Analysis
max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 08:19

Behavioral task: behavioral1
Sample: 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe
Size: 40KB
MD5: 04ca884a9dfccd6baaee58f2177080d0
SHA1: c10be9c9b0ec84918aaecc237683cb199af0265b
SHA256: 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414
SHA512: 8827a87f4062af43b5f3d2c9c48533c8e9962e88163e3979c42e597918cefc8090860dd8b6c10b67af643bd7f5f60dcfd6f1adf258fa28b41a59f4481613994c
SSDEEP: 768:YNfPMSk3K/EzTb/0X8WuFZ4ZJF5PC9O9L68OMh43/Ol:Yf05a/CTjS89wFc9UL68OMui
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 156.225.129.219:7000
Mutex: UgCHSjyyhcAoKoh0
Install_directory: %Userprofile%
install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoC)
Processes (resource | yara_rule):
  behavioral2/memory/3192-1-0x0000000000C10000-0x0000000000C20000-memory.dmp | family_xworm
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes (pid | process):
  1064 | powershell.exe
  3324 | powershell.exe
  3004 | powershell.exe
  3756 | powershell.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe
Drops startup file (2 IoCs)
Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
  14 | ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes (pid | process):
  1064 | powershell.exe
  1064 | powershell.exe
  3324 | powershell.exe
  3324 | powershell.exe
  3004 | powershell.exe
  3004 | powershell.exe
  3756 | powershell.exe
  3756 | powershell.exe
  3192 | 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 3192 | 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe
  Token: SeDebugPrivilege | 1064 | powershell.exe
  Token: SeDebugPrivilege | 3324 | powershell.exe
  Token: SeDebugPrivilege | 3004 | powershell.exe
  Token: SeDebugPrivilege | 3756 | powershell.exe
  Token: SeDebugPrivilege | 3192 | 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid | process):
  3192 | 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description | pid | process | target process):
  PID 3192 wrote to memory of 1064 | 3192 | 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe | powershell.exe
  PID 3192 wrote to memory of 1064 | 3192 | 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe | powershell.exe
  PID 3192 wrote to memory of 3324 | 3192 | 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe | powershell.exe
  PID 3192 wrote to memory of 3324 | 3192 | 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe | powershell.exe
  PID 3192 wrote to memory of 3004 | 3192 | 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe | powershell.exe
  PID 3192 wrote to memory of 3004 | 3192 | 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe | powershell.exe
  PID 3192 wrote to memory of 3756 | 3192 | 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe | powershell.exe
  PID 3192 wrote to memory of 3756 | 3192 | 42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe | powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe"
  Signatures:
    - Checks computer location settings
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe'
      Signatures:
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '42adba2c72643ecee2f1b0cfd16d79c065eafcd1640c4bdbce23afdd46c09414_NeikiAnalytics.exe'
      Signatures:
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\csrss'
      Signatures:
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss'
      Signatures:
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: f4038903775bd49192beef39594c3614
  SHA1: db4d190d86ea4a231ce6b5408860220a1020077f
  SHA256: 97a71179aa74dbcd1c58694ee6d2fa7faa432312db4f803611ac478d9c0256ec
  SHA512: 059cf3c5afc9cc7eace9a6a9ae05db5ad1f7620e6def9885a317c377eb6cfe2056e4f3aa03c7a2035d21a332626d292116594303d97c5c82b8c5b0eedcbb9332
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: d298fb959e456936bab85c646ae01f62
  SHA1: 34b7adb3a4da5ef84f81101c13a293b7fd059a7d
  SHA256: 0a173048ea747b64f3495f90a8f76c51711be0d1725f2fb95dbfc269ceccb85a
  SHA512: 2ea3879d98e961e9398ff3007531f65a4b1022c844d6204df8589382ebdb2cb37c9d70d8ce6e97aed088d6e73e60072951a458a62154a7af8a23c8ca86d7ab87
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: ba169f4dcbbf147fe78ef0061a95e83b
  SHA1: 92a571a6eef49fff666e0f62a3545bcd1cdcda67
  SHA256: 5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
  SHA512: 8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 34f595487e6bfd1d11c7de88ee50356a
  SHA1: 4caad088c15766cc0fa1f42009260e9a02f953bb
  SHA256: 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
  SHA512: 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i0za2nza.j0p.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
Memory dumps (dump | Filesize):
- memory/1064-18-0x00007FF816410000-0x00007FF816ED1000-memory.dmp | 10.8MB
- memory/1064-12-0x00000252DD960000-0x00000252DD982000-memory.dmp | 136KB
- memory/1064-15-0x00007FF816410000-0x00007FF816ED1000-memory.dmp | 10.8MB
- memory/1064-14-0x00007FF816410000-0x00007FF816ED1000-memory.dmp | 10.8MB
- memory/1064-13-0x00007FF816410000-0x00007FF816ED1000-memory.dmp | 10.8MB
- memory/3004-45-0x00000253E7390000-0x00000253E75AC000-memory.dmp | 2.1MB
- memory/3004-44-0x00000253E7260000-0x00000253E72A8000-memory.dmp | 288KB
- memory/3192-2-0x00007FF816410000-0x00007FF816ED1000-memory.dmp | 10.8MB
- memory/3192-0-0x00007FF816413000-0x00007FF816415000-memory.dmp | 8KB
- memory/3192-1-0x0000000000C10000-0x0000000000C20000-memory.dmp | 64KB
- memory/3192-60-0x00007FF816413000-0x00007FF816415000-memory.dmp | 8KB
- memory/3192-61-0x00007FF816410000-0x00007FF816ED1000-memory.dmp | 10.8MB
- memory/3324-31-0x000002C2E9F80000-0x000002C2E9FC8000-memory.dmp | 288KB
- memory/3324-32-0x000002C2EA030000-0x000002C2EA24C000-memory.dmp | 2.1MB