Analysis
- max time kernel: 140s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 08:26

Behavioral task: behavioral1
- Sample: 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe
- Resource: win7-20240220-en
General
- Target: 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe
- Size: 68KB
- MD5: f285bb29b6e4476df16c5dca03df7e30
- SHA1: 3a2d1d3600487aefc3839f8873a3a388d8417fba
- SHA256: 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76
- SHA512: adfedad4d0476f0cc3b6eb5b1a51699f60ec0c72ad42740174594773f4e91ab2bf1f2e5782cac2c34ced3d76054cb0edb4e9aeb17290a3b17f6a33d31d8a7433
- SSDEEP: 1536:ah2S7CNP4d+okkGbbXwwf0Q7X/7PeZVclN:ah2S7jdDGbbXFPKzY
Malware Config

Extracted
- Family: asyncrat
- Version: 2.0.0
- Botnet: Default
- C2: webwhatsapp.cc:65503
- Mutex: ShiningForceRatMutex_cs_cs_cs
- delay: 1
- install: true
- install_file: wps.exe
- install_folder: %AppData%
Signatures

- Async RAT payload (1 IoC)
  resource: C:\Users\Admin\AppData\Roaming\wps.exe; yara_rule: family_asyncrat

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation; process: 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe
- Executes dropped EXE (1 IoC)
  pid 1500; process: wps.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Delays execution with timeout.exe (1 IoC)
  pid 3024; process: timeout.exe

- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid 640; process: 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe (all 23 entries are this same process)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege; pid 640; process: 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe
  Token: SeDebugPrivilege; pid 1500; process: wps.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 640 (8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe) wrote to memory of 5080 (cmd.exe)
  PID 640 (8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe) wrote to memory of 5080 (cmd.exe)
  PID 640 (8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe) wrote to memory of 4304 (cmd.exe)
  PID 640 (8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe) wrote to memory of 4304 (cmd.exe)
  PID 4304 (cmd.exe) wrote to memory of 3024 (timeout.exe)
  PID 4304 (cmd.exe) wrote to memory of 3024 (timeout.exe)
  PID 5080 (cmd.exe) wrote to memory of 4940 (schtasks.exe)
  PID 5080 (cmd.exe) wrote to memory of 4940 (schtasks.exe)
  PID 4304 (cmd.exe) wrote to memory of 1500 (wps.exe)
  PID 4304 (cmd.exe) wrote to memory of 1500 (wps.exe)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe (PID 640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 5080)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wps" /tr '"C:\Users\Admin\AppData\Roaming\wps.exe"' & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 4940)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "wps" /tr '"C:\Users\Admin\AppData\Roaming\wps.exe"'
      Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\cmd.exe (PID 4304)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp538E.tmp.bat""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 3024)
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\wps.exe (PID 1500)
      Command line: "C:\Users\Admin\AppData\Roaming\wps.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 147B
  MD5: 532c875503ce6d22291ae87f7db5e644
  SHA1: 643a77273178d30958b20140a38e4315667a2b66
  SHA256: 95352ef0ef235947a8009faadec3793becfb6386eb0c4848089127293e165d17
  SHA512: ea24939d05e41357e77ab8f92a97085a783e1b528bd3181ac4398b51e6f65dfb5c83e6ffb58d03cfeca32bf39760d6a0a7550618bea26b69592d5107b9af5acb
- Filesize: 68KB
  MD5: f285bb29b6e4476df16c5dca03df7e30
  SHA1: 3a2d1d3600487aefc3839f8873a3a388d8417fba
  SHA256: 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76
  SHA512: adfedad4d0476f0cc3b6eb5b1a51699f60ec0c72ad42740174594773f4e91ab2bf1f2e5782cac2c34ced3d76054cb0edb4e9aeb17290a3b17f6a33d31d8a7433