22ea4e497b8c342d01dd85edfd3cb1ffb2171685b154e7858898a8caa1be59a5

General

Target

a5c431f15cbbbaedcc4e244f7665b660_NeikiAnalytics.exe
Size

1.8MB
MD5

a5c431f15cbbbaedcc4e244f7665b660
SHA1

f4988c0d5c7c1a3ca61bc8496f73c492af402381
SHA256

22ea4e497b8c342d01dd85edfd3cb1ffb2171685b154e7858898a8caa1be59a5
SHA512

175c299681f5313c6fd2dbda20003ce6a9ab797ab2e71962603ed2365182d77f208bae2123157e337a46f65f28184df05846b91bd1b0f1d2e81ddce04275afe0
SSDEEP

24576:C1HkstfYbs+HMddYIpiwKYdH2YAxYI1MpRMTFBzLDJ6Fo3a40Wfm2b4bl1Rq5qle:C1Hkb0dMwf2lxKGVkoKM+xc523Ay2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	3B34.tmp

Executes dropped EXE 1 IoCs

pid	Process
2672	3B34.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	3B34.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4732	WINWORD.EXE
4732	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2672	3B34.tmp

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4732	WINWORD.EXE
4732	WINWORD.EXE
4732	WINWORD.EXE
4732	WINWORD.EXE
4732	WINWORD.EXE
4732	WINWORD.EXE
4732	WINWORD.EXE
4732	WINWORD.EXE
4732	WINWORD.EXE
4732	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2672	3192	a5c431f15cbbbaedcc4e244f7665b660_NeikiAnalytics.exe	83
PID 3192 wrote to memory of 2672	3192	a5c431f15cbbbaedcc4e244f7665b660_NeikiAnalytics.exe	83
PID 3192 wrote to memory of 2672	3192	a5c431f15cbbbaedcc4e244f7665b660_NeikiAnalytics.exe	83
PID 2672 wrote to memory of 4732	2672	3B34.tmp	87
PID 2672 wrote to memory of 4732	2672	3B34.tmp	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a5c431f15cbbbaedcc4e244f7665b660_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a5c431f15cbbbaedcc4e244f7665b660_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\3B34.tmp
  "C:\Users\Admin\AppData\Local\Temp\3B34.tmp" --pingC:\Users\Admin\AppData\Local\Temp\a5c431f15cbbbaedcc4e244f7665b660_NeikiAnalytics.exe 0A5E69C24A519C5FD31497295383C3377389E059FD6DCC0919815AAE992BBEF04F32276FD0D1C8F9A599F73070F92E336DF12A0547404F770923D7A0B949DD75
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a5c431f15cbbbaedcc4e244f7665b660_NeikiAnalytics.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3B34.tmp

Filesize
1.8MB

MD5
bf8df7a252dbaa6ba7459a65f0303ed6

SHA1
b9e7c20660693760a6b900bea032dff2f564a5bd

SHA256
0a9cec45dd2bd0eb2bf60f72c4b3e6f34dc85b61e0a59cc1d0764f48d19201e8

SHA512
fad9ca0656b52860daed60f2f33807672855f293a1ee6f35a3cdabc96f64240cd3b1400bf43404fc652c5e4d1441daab2d45be078ca5b629a76d0c059df557ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5c431f15cbbbaedcc4e244f7665b660_NeikiAnalytics.docx

Filesize
19KB

MD5
4046ff080673cffac6529512b8d3bdbb

SHA1
d3cbc39065b7a55e995fa25397da2140bdac80c1

SHA256
f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

SHA512
453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

Download Submit
memory/4732-9-0x00007FFB38F10000-0x00007FFB38F20000-memory.dmp

Filesize
64KB

Download
memory/4732-10-0x00007FFB38F10000-0x00007FFB38F20000-memory.dmp

Filesize
64KB

Download
memory/4732-12-0x00007FFB38F10000-0x00007FFB38F20000-memory.dmp

Filesize
64KB

Download
memory/4732-14-0x00007FFB78F2D000-0x00007FFB78F2E000-memory.dmp

Filesize
4KB

Download
memory/4732-13-0x00007FFB38F10000-0x00007FFB38F20000-memory.dmp

Filesize
64KB

Download
memory/4732-11-0x00007FFB38F10000-0x00007FFB38F20000-memory.dmp

Filesize
64KB

Download
memory/4732-15-0x00007FFB78E90000-0x00007FFB79085000-memory.dmp

Filesize
2.0MB

Download
memory/4732-16-0x00007FFB78E90000-0x00007FFB79085000-memory.dmp

Filesize
2.0MB

Download
memory/4732-17-0x00007FFB78E90000-0x00007FFB79085000-memory.dmp

Filesize
2.0MB

Download
memory/4732-18-0x00007FFB78E90000-0x00007FFB79085000-memory.dmp

Filesize
2.0MB

Download
memory/4732-19-0x00007FFB78E90000-0x00007FFB79085000-memory.dmp

Filesize
2.0MB

Download
memory/4732-20-0x00007FFB78E90000-0x00007FFB79085000-memory.dmp

Filesize
2.0MB

Download
memory/4732-21-0x00007FFB78E90000-0x00007FFB79085000-memory.dmp

Filesize
2.0MB

Download
memory/4732-23-0x00007FFB78E90000-0x00007FFB79085000-memory.dmp

Filesize
2.0MB

Download
memory/4732-25-0x00007FFB78E90000-0x00007FFB79085000-memory.dmp

Filesize
2.0MB

Download
memory/4732-24-0x00007FFB78E90000-0x00007FFB79085000-memory.dmp

Filesize
2.0MB

Download
memory/4732-22-0x00007FFB78E90000-0x00007FFB79085000-memory.dmp

Filesize
2.0MB

Download
memory/4732-26-0x00007FFB368D0000-0x00007FFB368E0000-memory.dmp

Filesize
64KB

Download
memory/4732-27-0x00007FFB368D0000-0x00007FFB368E0000-memory.dmp

Filesize
64KB

Download
memory/4732-40-0x00007FFB78E90000-0x00007FFB79085000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads