Analysis
max time kernel: 7s
max time network: 148s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 01-07-2024 00:45
Behavioral task: behavioral1
Sample: 28132ef9c24ea461015be0ca1a6f775d28e36c28d59df1f24a0527aa5c043695_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 28132ef9c24ea461015be0ca1a6f775d28e36c28d59df1f24a0527aa5c043695_NeikiAnalytics.exe
Resource: win10v2004-20240611-en
General
Target: 28132ef9c24ea461015be0ca1a6f775d28e36c28d59df1f24a0527aa5c043695_NeikiAnalytics.exe
Size: 37KB
MD5: a1e092a1d81eb20d8d5904b6cbab7160
SHA1: 333fb684353cc1e8dfe6206cd3b9721c5574a05d
SHA256: 28132ef9c24ea461015be0ca1a6f775d28e36c28d59df1f24a0527aa5c043695
SHA512: 883088a4ebb323698f50fcad2db43a88c96bc6379eabeb1b169b097ba8f4fa9b4d48390e5f24c5b3d3ca15b105121739987dcb5514aa58b441ae777930901537
SSDEEP: 768:H5gTXwbLsAheofRhTUOe9tLFyc9PoO/hiDy0R:H5gTgUAhHKOSF39PoO/R0R
Malware Config
Extracted: xworm 5.0
modern-educators.gl.at.ply.gg:23695
8N14jzyvJ63EProc
Install_directory: %Userprofile%
install_file: USB.exe
Signatures
Detect Xworm Payload (1 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1964-1-0x0000000000EF0000-0x0000000000F00000-memory.dmp | family_xworm
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | ip-api.com
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1964 | 28132ef9c24ea461015be0ca1a6f775d28e36c28d59df1f24a0527aa5c043695_NeikiAnalytics.exe
Processes
C:\Users\Admin\AppData\Local\Temp\28132ef9c24ea461015be0ca1a6f775d28e36c28d59df1f24a0527aa5c043695_NeikiAnalytics.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\28132ef9c24ea461015be0ca1a6f775d28e36c28d59df1f24a0527aa5c043695_NeikiAnalytics.exe"
Signature: Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\schtasks.exe (level 2)
Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows backup" /tr "C:\Users\Admin\Windows backup"
Signature: Scheduled Task/Job: Scheduled Task
C:\Windows\system32\taskeng.exe (level 1)
Command line: taskeng.exe {69EDA391-F9AF-4B2A-B8B3-E733B8BBABB9} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/1964-0-0x000007FEF6193000-0x000007FEF6194000-memory.dmp (Filesize 4KB)
memory/1964-1-0x0000000000EF0000-0x0000000000F00000-memory.dmp (Filesize 64KB)
memory/1964-2-0x000007FEF6190000-0x000007FEF6B7C000-memory.dmp (Filesize 9.9MB)
memory/1964-6-0x000007FEF6193000-0x000007FEF6194000-memory.dmp (Filesize 4KB)
memory/1964-7-0x000007FEF6190000-0x000007FEF6B7C000-memory.dmp (Filesize 9.9MB)