5b16d0a79784c13822e0c636ca09358ac89985eb522708f2225a40edfeb44b6a

Analysis

max time kernel
126s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe
Size

25KB
MD5

4359077919a018bdaa7cfc6b7e53f0c0
SHA1

bb5877a23f1bc8b3590ea035e0f0fa50a4f6ada8
SHA256

5b16d0a79784c13822e0c636ca09358ac89985eb522708f2225a40edfeb44b6a
SHA512

4eca16ea2c2cbe40f386783203a0499d2a37f4d581a9c80480721bc0fde15b22aa02d86fb374791d9dc0368a0c41fa162e2f86393ca4702b4e1bfd9663197fd3
SSDEEP

384:kzFouStKf7l1VRrNSeQc46+G9TTE0TIhuDsAoJ:IouFffo/c4lcTTEgfgAi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
3764	codecsupdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 3764	228	4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe	84
PID 228 wrote to memory of 3764	228	4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe	84
PID 228 wrote to memory of 3764	228	4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\Temp\codecsupdater.exe
  "C:\Users\Admin\AppData\Local\Temp\codecsupdater.exe"
  2⤵
  - Executes dropped EXE
  PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\codecsupdater.exe

Filesize
25KB

MD5
33b2050517474686fab0e908499ed351

SHA1
bcd81e8371b4b9551d6b8184921d6c4132aaf22d

SHA256
412324aa8b60faf72e80136e38e097fa913c6d7aabc3e8e6f6d3befabe6d5ee7

SHA512
9cf754df2bc5e482b4ed87e5062a8c124a7b0f1b384a4b5e9295a490cbf6eb455950145f67c2b9f6c13f9274993f0579052d76fbec35c6f2c3d54229fe67b512

Download Submit
memory/228-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/228-2-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/228-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3764-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download