Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system -
submitted
29-06-2024 02:30
Static task
static1
Behavioral task
behavioral1
Sample
4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f_NeikiAnalytics.exe
Resource
win7-20240611-en
General
-
Target
4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f_NeikiAnalytics.exe
-
Size
1.5MB
-
MD5
df9bf4df68480a45ae5a38b85c3152e0
-
SHA1
9cfe0a528a7e327f552f03961071232001cbe44c
-
SHA256
4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f
-
SHA512
82dcf21b771c24e88d6fd6217780eb57948e17c5f3a52b4098579d2356b6e955b1a8f7423c98f40be027111c447db2c61281be4653f234a734757cf3548b1e19
-
SSDEEP
24576:KK9MHjif9ILK3gBlsXbvLbLUJ70Uj654koEBETT2f1Y+TSXjk:K/jwaLKQl+bH4JbjzzEBETT29YMST
Malware Config
Extracted
vidar
https://t.me/g067n
https://steamcommunity.com/profiles/76561199707802586
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0
Signatures
-
Detect Vidar Stealer 17 IoCs
Processes:
resource / yara_rule:
behavioral1/memory/2516-2-0x0000000003150000-0x0000000003260000-memory.dmp family_vidar_v7
behavioral1/memory/2496-18-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7
behavioral1/memory/2496-23-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7
behavioral1/memory/2496-21-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7
behavioral1/memory/2496-17-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7
behavioral1/memory/2496-15-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7
behavioral1/memory/2496-135-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7
behavioral1/memory/2496-152-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7
behavioral1/memory/2496-178-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7
behavioral1/memory/2496-186-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7
behavioral1/memory/2496-187-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7
behavioral1/memory/2496-211-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7
behavioral1/memory/2496-355-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7
behavioral1/memory/2496-377-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7
behavioral1/memory/2496-394-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7
behavioral1/memory/2496-411-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7
behavioral1/memory/2496-428-0x0000000000400000-0x0000000000648000-memory.dmp family_vidar_v7
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pid / process:
2496 kat780.tmp
-
Loads dropped DLL 2 IoCs
Processes:
pid / process:
2516 4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f_NeikiAnalytics.exe
2516 4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f_NeikiAnalytics.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description / pid / process / target process:
PID 2516 set thread context of 2496 | 2516 4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f_NeikiAnalytics.exe -> kat780.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description / ioc / process:
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | kat780.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | kat780.tmp
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid / process:
872 timeout.exe
-
Modifies system certificate store
Processes:
description / ioc / process:
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | kat780.tmp
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | kat780.tmp
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid / process:
2496 kat780.tmp
2496 kat780.tmp
2496 kat780.tmp
2496 kat780.tmp
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description / pid / process / target process:
PID 2516 wrote to memory of 2496 | 2516 4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f_NeikiAnalytics.exe -> kat780.tmp
PID 2516 wrote to memory of 2496 | 2516 4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f_NeikiAnalytics.exe -> kat780.tmp
PID 2516 wrote to memory of 2496 | 2516 4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f_NeikiAnalytics.exe -> kat780.tmp
PID 2516 wrote to memory of 2496 | 2516 4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f_NeikiAnalytics.exe -> kat780.tmp
PID 2516 wrote to memory of 2496 | 2516 4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f_NeikiAnalytics.exe -> kat780.tmp
PID 2516 wrote to memory of 2496 | 2516 4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f_NeikiAnalytics.exe -> kat780.tmp
PID 2516 wrote to memory of 2496 | 2516 4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f_NeikiAnalytics.exe -> kat780.tmp
PID 2516 wrote to memory of 2496 | 2516 4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f_NeikiAnalytics.exe -> kat780.tmp
PID 2516 wrote to memory of 2496 | 2516 4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f_NeikiAnalytics.exe -> kat780.tmp
PID 2496 wrote to memory of 1640 | 2496 kat780.tmp -> cmd.exe
PID 2496 wrote to memory of 1640 | 2496 kat780.tmp -> cmd.exe
PID 2496 wrote to memory of 1640 | 2496 kat780.tmp -> cmd.exe
PID 2496 wrote to memory of 1640 | 2496 kat780.tmp -> cmd.exe
PID 1640 wrote to memory of 872 | 1640 cmd.exe -> timeout.exe
PID 1640 wrote to memory of 872 | 1640 cmd.exe -> timeout.exe
PID 1640 wrote to memory of 872 | 1640 cmd.exe -> timeout.exe
PID 1640 wrote to memory of 872 | 1640 cmd.exe -> timeout.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4fb42a9f7986b17d59814a0bb5daffb06a3f40736d9d5cf55daf46615bd1ca0f_NeikiAnalytics.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2516 -
  [2] C:\Users\Admin\AppData\Local\Temp\kat780.tmp
  Command line: C:\Users\Admin\AppData\Local\Temp\kat780.tmp
- Executes dropped EXE
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2496 -
    [3] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\kat780.tmp" & rd /s /q "C:\ProgramData\BFCFBFBFBKFI" & exit
- Suspicious use of WriteProcessMemory
PID:1640 -
      [4] C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 10
- Delays execution with timeout.exe
PID:872
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
c490d34a2c8f03d9460dcc0e686863b9
SHA1
dc8a5bd51e2ab9d15a6c5da01a1cdbb317666526
SHA256
0b1d68c7498c5f7c0d5e4abeaa67d10a4ae12e8d4645eecd29c81e4b42172a7f
SHA512
966f43951591a6064fba83731f5d32d96b1c50ea94ecc50af73f505dcd2b3a20aa4fda0815150434a9f2eb29e09752da11de8df773d8c94c6a420365ff129e30
-
Filesize
67KB
MD5
2d3dcf90f6c99f47e7593ea250c9e749
SHA1
51be82be4a272669983313565b4940d4b1385237
SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5
-
Filesize
160KB
MD5
7186ad693b8ad9444401bd9bcd2217c2
SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b
-
Filesize
861KB
MD5
66064dbdb70a5eb15ebf3bf65aba254b
SHA1
0284fd320f99f62aca800fb1251eff4c31ec4ed7
SHA256
6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795
SHA512
b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f