b5e9c1ac582edee24c21ce06d16b2f88097ca43fe440c1920ae13c3e77a02377

General

Target

63647c0a8e82ac920a94682790346900_NeikiAnalytics.exe
Size

2.3MB
MD5

63647c0a8e82ac920a94682790346900
SHA1

075d726baadbc0c2f3bf30a6856068f40cb643b3
SHA256

b5e9c1ac582edee24c21ce06d16b2f88097ca43fe440c1920ae13c3e77a02377
SHA512

07524714521cf6702111d0855d45a4d17008c316ba1b02575718a525478e2d2e75af3bc24e757eb65c6adc559a1ab80e564936eada73fea3206433cd2c815233
SSDEEP

49152:WcKVDBe/gOs61xz/b1WkHlerfJgQmy2EWsb4AYj8UFop3pAWXry9:nKpBnOs61p5Ip9Ve8UFEXry9

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	63647c0a8e82ac920a94682790346900_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
3960	jusched.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
448	63647c0a8e82ac920a94682790346900_NeikiAnalytics.exe
448	63647c0a8e82ac920a94682790346900_NeikiAnalytics.exe
3960	jusched.exe
3960	jusched.exe
3960	jusched.exe
3960	jusched.exe
3960	jusched.exe
3960	jusched.exe
3960	jusched.exe
3960	jusched.exe
3960	jusched.exe
3960	jusched.exe
3960	jusched.exe
3960	jusched.exe
3960	jusched.exe
3960	jusched.exe
3960	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\b5fb1f06\jusched.exe	63647c0a8e82ac920a94682790346900_NeikiAnalytics.exe
File created	C:\Program Files (x86)\b5fb1f06\b5fb1f06	63647c0a8e82ac920a94682790346900_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	63647c0a8e82ac920a94682790346900_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
448	63647c0a8e82ac920a94682790346900_NeikiAnalytics.exe
3960	jusched.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 3960	448	63647c0a8e82ac920a94682790346900_NeikiAnalytics.exe	80
PID 448 wrote to memory of 3960	448	63647c0a8e82ac920a94682790346900_NeikiAnalytics.exe	80
PID 448 wrote to memory of 3960	448	63647c0a8e82ac920a94682790346900_NeikiAnalytics.exe	80

C:\Users\Admin\AppData\Local\Temp\63647c0a8e82ac920a94682790346900_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\63647c0a8e82ac920a94682790346900_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:448
- C:\Program Files (x86)\b5fb1f06\jusched.exe
  "C:\Program Files (x86)\b5fb1f06\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\b5fb1f06\b5fb1f06

Filesize
17B

MD5
552bb86ed2797d3fd12ac0d273afaf75

SHA1
6e8633f9c24590779acbd3dd14c60f856320bc0a

SHA256
3ef9ff5da8272fd1b14c83f12c8d28fd9dbf32d56bcb714921032b02557fe789

SHA512
dab57227de02f4667cc8e2ec47566088b473caa0387caffbdfde37f3400da7d4f67dd222e83a4fa93592694bbcff7c52a2bcec074868baf221bc47d9370c8d2c

Download Submit
C:\Program Files (x86)\b5fb1f06\jusched.exe

Filesize
2.3MB

MD5
cc3245c5fc050862aca5a2b142a905f0

SHA1
0322b17dfc49052f4ccd2030678530766df1472f

SHA256
f695f9b8c0afb63878c2cdfd3ecfd02e8b85b551122edb2fe864a649487edcb2

SHA512
017ecb5c4d6ca6e7379befc10df5c41e2653ef120d6937b5193f99b87042af403aa8359069cee730204425570f3dfd12152d71aed9bbe11433f1c475024c3f88

Download Submit
memory/448-0-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download
memory/448-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/448-16-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/448-14-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download
memory/3960-22-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download
memory/3960-27-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download
memory/3960-20-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download
memory/3960-21-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/3960-18-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/3960-23-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download
memory/3960-24-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download
memory/3960-17-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download
memory/3960-26-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download
memory/3960-19-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download
memory/3960-28-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download
memory/3960-29-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download
memory/3960-30-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download
memory/3960-31-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download
memory/3960-32-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download
memory/3960-33-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download
memory/3960-34-0x0000000000400000-0x0000000000DF0000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing