Analysis

  • max time kernel
    149s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/05/2024, 10:38

General

  • Target

    b3002a49c930e4095fd31ff31a4fbc80_NeikiAnalytics.exe

  • Size

    135KB

  • MD5

    b3002a49c930e4095fd31ff31a4fbc80

  • SHA1

    6c77334a6cc4c88fe2ce4b70c7495b1453e286ed

  • SHA256

    406b2d75f880dec47dbfbd6e454a8f026f5d26dcdcd6cd49d4652d76fe0e95c7

  • SHA512

    ea4bd969096fb7f1b4ea97e81ca3dcda01eb0cf89c21044fb7a0b4edfaf623844105b360af0721a72db091b7d75ec528460f869b3233e0432638e229f8b9c50e

  • SSDEEP

    3072:dNQSeN8BqUPb1WpXVxAaGBvbNvNbNJkvmhyPQbaDTUXGIDbwKDqCtrwdAxaVTtV6:fQqoIDbByGPMsMP

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3002a49c930e4095fd31ff31a4fbc80_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\b3002a49c930e4095fd31ff31a4fbc80_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Users\Admin\teogaay.exe
      "C:\Users\Admin\teogaay.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4752

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\teogaay.exe

          Filesize

          135KB

          MD5

          64db3525ec6e7af61ff2fe42684346a9

          SHA1

          2f82515df466e339d49ea029c264b847520caf58

          SHA256

          fb4681dcc54ed900755b17c67ff95bf46f932c9d35b3217a22fdd26e3d58a802

          SHA512

          694537f901f483560f270b4d458be5505318ecc6f17372d053dc9dfb43eab59cff3a293b5499dc39ed9895d20f27c614b667a9189cda94b1c3b82fe536a3fc60

        • memory/4752-34-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB

        • memory/4752-38-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB

        • memory/4920-0-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB

        • memory/4920-37-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB