0a543d55bc9b9e51367d65b054bb5e97bab3e08a07604195db075aa4a257d2cb

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98a92335748d7b3a25e98db8f54c6d50_NeikiAnalytics.exe
Size

54KB
MD5

98a92335748d7b3a25e98db8f54c6d50
SHA1

ce1831b2fb3c897858b7061e46e142756807912e
SHA256

0a543d55bc9b9e51367d65b054bb5e97bab3e08a07604195db075aa4a257d2cb
SHA512

90b0873340dbf9ce814e082f2a75c485ec7be38b6fbeee31ea90a08fe1ccd488d03b770d93d9280dfc192d48c23cdc755e959815a1004891da372c45a81480a1
SSDEEP

768:jxDDnyAiIbhn+oRTaFSxjquEDFAnA1tLRNk2djaYoCMHosOAJy:jxDDnd1Raqq2uBNdSCMM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	98a92335748d7b3a25e98db8f54c6d50_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
228	hcbnaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 228	4904	98a92335748d7b3a25e98db8f54c6d50_NeikiAnalytics.exe	81
PID 4904 wrote to memory of 228	4904	98a92335748d7b3a25e98db8f54c6d50_NeikiAnalytics.exe	81
PID 4904 wrote to memory of 228	4904	98a92335748d7b3a25e98db8f54c6d50_NeikiAnalytics.exe	81

C:\Users\Admin\AppData\Local\Temp\98a92335748d7b3a25e98db8f54c6d50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\98a92335748d7b3a25e98db8f54c6d50_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe
  "C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe"
  2⤵
  - Executes dropped EXE
  PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe

Filesize
55KB

MD5
417e924b30f783a7570403b8149b1aea

SHA1
4409497d006e43a73cba9d1d96e773f747cf4548

SHA256
772be44acb574d7ccade56a9310f213ef723b72975312f455c297ae8089cf149

SHA512
2f47bdece58de7a684606c0ec350e8090cd61ba77d34f0ebc0353a85a58cd4d2c4ad7e3bc9bc40bf63ce1dbd5eaa0b5f9bd6b1f1817e2c320067226a669fd70f

Download Submit
memory/228-9-0x0000000000E20000-0x0000000000E24000-memory.dmp

Filesize
16KB

Download
memory/4904-1-0x00000000012E0000-0x00000000012E4000-memory.dmp

Filesize
16KB

Download