d3e981fcbe111b8df16ad1e21e61e2c4da4d159fdbd80995e7214697385140c0afc315cc32d7f8a4cd4fa943ca9d175a6a

Filesize: 944B
MD5: ce4540390cc4841c8973eb5a3e9f4f7d
SHA1: 2293f30a6f4c9538bc5b06606c10a50ab4ecef8e
SHA256: e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105
SHA512: 2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

Filesize: 944B
MD5: 2a4825f4f95c5d3d72911c6e7eb902ca
SHA1: 4c22133f24e77211313beb0831980029a53e7dde
SHA256: 59eecad327a693c8b2e3a5932238cda2141c6a0afbba6a5587933c9f2c1025e0
SHA512: 8e09a61c62a4b83f4f323b5b74f89cc26d708fd1fe646317f5f404af8d4d3fcf327f20f5e4a3b310786c0f639df2d17e1a51def08c95fa964928ad6c08c81386

Filesize: 944B
MD5: 65a68df1062af34622552c4f644a5708
SHA1: 6f6ecf7b4b635abb0b132d95dac2759dc14b50af
SHA256: 718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35
SHA512: 4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d

Filesize: 1.6MB
MD5: 3d0cf751fb32bf70ed4f71aabebb3510
SHA1: 9cb2daa219930db66e9fbc0fdbd163b9ea530176
SHA256: 0469f50854f0dde4fe6c3f21ce5718f8fce4d93b7c7f5c3d87a3be63cf8c8ca4
SHA512: 00f5087887146714b6d0e4c7db9eafe272acf590046a2ddba359c4cebda16ce8b64ec88095bdb5887e16546af9df255a30f9da1fc16862884638b75d5b23ad1b

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 65KB
MD5: cd65113a412150ecdc63837ab1bfe9ba
SHA1: c691b213aa095d0c5b1e724c3121ecc28409735d
SHA256: 06439b356cd3345f9e95eeee776e855c1ed77a9e445de6ce8bdd1765b9157326
SHA512: ed2ce053a16649d5866bc81a9602f8b9f22dd87d8651657783d0196ec9c1b7fbdd9390099b99a8f5bc07f0830fb4ac0be469ee3bd7ea160348a9e2df699eaeb7