Analysis
max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 03:26
Static task: static1
Behavioral task: behavioral1
  Sample: 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
Size: 90KB
MD5: 13eff7025902a43d033a7dd6bc94d800
SHA1: 2051a81c87c5a738b86f93f03dc489bc8dcd1c60
SHA256: 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35
SHA512: e818bc3b480968ff31f70f7160d62cf4b4042730e1bbc4d186b059d72279bb99f70a25b7de45eac4ea52f11b9ca80343030c110bbea6ab3ca32baece5b9b43ee
SSDEEP: 1536:t3x85+Ks2gc/Ndu0PaxkawA5f2DkZoWdxcO6z/nCmbuFYlCVu6xw5:th85+KsoN00Cxp92D32xx6z/nC+CVm
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid | process
  1968 | bQH4b64fwWKnwvi.exe
  1580 | svhost.exe
Loads dropped DLL (2 IoCs)
  pid | process
  568 | 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
  568 | 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | svhost.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\svhost.exe | 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
  File created | C:\Windows\svhost.exe | svhost.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 568 | 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
  Token: SeDebugPrivilege | 1580 | svhost.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 568 wrote to memory of 1968 | 568 | 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe | bQH4b64fwWKnwvi.exe
  PID 568 wrote to memory of 1968 | 568 | 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe | bQH4b64fwWKnwvi.exe
  PID 568 wrote to memory of 1968 | 568 | 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe | bQH4b64fwWKnwvi.exe
  PID 568 wrote to memory of 1968 | 568 | 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe | bQH4b64fwWKnwvi.exe
  PID 568 wrote to memory of 1580 | 568 | 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe | svhost.exe
  PID 568 wrote to memory of 1580 | 568 | 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe | svhost.exe
  PID 568 wrote to memory of 1580 | 568 | 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe | svhost.exe
  PID 568 wrote to memory of 1580 | 568 | 31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe | svhost.exe
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\31ed34a52cbc233f7d610b6cf0239661bb0bd843d1c7d482e4e546b194a19b35_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\bQH4b64fwWKnwvi.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\bQH4b64fwWKnwvi.exe
    - Executes dropped EXE
  Depth 2: C:\Windows\svhost.exe
    Command line: "C:\Windows\svhost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\bQH4b64fwWKnwvi.exe
  Filesize: 90KB
  MD5: 4d47be3a8b102a9a74059b59587d264e
  SHA1: 642f44774172e0bedea63c3911d6d739343beafa
  SHA256: 8633bb730c58e4c8a3d3aad2f967061978c96120f76b31d8b167e89c5a6ef1aa
  SHA512: 493897bde2ca464c5dc5e9f86c6703e44e130c6c6a614b6aa1395f3bbfb4d6db80ab89f64ba66b0953d2129eec64f292ef6efc8dc0a0749920cbe879bf41fff6
C:\Users\Admin\AppData\Local\Temp\bQH4b64fwWKnwvi.exe
  Filesize: 90KB
  MD5: 5e3353cf9132ac68c834028afbafc0ba
  SHA1: 34f21c8a373c690fede56606421f405fc5de046f
  SHA256: 26a12f32b89ca3e24e32fff49de615df44dbec087c554351656fb18d5f472fa9
  SHA512: 9207d8e0bfd7673b8da7c420beb120c6f31624fc118e3151d7ac87878ef32a9b55ff40a76d6c664ef18e23dcf709ac3a6fd56b7c2f5ce8d8d6e791d1a5137704
C:\Users\Admin\AppData\Local\Temp\bQH4b64fwWKnwvi.exe
  Filesize: 73KB
  MD5: 2ffc9a24492c0a1af4d562f0c7608aa5
  SHA1: 1fd5ff6136fba36e9ee22598ecd250af3180ee53
  SHA256: 69828c857d4824b9f850b1e0597d2c134c91114b7a0774c41dffe33b0eb23721
  SHA512: 03806d162931b1dcf036a51e753ff073a43664491a3cd2e649e55dd77d5e910f7bcf1e217eb0889ef606457b679428640e975ee227de941a200f652417bc6d5d
C:\Windows\svhost.exe
  Filesize: 16KB
  MD5: 76fd02b48297edb28940bdfa3fa1c48a
  SHA1: bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
  SHA256: 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
  SHA512: 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0