Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 15:50 UTC

General

  • Target

    7b443b8f64de4145923bf413fe3a15c0_NeikiAnalytics.exe

  • Size

    71KB

  • MD5

    7b443b8f64de4145923bf413fe3a15c0

  • SHA1

    b18f907780198a153360cca8dff4a50b148422e6

  • SHA256

    d9084242f673cfe57fb2e8c9245a450ca9e50915c90ebf216384b1dca31f9a37

  • SHA512

    d970268561f67786dd44f7201f9dbf4f6939f0b891f4823c68de32cacd0ff7ac11c30a34d6d606ba0efb86f26c70c2b8ce719dbbbc30e8ab3addd64df564eb7b

  • SSDEEP

    384:MdPnITsHlTxk7ETVAyPyAtatgTkeI8rlHfuDLLfFGY2rXdSkxzyuafqr9KpteyNK:MdAT05xk7HKQ8xccJjIVqrzyuX

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b443b8f64de4145923bf413fe3a15c0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7b443b8f64de4145923bf413fe3a15c0_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe
      "C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe"
      2⤵
      • Executes dropped EXE
      PID:2020

Network

  • Country: US
    DNS
    ce-cloud.com
    hfdfjdk.exe
    Remote address:
    8.8.8.8:53
    Request
    ce-cloud.com
    IN A
    Response
    ce-cloud.com
    IN A
    77.72.4.110
  • Country: US
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • Country: US
    DNS
    149.177.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.177.190.20.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    99.58.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.58.20.217.in-addr.arpa
    IN PTR
    Response
  • Country: BE
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    2.17.196.72:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Thu, 09 May 2024 15:51:01 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.44c41102.1715269861.10f76e61
  • Country: US
    DNS
    72.196.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.196.17.2.in-addr.arpa
    IN PTR
    Response
    72.196.17.2.in-addr.arpa
    IN PTR
    a2-17-196-72.deploy.static.akamaitechnologies.com
  • Country: US
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • Country: US
    DNS
    107.211.222.173.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    107.211.222.173.in-addr.arpa
    IN PTR
    Response
    107.211.222.173.in-addr.arpa
    IN PTR
    a173-222-211-107.deploy.static.akamaitechnologies.com
  • Country: US
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77.deploy.static.akamaitechnologies.com
  • Country: US
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 77.72.4.110:443
    ce-cloud.com
    hfdfjdk.exe
    260 B
    5
  • 2.17.196.72:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.4kB
    6.3kB
    16
    11

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 77.72.4.110:443
    ce-cloud.com
    hfdfjdk.exe
    260 B
    5
  • 77.72.4.110:443
    ce-cloud.com
    hfdfjdk.exe
    260 B
    5
  • 77.72.4.110:443
    ce-cloud.com
    hfdfjdk.exe
    260 B
    5
  • 77.72.4.110:443
    ce-cloud.com
    hfdfjdk.exe
    260 B
    5
  • 77.72.4.110:443
    ce-cloud.com
    hfdfjdk.exe
    260 B
    5
  • 77.72.4.110:443
    ce-cloud.com
    hfdfjdk.exe
    260 B
    5
  • 77.72.4.110:443
    ce-cloud.com
    hfdfjdk.exe
    104 B
    2
  • 8.8.8.8:53
    ce-cloud.com
    dns
    hfdfjdk.exe
    58 B
    74 B
    1
    1

    DNS Request

    ce-cloud.com

    DNS Response

    77.72.4.110

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    149.177.190.20.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    149.177.190.20.in-addr.arpa

  • 8.8.8.8:53
    99.58.20.217.in-addr.arpa
    dns
    71 B
    131 B
    1
    1

    DNS Request

    99.58.20.217.in-addr.arpa

  • 8.8.8.8:53
    72.196.17.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    72.196.17.2.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    107.211.222.173.in-addr.arpa
    dns
    74 B
    141 B
    1
    1

    DNS Request

    107.211.222.173.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe

    Filesize

    71KB

    MD5

    6069d40dc7d6d798421ba1d9bdc089f3

    SHA1

    262cb3f7f533ba101412e9ef73038a6a0b0e884e

    SHA256

    0a81d07100b12836840b9b3913cda45eac902bcf9249982d08875b52cf21d14c

    SHA512

    ec0d0738cece8349d943a04f87c9b43977337f60d6cd9632aae3b8b09a5483331e89135602827e54f620ed2b5fe99d642ea3b30748055940d2d11259eed0a609