cf817c9798297a3bd7d7a7504485f28fe8cab862797fc5fad8393b708c1a5c51

Analysis

max time kernel
93s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db466b068b64c9e66ef1ace0a12f73d0_NeikiAnalytics.exe
Size

15KB
MD5

db466b068b64c9e66ef1ace0a12f73d0
SHA1

ac0f630486dcfa2f482de83af093746acf7f641d
SHA256

cf817c9798297a3bd7d7a7504485f28fe8cab862797fc5fad8393b708c1a5c51
SHA512

754032c8010d7a6e11ec02581d2a6c39327cd75a50e35a1ff7a2992eb72f4bb9e06ce16262a37e32666b8e91b8afb7cc16e9769df72db6b47f82bf8b00075dec
SSDEEP

192:5SN0JkITWQJRkHTsNojx3+PXaiYCZ6lbmX1hgQSXhlspmqG:2ITWBHTJd3EIMMbmzg1Xhlua

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	hfdfjdk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	db466b068b64c9e66ef1ace0a12f73d0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
3844	hfdfjdk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 3844	1472	db466b068b64c9e66ef1ace0a12f73d0_NeikiAnalytics.exe	83
PID 1472 wrote to memory of 3844	1472	db466b068b64c9e66ef1ace0a12f73d0_NeikiAnalytics.exe	83
PID 1472 wrote to memory of 3844	1472	db466b068b64c9e66ef1ace0a12f73d0_NeikiAnalytics.exe	83

C:\Users\Admin\AppData\Local\Temp\db466b068b64c9e66ef1ace0a12f73d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\db466b068b64c9e66ef1ace0a12f73d0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe
  "C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe

Filesize
16KB

MD5
79372cd5ad18bad168bb1040efca38f0

SHA1
250b33457e44c82065ca75672b3c461a2fd86a7d

SHA256
3b1475701baa0d089b38446dad2d439238fb89ce41c41a7322b5e750f51644a4

SHA512
57f10afb7733c78e5c73dfa7a38783d0e5d84d4fc1afdb28d8b0872d5f723d3f05bd2920906d5e22803bf97e3e3a6acb0e13699f733ee9225d86137173a0c70a

Download Submit