31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
Size

90KB
MD5

13eff7025902a43d033a7dd6bc94d800
SHA1

2051a81c87c5a738b86f93f03dc489bc8dcd1c60
SHA256

31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35
SHA512

e818bc3b480968ff31f70f7160d62cf4b4042730e1bbc4d186b059d72279bb99f70a25b7de45eac4ea52f11b9ca80343030c110bbea6ab3ca32baece5b9b43ee
SSDEEP

1536:t3x85+Ks2gc/Ndu0PaxkawA5f2DkZoWdxcO6z/nCmbuFYlCVu6xw5:th85+KsoN00Cxp92D32xx6z/nC+CVm

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

bQH4b64fwWKnwvi.exesvhost.exe

pid process

1968 bQH4b64fwWKnwvi.exe
1580 svhost.exe
Loads dropped DLL 2 IoCs

Processes:

31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe

pid process

568 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
568 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1968	bQH4b64fwWKnwvi.exe
1580	svhost.exe

pid	process
568	31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
568	31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exesvhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe"	svhost.exe

Drops file in Windows directory 2 IoCs

Processes:

31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exesvhost.exe

description ioc process

File created C:\Windows\svhost.exe 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
File created C:\Windows\svhost.exe svhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exesvhost.exe

description pid process

Token: SeDebugPrivilege 568 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
Token: SeDebugPrivilege 1580 svhost.exe

description	ioc	process
File created	C:\Windows\svhost.exe	31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
File created	C:\Windows\svhost.exe	svhost.exe

description	pid	process
Token: SeDebugPrivilege	568	31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
Token: SeDebugPrivilege	1580	svhost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe

description	pid	process	target process
PID 568 wrote to memory of 1968	568	31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe	bQH4b64fwWKnwvi.exe
PID 568 wrote to memory of 1968	568	31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe	bQH4b64fwWKnwvi.exe
PID 568 wrote to memory of 1968	568	31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe	bQH4b64fwWKnwvi.exe
PID 568 wrote to memory of 1968	568	31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe	bQH4b64fwWKnwvi.exe
PID 568 wrote to memory of 1580	568	31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe	svhost.exe
PID 568 wrote to memory of 1580	568	31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe	svhost.exe
PID 568 wrote to memory of 1580	568	31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe	svhost.exe
PID 568 wrote to memory of 1580	568	31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\bQH4b64fwWKnwvi.exe
C:\Users\Admin\AppData\Local\Temp\bQH4b64fwWKnwvi.exe
2⤵
- Executes dropped EXE
PID:1968

C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1580

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bQH4b64fwWKnwvi.exe
Filesize
90KB

MD5
4d47be3a8b102a9a74059b59587d264e

SHA1
642f44774172e0bedea63c3911d6d739343beafa

SHA256
8633bb730c58e4c8a3d3aad2f967061978c96120f76b31d8b167e89c5a6ef1aa

SHA512
493897bde2ca464c5dc5e9f86c6703e44e130c6c6a614b6aa1395f3bbfb4d6db80ab89f64ba66b0953d2129eec64f292ef6efc8dc0a0749920cbe879bf41fff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQH4b64fwWKnwvi.exe
Filesize
90KB

MD5
5e3353cf9132ac68c834028afbafc0ba

SHA1
34f21c8a373c690fede56606421f405fc5de046f

SHA256
26a12f32b89ca3e24e32fff49de615df44dbec087c554351656fb18d5f472fa9

SHA512
9207d8e0bfd7673b8da7c420beb120c6f31624fc118e3151d7ac87878ef32a9b55ff40a76d6c664ef18e23dcf709ac3a6fd56b7c2f5ce8d8d6e791d1a5137704

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQH4b64fwWKnwvi.exe
Filesize
73KB

MD5
2ffc9a24492c0a1af4d562f0c7608aa5

SHA1
1fd5ff6136fba36e9ee22598ecd250af3180ee53

SHA256
69828c857d4824b9f850b1e0597d2c134c91114b7a0774c41dffe33b0eb23721

SHA512
03806d162931b1dcf036a51e753ff073a43664491a3cd2e649e55dd77d5e910f7bcf1e217eb0889ef606457b679428640e975ee227de941a200f652417bc6d5d

Download Submit
C:\Windows\svhost.exe
Filesize
16KB

MD5
76fd02b48297edb28940bdfa3fa1c48a

SHA1
bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce

SHA256
07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c

SHA512
28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0

Download Submit