12d1746d00af8ec47564e80eaf947aa8253d18bf24a01d53f9846d2641b47636

Analysis

max time kernel
122s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfbc776ceeec6e6355dc7028e292b950_NeikiAnalytics.exe
Size

54KB
MD5

dfbc776ceeec6e6355dc7028e292b950
SHA1

bc3c94ef154d231f33a5571a15b61a130c94b3ea
SHA256

12d1746d00af8ec47564e80eaf947aa8253d18bf24a01d53f9846d2641b47636
SHA512

35fb8abafcc727eaf36581eb0b0a11c2dfac9d192a8a1b82c22ab42349c9c86ce2292e4f4104152a57e40c607a3fc252f432fdd9554ef88f982ded48f940d8e8
SSDEEP

768:r8eRH+MlFh0pDpuJ84WEi+U6sh7iQroCHmyf+RjFBSuB2Xpfs5:r9l+W8xFt6sh7iQroCoRB0u0s5

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	dfbc776ceeec6e6355dc7028e292b950_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
4420	bkgrnd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4364-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x0006000000023276-7.dat	upx
behavioral2/memory/4364-10-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4420-22-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 4420	4364	dfbc776ceeec6e6355dc7028e292b950_NeikiAnalytics.exe	82
PID 4364 wrote to memory of 4420	4364	dfbc776ceeec6e6355dc7028e292b950_NeikiAnalytics.exe	82
PID 4364 wrote to memory of 4420	4364	dfbc776ceeec6e6355dc7028e292b950_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\dfbc776ceeec6e6355dc7028e292b950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dfbc776ceeec6e6355dc7028e292b950_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\bkgrnd.exe
  "C:\Users\Admin\AppData\Local\Temp\bkgrnd.exe"
  2⤵
  - Executes dropped EXE
  PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bkgrnd.exe

Filesize
55KB

MD5
e8e067d0607417c68422a7914dd37d74

SHA1
bdd22012c6d2318d170927612c58a49633552c28

SHA256
a59a763342dfb418c7bf1f5bd549c16f9dd1460f299a1f8c804662ae56254c77

SHA512
d6396a3f676fda9c34902dedcb00ee8e8d02dd86a84ab790e33bab42ad69db445521a5e47a4c96e1bbd03b4df4be542e693916f7330d1e779ff4e036ede3ffbe

Download Submit
memory/4364-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4364-1-0x0000000004000000-0x0000000004006000-memory.dmp

Filesize
24KB

Download
memory/4364-2-0x0000000004000000-0x0000000004006000-memory.dmp

Filesize
24KB

Download
memory/4364-10-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4420-22-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download