Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/05/2024, 09:20

General

  • Target

    aa70cd35793c58e9a5013b5bccae3830_NeikiAnalytics.exe

  • Size

    156KB

  • MD5

    aa70cd35793c58e9a5013b5bccae3830

  • SHA1

    9133f9677cdbd63193620faa6925235af3e979f2

  • SHA256

    c7b96befa2710ce894dd4b6a239d9e15c425138e9f0fe4194a4aa96f7119bb45

  • SHA512

    e8697f113c22ad63e0c1627fa07bb23351c523c312216a9b81a211de29e6b3d8281d8c3f4e31ea1202cf72c392d1777a3de716f8665052d45f6b8f6b9cf23810

  • SSDEEP

    3072:tKzhSpGbGb6JUBGnvZHpXtNLdZkkVYaZvLStH/h7yc2dV4oQZiEi9XJFoO:YdjbGb6JaGnvZZtNLdZkRapLmH8c2dnp

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa70cd35793c58e9a5013b5bccae3830_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\aa70cd35793c58e9a5013b5bccae3830_NeikiAnalytics.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Users\Admin\piiaqu.exe
      "C:\Users\Admin\piiaqu.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4084

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\piiaqu.exe

          Filesize

          156KB

          MD5

          ec427c71c49b40b1aa8774cde5f910ad

          SHA1

          c7b9a9f06730bded7b9953fd75b48a32e7d6ef22

          SHA256

          92c46e0d7ce7101c8211b0bf5d62cdedb880896777c16f1db3a37559dfffa0aa

          SHA512

          c8449cf9b6103c8bca96ab05c0433e0396eb9463f183bd513e558068c5dc5cdd88cb2656d0e1ea130d92ec0292be9d9ecd86075cd8645b81f48448db083a6948