Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13/05/2024, 08:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a9ba08d7069992a37365e69f3e2cc940_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
a9ba08d7069992a37365e69f3e2cc940_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
a9ba08d7069992a37365e69f3e2cc940_NeikiAnalytics.exe
-
Size
77KB
-
MD5
a9ba08d7069992a37365e69f3e2cc940
-
SHA1
4e134f610fd59410f57c7c82171edbfa2acb3f8f
-
SHA256
cea44802804cdf57c792af629c62a52994f06850ec9eaec0a9143fca617273ad
-
SHA512
ae5e1ef4f84677b8f711d16dc62855a77c758a82aec7c8a026665a0ac0e06ebfd5f1a2f33b7f39e11b104760adcb26e9588cafd923e10bcecfaa5dda9d326138
-
SSDEEP
1536:+9M0Erd15Bx8pEttgdO/mXpgWXOJgQmmogDcMH5fCVsJVafuegWXAi+oX9tWV0RX:+9M0Erd15Bx8pEttgdO/mXpgWXOJgQm/
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" heoutij.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation a9ba08d7069992a37365e69f3e2cc940_NeikiAnalytics.exe -
Executes dropped EXE 1 IoCs
pid Process 4812 heoutij.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heoutij = "C:\\Users\\Admin\\heoutij.exe" heoutij.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe 4812 heoutij.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4668 a9ba08d7069992a37365e69f3e2cc940_NeikiAnalytics.exe 4812 heoutij.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4668 wrote to memory of 4812 4668 a9ba08d7069992a37365e69f3e2cc940_NeikiAnalytics.exe 87 PID 4668 wrote to memory of 4812 4668 a9ba08d7069992a37365e69f3e2cc940_NeikiAnalytics.exe 87 PID 4668 wrote to memory of 4812 4668 a9ba08d7069992a37365e69f3e2cc940_NeikiAnalytics.exe 87 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80 PID 4812 wrote to memory of 4668 4812 heoutij.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9ba08d7069992a37365e69f3e2cc940_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a9ba08d7069992a37365e69f3e2cc940_NeikiAnalytics.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Users\Admin\heoutij.exe"C:\Users\Admin\heoutij.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4812
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
77KB
MD503e355884b97c88dabf0cc376f064340
SHA181436d34e8494d134035207908341ee7093a60f4
SHA256086452e0ad6fb2f6df68d0165e4191cb5279ca05fa15aac63387a6236d72297c
SHA512021bed8283aa2db0ee6f688f3e0a3978f0c731a8ecf8fb825b18ea7c8cc2d239dada1ac7861dc14189152bf490e59f11d69c35479388211c3ee73de6a96672b2