Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/05/2024, 10:22

General

  • Target

    b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe

  • Size

    256KB

  • MD5

    b254fc8144e93fafc5e3bdab1cc94f00

  • SHA1

    eb213621f16d418ecb687be9b13c3344ce715b1c

  • SHA256

    245fe448bbd5a16b56c50c42819d9f475a8c27b51ccc08858d61121d1161a4f1

  • SHA512

    b0aba02c5d613f5e058b5fef630e15cab01426e74181e5aaf7772a7a51611fc1a63268a3350a55c2ed397fee67e1c1457e3fbf1cb8a77f491c39601c2edeb5c1

  • SSDEEP

    6144:1vg98eNTb/UoKHU8iN2iYty5Y+tG91K09YEuOFcU0b:1vg9JxVSU8iN2iYty6+tG91yEuOdq

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Users\Admin\loeruaj.exe
      "C:\Users\Admin\loeruaj.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:3304
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    PID:1340
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    PID:1216

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\loeruaj.exe

          Filesize

          256KB

          MD5

          a8009a7b86c41ae8dac76aab64e7e4e3

          SHA1

          1f77c531fa410530b30c7d47dc1bd755083e6800

          SHA256

          a40aa852e4a93fbae459489bee0209b6c2a0d97ec6ee80422ff9c8697e4ba8b9

          SHA512

          a5057f137f73cd3a2826239cd0a98f1a48b112247d0695c32e9e873366d0eb98d41ea6b12acc4d85a7f4bac0e0f2477a94beb7b09ff8d0c39f27b507d33849cc