Analysis
- max time kernel: 130s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 29-06-2024 08:26
Behavioral task: behavioral1
- Sample: 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe
- Resource: win7-20240220-en
General
- Target: 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe
- Size: 68KB
- MD5: f285bb29b6e4476df16c5dca03df7e30
- SHA1: 3a2d1d3600487aefc3839f8873a3a388d8417fba
- SHA256: 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76
- SHA512: adfedad4d0476f0cc3b6eb5b1a51699f60ec0c72ad42740174594773f4e91ab2bf1f2e5782cac2c34ced3d76054cb0edb4e9aeb17290a3b17f6a33d31d8a7433
- SSDEEP: 1536:ah2S7CNP4d+okkGbbXwwf0Q7X/7PeZVclN:ah2S7jdDGbbXFPKzY
Malware Config
Extracted
- Family: asyncrat
- Version: 2.0.0
- Botnet: Default
- C2: webwhatsapp.cc:65503
- Mutex: ShiningForceRatMutex_cs_cs_cs
- delay: 1
- install: true
- install_file: wps.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\wps.exe | family_asyncrat
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  2684 | wps.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  Processes:
  pid | process
  2524 | timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  2872 | 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe
  2872 | 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2872 | 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe
  Token: SeDebugPrivilege | 2684 | wps.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description | pid | process | target process
  PID 2872 wrote to memory of 2704 | 2872 | 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe | cmd.exe
  PID 2872 wrote to memory of 2704 | 2872 | 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe | cmd.exe
  PID 2872 wrote to memory of 2704 | 2872 | 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe | cmd.exe
  PID 2872 wrote to memory of 2604 | 2872 | 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe | cmd.exe
  PID 2872 wrote to memory of 2604 | 2872 | 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe | cmd.exe
  PID 2872 wrote to memory of 2604 | 2872 | 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe | cmd.exe
  PID 2704 wrote to memory of 2624 | 2704 | cmd.exe | schtasks.exe
  PID 2704 wrote to memory of 2624 | 2704 | cmd.exe | schtasks.exe
  PID 2704 wrote to memory of 2624 | 2704 | cmd.exe | schtasks.exe
  PID 2604 wrote to memory of 2524 | 2604 | cmd.exe | timeout.exe
  PID 2604 wrote to memory of 2524 | 2604 | cmd.exe | timeout.exe
  PID 2604 wrote to memory of 2524 | 2604 | cmd.exe | timeout.exe
  PID 2604 wrote to memory of 2684 | 2604 | cmd.exe | wps.exe
  PID 2604 wrote to memory of 2684 | 2604 | cmd.exe | wps.exe
  PID 2604 wrote to memory of 2684 | 2604 | cmd.exe | wps.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2872
  - (2) C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wps" /tr '"C:\Users\Admin\AppData\Roaming\wps.exe"' & exit
    - Suspicious use of WriteProcessMemory
    PID: 2704
    - (3) C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "wps" /tr '"C:\Users\Admin\AppData\Roaming\wps.exe"'
      - Scheduled Task/Job: Scheduled Task
      PID: 2624
  - (2) C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp195A.tmp.bat""
    - Suspicious use of WriteProcessMemory
    PID: 2604
    - (3) C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
      PID: 2524
    - (3) C:\Users\Admin\AppData\Roaming\wps.exe
      Command line: "C:\Users\Admin\AppData\Roaming\wps.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2684
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 147B
  MD5: 13fb216b897307a0b242f6a1b6fce5a0
  SHA1: 54f2dc9e106d185a22da386a3d2e6ef6b1e50fbd
  SHA256: 8dbd1a804e5ccb8179796039e83f8090517bb29095ae2bce3d3148d0a0f00eab
  SHA512: 9622e19b5e9eedc64425c107ca9c0d6e1fdb3d14d7be3c0f9bfb20d0e59a07cecbf4c420985a9fb9e7ef72f89a2e60d99128fab047b3d4e6f875b1841f7a76a9
- File 2
  Filesize: 68KB
  MD5: f285bb29b6e4476df16c5dca03df7e30
  SHA1: 3a2d1d3600487aefc3839f8873a3a388d8417fba
  SHA256: 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76
  SHA512: adfedad4d0476f0cc3b6eb5b1a51699f60ec0c72ad42740174594773f4e91ab2bf1f2e5782cac2c34ced3d76054cb0edb4e9aeb17290a3b17f6a33d31d8a7433