neshta | 25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59

Analysis

max time kernel
145s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe
Size

100KB
MD5

d1d73678477e150ceebbfc9daec53070
SHA1

5f8597ad91251c6f13d13596864a5dfd542872b4
SHA256

25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59
SHA512

bf70ce0429791261c030dff001077fdc950d5183b1afac03e0cfe5ef75115243e24f878c1eaead7d9bdcc1b6353c550e2c7fd78d33ead300b12c4cd2b54c837d
SSDEEP

1536:YyYCkvjnFk/6jW8JX/3jtzUYx5QRpeTi+ORyBeRQ2R:YyY1bFCcW8JX/zeYxVT8RMeye

Score

10^/10

neshta xworm persistence rat spyware trojan

Malware Config

Signatures

Detect Neshta payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/4332-16-0x000000001BB20000-0x000000001BB3B000-memory.dmp family_neshta
Detect Xworm Payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/4332-16-0x000000001BB20000-0x000000001BB3B000-memory.dmp family_xworm
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

resource	yara_rule
behavioral2/memory/4332-16-0x000000001BB20000-0x000000001BB3B000-memory.dmp	family_neshta

resource	yara_rule
behavioral2/memory/4332-16-0x000000001BB20000-0x000000001BB3B000-memory.dmp	family_xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

sqRLkphNDkWHwD.exe

pid process

4332 sqRLkphNDkWHwD.exe

pid	process
4332	sqRLkphNDkWHwD.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sqRLkphNDkWHwD.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqRLkphNDkWHwD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqRLkphNDkWHwD.exe"	sqRLkphNDkWHwD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqRLkphNDkWHwD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqRLkphNDkWHwD.exe"	sqRLkphNDkWHwD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

dw20.exe

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exesqRLkphNDkWHwD.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	3492	25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe
Token: SeDebugPrivilege	4332	sqRLkphNDkWHwD.exe
Token: SeBackupPrivilege	4592	dw20.exe
Token: SeBackupPrivilege	4592	dw20.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exesqRLkphNDkWHwD.exe

description	pid	process	target process
PID 3492 wrote to memory of 4332	3492	25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe	sqRLkphNDkWHwD.exe
PID 3492 wrote to memory of 4332	3492	25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe	sqRLkphNDkWHwD.exe
PID 4332 wrote to memory of 4592	4332	sqRLkphNDkWHwD.exe	dw20.exe
PID 4332 wrote to memory of 4592	4332	sqRLkphNDkWHwD.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492

C:\Users\Admin\AppData\Local\Temp\sqRLkphNDkWHwD.exe
"C:\Users\Admin\AppData\Local\Temp\sqRLkphNDkWHwD.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 824
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4592

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sqRLkphNDkWHwD.exe
Filesize
100KB

MD5
d1d73678477e150ceebbfc9daec53070

SHA1
5f8597ad91251c6f13d13596864a5dfd542872b4

SHA256
25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59

SHA512
bf70ce0429791261c030dff001077fdc950d5183b1afac03e0cfe5ef75115243e24f878c1eaead7d9bdcc1b6353c550e2c7fd78d33ead300b12c4cd2b54c837d

Download Submit
memory/3492-0-0x00007FFB1AF95000-0x00007FFB1AF96000-memory.dmp

Filesize
4KB

Download
memory/3492-1-0x00007FFB1ACE0000-0x00007FFB1B681000-memory.dmp

Filesize
9.6MB

Download
memory/3492-4-0x00007FFB1ACE0000-0x00007FFB1B681000-memory.dmp

Filesize
9.6MB

Download
memory/3492-17-0x00007FFB1ACE0000-0x00007FFB1B681000-memory.dmp

Filesize
9.6MB

Download
memory/4332-16-0x000000001BB20000-0x000000001BB3B000-memory.dmp

Filesize
108KB

Download
memory/4332-18-0x00007FFB1ACE0000-0x00007FFB1B681000-memory.dmp

Filesize
9.6MB

Download
memory/4332-19-0x00007FFB1ACE0000-0x00007FFB1B681000-memory.dmp

Filesize
9.6MB

Download
memory/4332-26-0x00007FFB1ACE0000-0x00007FFB1B681000-memory.dmp

Filesize
9.6MB

Download