Analysis

  • max time kernel
    140s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64  arch:x86  image:win10v2004-20240226-en  locale:en-us  os:windows10-2004-x64  system
  • submitted
    28-06-2024 12:02

General

  • Target

    96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe

  • Size

    1.2MB

  • MD5

    11ae8536e9968d050d0eb53ca7fe8d00

  • SHA1

    6741c252fa36715043c3afaf6bdb9687deb08cb0

  • SHA256

    96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87

  • SHA512

    0f3a3603828369fc3a3323c635ea7a3556b8fdf63fc558e1b8ecdb1fba71ac15a73497fad9ae03ca968338b61b1b9e84b573ab86c1b656735359bd753a1c6f55

  • SSDEEP

    24576:NHR0G3bY4R9SslKujAZBZPIn+klcWK8fhx0aA:NyGrY4Rg2KucZLPI+kDK8JU

Malware Config

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Looks up external IP address via web service (4 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to fingerprint the host and detect sandbox or virtual-machine environments.

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
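The behaviours the signatures above describe can be recovered from ordinary host telemetry. The following Python is an added example, not code from this report, from the sandbox, or from 44Caliber: a small rule matcher that takes constructed file, registry, DNS and API-call events and maps them onto the signature names listed above, with the one false-positive case a practitioner hits first (a browser reading its own credential store) handled. The browser, wallet and CPU-info paths, the IP-lookup hostnames and the process-enumeration API names are the commonly used locations and are assumed, not values observed in this run (the report does not list its IoCs here); the C:\ProgramData\44\ path is taken from the report's dropped-file list. All event records are constructed for illustration.

```python
import re
from collections import defaultdict

SAMPLE_EXE = "96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe"
EDGE_EXE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed telemetry (not from the report): one dict per observed operation,
# roughly the shape an EDR or Sysmon export would give you.
SAMPLE_EVENTS = [
    {"pid": 4136, "image": SAMPLE_EXE, "op": "file_read",
     "target": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4136, "image": SAMPLE_EXE, "op": "file_read",
     "target": r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k3z8q1x0.default-release\logins.json"},
    {"pid": 4136, "image": SAMPLE_EXE, "op": "file_read",
     "target": r"C:\Users\Admin\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"pid": 4136, "image": SAMPLE_EXE, "op": "reg_read",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"pid": 4136, "image": SAMPLE_EXE, "op": "dns", "target": "api.ipify.org"},
    {"pid": 4136, "image": SAMPLE_EXE, "op": "api_call", "target": "CreateToolhelp32Snapshot"},
    {"pid": 4136, "image": SAMPLE_EXE, "op": "file_write", "target": r"C:\ProgramData\44\Process.txt"},
    # Edge reading its own credential store is normal and must not fire.
    {"pid": 5012, "image": EDGE_EXE, "op": "file_read",
     "target": r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"pid": 5012, "image": EDGE_EXE, "op": "dns", "target": "edge.microsoft.com"},
]

# Processes that legitimately read the browser stores they own.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

# (signature name as the report spells it, operations it applies to, pattern on the target).
# Paths, hostnames and API names are the usual locations (assumed), not values observed in this run.
RULES = [
    ("Reads user/profile data of web browsers", {"file_read"}, re.compile(
        r"(\\User Data\\[^\\]+\\(Login Data|Cookies|Web Data|History)"
        r"|\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite))$", re.I)),
    ("Accesses cryptocurrency files/wallets", {"file_read"}, re.compile(
        r"(\\Exodus\\|\\Electrum\\wallets\\|\\Ethereum\\keystore\\|\\atomic\\|\\wallet\.dat$)", re.I)),
    ("Checks processor information in registry", {"reg_read"}, re.compile(
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I)),
    ("Looks up external IP address via web service", {"dns", "http"}, re.compile(
        r"^(api\.ipify\.org|ipinfo\.io|icanhazip\.com|checkip\.amazonaws\.com|ip-api\.com)$", re.I)),
    ("Suspicious behavior: EnumeratesProcesses", {"api_call"}, re.compile(
        r"^(CreateToolhelp32Snapshot|Process32(First|Next)W?|NtQuerySystemInformation|EnumProcesses)$")),
    # Derived from the report's dropped-file list; a weak, sample-specific IoC.
    ("Writes staging file under C:\\ProgramData\\44", {"file_write"}, re.compile(
        r"^C:\\ProgramData\\44\\", re.I)),
]


def match_events(events):
    """Map each process to the signatures it triggered: {pid: {signature: [targets]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        for name, ops, pattern in RULES:
            if ev["op"] not in ops or not pattern.search(ev["target"]):
                continue
            # A browser reading its own profile store is expected behaviour;
            # only a foreign process touching that data is interesting.
            if name.startswith("Reads user/profile data") and image in BROWSER_IMAGES:
                continue
            hits[ev["pid"]][name].append(ev["target"])
    return {pid: dict(sigs) for pid, sigs in hits.items()}


def infostealer_score(sig_map):
    """Count the distinct harvesting signatures (browser, wallet, external IP,
    process enumeration); all four together is the combination worth escalating."""
    harvesting = {RULES[0][0], RULES[1][0], RULES[3][0], RULES[4][0]}
    return len(harvesting & set(sig_map))


if __name__ == "__main__":
    for pid, sigs in match_events(SAMPLE_EVENTS).items():
        print(f"PID {pid}: score {infostealer_score(sigs)}/4")
        for name, targets in sigs.items():
            print(f"  {name} ({len(targets)} IoC)")
            for t in targets:
                print(f"    {t}")
```

Run against the constructed events, only PID 4136 is reported, with all four harvesting signatures; the Edge utility process reading its own Login Data is suppressed by the image check rather than by weakening the path pattern, which is the choice that keeps the rule useful against a stealer that copies the database elsewhere first.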

Processes

  • C:\Users\Admin\AppData\Local\Temp\96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe"
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID: 4136
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
    PID: 5012

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\ProgramData\44\Process.txt

      Filesize

      294B

      MD5

      f65338ec5df6b979adff236282a43a6e

      SHA1

      770a93e086579658d03423a4cbae0db683f280ab

      SHA256

      6eda780beb79942898191b534ac5443ba80ca9fc1cbb9b4f49979ebdb50b945a

      SHA512

      53bace80094bb50d666b5c175f453862b10a6d6ac94cb6ff4c3e37ddebe036052678c99c19e9895282a48e66a03512c70340874cf85e4c2c8e9c44016a5dc10f

    • C:\ProgramData\44\Process.txt

      Filesize

      421B

      MD5

      807f8d4fd7ffd56e13ee1b9734f2b0fa

      SHA1

      ee2a60c91d8730a2bdc2eb38315ea9825300b3bd

      SHA256

      0061bbd269111ebdf9ca784a61d65a55ab387ec7f277d58da1cb46e6c069a554

      SHA512

      705c0e72eda92d2a115ea3ab2601add24ebdf7b85df4aac50cbb25f01db7a1156131741cb690910b64ffd16d98f5b7805486d293f3acd67277c571cc14dafb61

    • C:\ProgramData\44\Process.txt

      Filesize

      738B

      MD5

      839d19b1169d708bfa964d558f47b576

      SHA1

      2d2083c154e3c3e3d1b7b15202bf65e34084a13a

      SHA256

      3a1a845c87ee92366c9484b2674ff6ff2838e477193ff51ed67ef3c51de68539

      SHA512

      cb7c7f7fc661ef8ba9ebdc45115d9836d833f1e12293f8944b5a0223397489994eb7debe96aba2e42e93ae0e370926c08d73b2af682f46b43d028669d07eb917

    • C:\ProgramData\44\Process.txt

      Filesize

      1KB

      MD5

      85fdae8888fa4935fa52f166d93c8893

      SHA1

      cc2abd9e7377078a07c85a21bfcad2b53f0e8770

      SHA256

      1012eda63e0782d0157ca081a014ddd71d6d988cec2bc8a1c770f3d215669000

      SHA512

      00b8e3048be7145fcde2ba4d669209212eb9f7a9ee7c379b3806e699dd885cc5c4144e2bfe8acf8e733a4659b3b2f3ab8b76d4b0b4039fe0de618eb8512e702b

    • memory/4136-0-0x00007FFDB9F93000-0x00007FFDB9F95000-memory.dmp

      Filesize

      8KB

    • memory/4136-1-0x0000026136390000-0x00000261365D2000-memory.dmp

      Filesize

      2.3MB

    • memory/4136-2-0x0000026136980000-0x0000026136981000-memory.dmp

      Filesize

      4KB

    • memory/4136-3-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp

      Filesize

      10.8MB

    • memory/4136-4-0x0000026138330000-0x0000026138380000-memory.dmp

      Filesize

      320KB

    • memory/4136-5-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp

      Filesize

      10.8MB

    • memory/4136-33-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp

      Filesize

      10.8MB

    • memory/4136-127-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp

      Filesize

      10.8MB