Analysis
- max time kernel: 145s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 00:08
- Static task: static1
- Behavioral task: behavioral1
- Sample: 25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe
- Resource: win7-20240508-en
General
- Target: 25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe
- Size: 100KB
- MD5: d1d73678477e150ceebbfc9daec53070
- SHA1: 5f8597ad91251c6f13d13596864a5dfd542872b4
- SHA256: 25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59
- SHA512: bf70ce0429791261c030dff001077fdc950d5183b1afac03e0cfe5ef75115243e24f878c1eaead7d9bdcc1b6353c550e2c7fd78d33ead300b12c4cd2b54c837d
- SSDEEP: 1536:YyYCkvjnFk/6jW8JX/3jtzUYx5QRpeTi+ORyBeRQ2R:YyY1bFCcW8JX/zeYxVT8RMeye
Malware Config
Signatures
- Detect Neshta payload (1 IoC)
  Processes:
    - resource: behavioral2/memory/4332-16-0x000000001BB20000-0x000000001BB3B000-memory.dmp (yara_rule: family_neshta)
- Detect Xworm payload (1 IoC)
  Processes:
    - resource: behavioral2/memory/4332-16-0x000000001BB20000-0x000000001BB3B000-memory.dmp (yara_rule: family_xworm)
- Neshta
  Malware from the Neshta family is designed to infect itself into other files to spread itself and cause damage.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes:
    - Key value queried: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation (process: 25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe)
- Executes dropped EXE (1 IoC)
  Processes:
    - pid 4332: sqRLkphNDkWHwD.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    - Set value (str): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqRLkphNDkWHwD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqRLkphNDkWHwD.exe" (process: sqRLkphNDkWHwD.exe)
    - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqRLkphNDkWHwD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqRLkphNDkWHwD.exe" (process: sqRLkphNDkWHwD.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: dw20.exe)
    - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: dw20.exe)
    - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: dw20.exe)
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes:
    - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: dw20.exe)
    - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: dw20.exe)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    - Token: SeDebugPrivilege, pid 3492, process 25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe
    - Token: SeDebugPrivilege, pid 4332, process sqRLkphNDkWHwD.exe
    - Token: SeBackupPrivilege, pid 4592, process dw20.exe
    - Token: SeBackupPrivilege, pid 4592, process dw20.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    - PID 3492 wrote to memory of 4332: process 25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe, target process sqRLkphNDkWHwD.exe
    - PID 3492 wrote to memory of 4332: process 25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe, target process sqRLkphNDkWHwD.exe
    - PID 4332 wrote to memory of 4592: process sqRLkphNDkWHwD.exe, target process dw20.exe
    - PID 4332 wrote to memory of 4592: process sqRLkphNDkWHwD.exe, target process dw20.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\sqRLkphNDkWHwD.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\sqRLkphNDkWHwD.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 824
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\sqRLkphNDkWHwD.exe
  Filesize: 100KB
  MD5: d1d73678477e150ceebbfc9daec53070
  SHA1: 5f8597ad91251c6f13d13596864a5dfd542872b4
  SHA256: 25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59
  SHA512: bf70ce0429791261c030dff001077fdc950d5183b1afac03e0cfe5ef75115243e24f878c1eaead7d9bdcc1b6353c550e2c7fd78d33ead300b12c4cd2b54c837d
- memory/3492-0-0x00007FFB1AF95000-0x00007FFB1AF96000-memory.dmp
  Filesize: 4KB
- memory/3492-1-0x00007FFB1ACE0000-0x00007FFB1B681000-memory.dmp
  Filesize: 9.6MB
- memory/3492-4-0x00007FFB1ACE0000-0x00007FFB1B681000-memory.dmp
  Filesize: 9.6MB
- memory/3492-17-0x00007FFB1ACE0000-0x00007FFB1B681000-memory.dmp
  Filesize: 9.6MB
- memory/4332-16-0x000000001BB20000-0x000000001BB3B000-memory.dmp
  Filesize: 108KB
- memory/4332-18-0x00007FFB1ACE0000-0x00007FFB1B681000-memory.dmp
  Filesize: 9.6MB
- memory/4332-19-0x00007FFB1ACE0000-0x00007FFB1B681000-memory.dmp
  Filesize: 9.6MB
- memory/4332-26-0x00007FFB1ACE0000-0x00007FFB1B681000-memory.dmp
  Filesize: 9.6MB