335c1ebd4c2b96a061e699b9d670d6d1ee6b6fa74470c34fd5c099b6543723c7

Analysis

max time kernel
92s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 00:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2764c7a7213d58e667c511e522c15990_NeikiAnalytics.exe
Size

94KB
MD5

2764c7a7213d58e667c511e522c15990
SHA1

13b8ac573833d35e1a03077d8a187ab47e91b652
SHA256

335c1ebd4c2b96a061e699b9d670d6d1ee6b6fa74470c34fd5c099b6543723c7
SHA512

6e4f5318625374ed61d0bb4387e6633136228ff504f3333d33f7130b13b5d2c080426490f96bbc35d545ce2057cb3cdb449f3437495c589b641ae170aee3dd3b
SSDEEP

1536:PGYU/W2/HG6QMauSV3ixJHABLrmhH7i9CO+WHg7zRZICrWaGZh7uj:PfU/WF6QMauSuiWNi9CO+WARJrWNZY

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2764c7a7213d58e667c511e522c15990_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
3468	wuauclt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run"	2764c7a7213d58e667c511e522c15990_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 3468	2520	2764c7a7213d58e667c511e522c15990_NeikiAnalytics.exe	81
PID 2520 wrote to memory of 3468	2520	2764c7a7213d58e667c511e522c15990_NeikiAnalytics.exe	81
PID 2520 wrote to memory of 3468	2520	2764c7a7213d58e667c511e522c15990_NeikiAnalytics.exe	81
PID 2520 wrote to memory of 1404	2520	2764c7a7213d58e667c511e522c15990_NeikiAnalytics.exe	90
PID 2520 wrote to memory of 1404	2520	2764c7a7213d58e667c511e522c15990_NeikiAnalytics.exe	90
PID 2520 wrote to memory of 1404	2520	2764c7a7213d58e667c511e522c15990_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\2764c7a7213d58e667c511e522c15990_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2764c7a7213d58e667c511e522c15990_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2520
- C:\ProgramData\Update\wuauclt.exe
  "C:\ProgramData\Update\wuauclt.exe" /run
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\windows\SysWOW64\cmd.exe
  "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\2764c7a7213d58e667c511e522c15990_NeikiAnalytics.exe" >> NUL
  2⤵
  PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Update\wuauclt.exe

Filesize
94KB

MD5
c0a040eb5073ae4d222aec139a710f30

SHA1
57e697a139eeab0bad733aa80bd4a4cec36b1beb

SHA256
d7fec7949295b374746230e936695c3016130b76bc56076643eb68a94cd506b2

SHA512
241cadcc79f36bdd85c69f7fe1102a578261fabd7aa2c3c611a9b2904dcbba719c3ffef22f704cf5496e16f15effe7fdaea299007cfc838fbfaeacfa45f6610d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads