ff84c7fdfea719ecc7db836441063282adb4de8f8e669e4af7c2fe23c133818b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b155c8d5122c9ac5ba82bdc8a9def60_NeikiAnalytics.exe
Size

6KB
MD5

5b155c8d5122c9ac5ba82bdc8a9def60
SHA1

ff90e6e5605a0475cd7218b93fe855f2c84295cb
SHA256

ff84c7fdfea719ecc7db836441063282adb4de8f8e669e4af7c2fe23c133818b
SHA512

71e8c34f937d4660dee36ad2e27554f019e09b0dac37d433d0e0223455c0e8ad7797e575be3ecffdbad8014a94c4287238b1c1678c4b718f281c0365b2550325
SSDEEP

96:DJOqSXslYquHnnwR2UM2ClAhxnqXU8v5MjjYHQagJQ:XS8AnwR2FBAukYrwax

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	5b155c8d5122c9ac5ba82bdc8a9def60_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
1220	huty.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 1220	228	5b155c8d5122c9ac5ba82bdc8a9def60_NeikiAnalytics.exe	82
PID 228 wrote to memory of 1220	228	5b155c8d5122c9ac5ba82bdc8a9def60_NeikiAnalytics.exe	82
PID 228 wrote to memory of 1220	228	5b155c8d5122c9ac5ba82bdc8a9def60_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\5b155c8d5122c9ac5ba82bdc8a9def60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5b155c8d5122c9ac5ba82bdc8a9def60_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\Temp\huty.exe
  "C:\Users\Admin\AppData\Local\Temp\huty.exe"
  2⤵
  - Executes dropped EXE
  PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\huty.exe

Filesize
7KB

MD5
4bc169261ba245e7e7b21ecc26ff395c

SHA1
0798620f9b30e7afaba6c53177b17d40b86ae9b2

SHA256
9c13a24e9a7cd9059b4671c99922f3bc4e8430bd88738f72eb690b0caeececa9

SHA512
9910d5864845f7b5f384bbe69798d5128fd3456cdd8f54ae40a220dc9236d917d11d532e8873a0ef960c7aa91abac35bbf97fb8be4d9604fbf8f4aabd1ed30a6

Download Submit