2018d6952c057a21cf55318d6aa22871daf2916c655848bffcabfc092e3e03e8

Analysis

max time kernel
13s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4845aa93c6412074c917053cda175170_NeikiAnalytics.exe
Size

63KB
MD5

4845aa93c6412074c917053cda175170
SHA1

6030c1ed31c08f2b25ba5f7f9d0e577216124467
SHA256

2018d6952c057a21cf55318d6aa22871daf2916c655848bffcabfc092e3e03e8
SHA512

dbde0759f5eb605c7169215a434ccea75b1dc07ad5e3f7beba9d3461fc7877c0b415f4d74fbe3958675f9254a27b3d8cefc1e043490d12ca7f58ab6e2d2bf772
SSDEEP

768:TOSEWgI6sRJ0QPk5Cd8NUIu0oWsV1qaZIp/Bj7YcRpaSOovHYxtxdvO:Sf9Uk5CdzGs1stvHYxtH2

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cupen.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	4845aa93c6412074c917053cda175170_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
3712	cupen.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cupen = "C:\\Users\\Admin\\cupen.exe"	cupen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3712	cupen.exe
3712	cupen.exe
3712	cupen.exe
3712	cupen.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
388	4845aa93c6412074c917053cda175170_NeikiAnalytics.exe
3712	cupen.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 3712	388	4845aa93c6412074c917053cda175170_NeikiAnalytics.exe	89
PID 388 wrote to memory of 3712	388	4845aa93c6412074c917053cda175170_NeikiAnalytics.exe	89
PID 388 wrote to memory of 3712	388	4845aa93c6412074c917053cda175170_NeikiAnalytics.exe	89
PID 3712 wrote to memory of 388	3712	cupen.exe	81
PID 3712 wrote to memory of 388	3712	cupen.exe	81

C:\Users\Admin\AppData\Local\Temp\4845aa93c6412074c917053cda175170_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4845aa93c6412074c917053cda175170_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\cupen.exe
  "C:\Users\Admin\cupen.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\cupen.exe

Filesize
63KB

MD5
99153fd668e9d883feeebadb790731c1

SHA1
adf19dfd074c0caa987a79bc625f8161afdf17f9

SHA256
3234b4b00cdaf81f3a55a486f69f3b3a7b4f3b9f29f0b8070113750605356c18

SHA512
0ba1f7c60df52b41743f4c55020e4a23a8c67b1c0d801781d50359d5d056c4eb144dff0a6a4da21c1751482bead8919db24e23585aa1834f921dbd8a5511e97a

Download Submit