582ce3baaeb21085ad885c3c731d6c227e8d80fe51ed39d1d5d413a5d95e2310

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f369c0c2f1f345c8b7980a615518640_NeikiAnalytics.exe
Size

38KB
MD5

5f369c0c2f1f345c8b7980a615518640
SHA1

62fe87f4ceb32f2d7f14e4f5e38369bc567599e6
SHA256

582ce3baaeb21085ad885c3c731d6c227e8d80fe51ed39d1d5d413a5d95e2310
SHA512

d662b76242aff43a65b7db2d69c1c801acf0fede93d308872e23a445e4747dcba7c9e4fbe46b1371f499eea881d87e04d72ef5d9b2ccfd982f55bcda73ed8b63
SSDEEP

768:JybDkdsqw8guzZFcWiVEaByckWiVECtu1MJXOs26nGMAc:JGMG8tz3cFE2kFECDzgc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	5f369c0c2f1f345c8b7980a615518640_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
5076	ykqie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 5076	716	5f369c0c2f1f345c8b7980a615518640_NeikiAnalytics.exe	92
PID 716 wrote to memory of 5076	716	5f369c0c2f1f345c8b7980a615518640_NeikiAnalytics.exe	92
PID 716 wrote to memory of 5076	716	5f369c0c2f1f345c8b7980a615518640_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\5f369c0c2f1f345c8b7980a615518640_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f369c0c2f1f345c8b7980a615518640_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:716
- C:\Users\Admin\AppData\Local\Temp\ykqie.exe
  "C:\Users\Admin\AppData\Local\Temp\ykqie.exe"
  2⤵
  - Executes dropped EXE
  PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ykqie.exe

Filesize
38KB

MD5
7e3896f9498cda31a35bbd20f0a4c0ef

SHA1
2ef10ee18ed2a7f5aa1c51876c3da684a508f8a3

SHA256
cce031a71f80652a4580051df791dd6f3d3d0ae41a5be89a5a3f79da21e021a5

SHA512
8bffe5bdf7ec493c3921fa238bf1af85a2d14a41aaf650b990fc6c38d22626c24f02bb2a09a86c0e8bdc5f17ebaee70f47832f103d58610fc96941d72a255579

Download Submit
memory/716-1-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/716-8-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5076-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download