3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe
Size

52KB
MD5

4069bd2db2c39cb8b411e016a0c613a0
SHA1

0207ca5c986b6d1f15131ce57323e6b49e1038dd
SHA256

3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9
SHA512

5b30a3e51a33d688f56fceaf8c3dba3116f30a36db787f2cbfc5b2670bdd1a5f5654ad262e03c149b7c79c336b19043032ae1deb8bf9a08a503e75343e9d55c4
SSDEEP

1536:N5VzcfA/6LrVpL74gfh16ngIh0rVUt+KZaQDyHPcAcmy:/V2A/gVh74gpggIh4cZ0Pcmy

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

CTS.exeESyeDj6kGXeNM4g.exe

pid process

2264 CTS.exe
2096 ESyeDj6kGXeNM4g.exe
Loads dropped DLL 3 IoCs

Processes:

3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe

pid process

1860 3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe
1860 3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe
2648
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2264	CTS.exe
2096	ESyeDj6kGXeNM4g.exe

pid	process
1860	3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe
1860	3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe
2648

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1860-0-0x0000000001290000-0x00000000012A8000-memory.dmp	upx
behavioral1/memory/2264-17-0x00000000010D0000-0x00000000010E8000-memory.dmp	upx
C:\Windows\CTS.exe	upx
behavioral1/memory/1860-13-0x0000000001290000-0x00000000012A8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

Processes:

3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exeCTS.exe

description ioc process

File created C:\Windows\CTS.exe 3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe
File created C:\Windows\CTS.exe CTS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exeCTS.exe

description pid process

Token: SeDebugPrivilege 1860 3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe
Token: SeDebugPrivilege 2264 CTS.exe

description	ioc	process
File created	C:\Windows\CTS.exe	3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe
File created	C:\Windows\CTS.exe	CTS.exe

description	pid	process
Token: SeDebugPrivilege	1860	3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe
Token: SeDebugPrivilege	2264	CTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe

description	pid	process	target process
PID 1860 wrote to memory of 2096	1860	3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe	ESyeDj6kGXeNM4g.exe
PID 1860 wrote to memory of 2096	1860	3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe	ESyeDj6kGXeNM4g.exe
PID 1860 wrote to memory of 2096	1860	3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe	ESyeDj6kGXeNM4g.exe
PID 1860 wrote to memory of 2096	1860	3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe	ESyeDj6kGXeNM4g.exe
PID 1860 wrote to memory of 2264	1860	3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe	CTS.exe
PID 1860 wrote to memory of 2264	1860	3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe	CTS.exe
PID 1860 wrote to memory of 2264	1860	3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe	CTS.exe
PID 1860 wrote to memory of 2264	1860	3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe	CTS.exe

C:\Users\Admin\AppData\Local\Temp\3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3771d2a411f238623f61e5e499976f177d161417e08108614b622af710ae67c9_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Local\Temp\ESyeDj6kGXeNM4g.exe
C:\Users\Admin\AppData\Local\Temp\ESyeDj6kGXeNM4g.exe
2⤵
- Executes dropped EXE
PID:2096

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2264

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CTS.exe
Filesize
27KB

MD5
a6749b968461644db5cc0ecceffb224a

SHA1
2795aa37b8586986a34437081351cdd791749a90

SHA256
720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

SHA512
2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

Download Submit
\Users\Admin\AppData\Local\Temp\ESyeDj6kGXeNM4g.exe
Filesize
25KB

MD5
abbd49c180a2f8703f6306d6fa731fdc

SHA1
d63f4bfe7f74936b2fbace803e3da6103fbf6586

SHA256
5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1

SHA512
290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

Download Submit
memory/1860-0-0x0000000001290000-0x00000000012A8000-memory.dmp

Filesize
96KB

Download
memory/1860-13-0x0000000001290000-0x00000000012A8000-memory.dmp

Filesize
96KB

Download
memory/2096-19-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2264-17-0x00000000010D0000-0x00000000010E8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads