203054a655fdb8d37b39a9d65cf81b96660e49d6aa5d310eaa7099beaf0c319e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe
Size

76KB
MD5

5fb8db5f9d627befcd977ee992b3ffd0
SHA1

8528775ea42951e35d22da71315c5fd3c8df5498
SHA256

203054a655fdb8d37b39a9d65cf81b96660e49d6aa5d310eaa7099beaf0c319e
SHA512

3f9814e9d1d05115259df6440c304b137828943eb0c022b70dbf684ba7827cc21485c7afaea038a794fc970e6468d3051cc054b4589d0eabb027a50b3d0997e0
SSDEEP

1536:MvP69lUyW1UwzJmWRaD1gXI7uMrpzrnacxfzZ1:G69lU2UmWVXI7uMlzTFz7

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 5 IoCs

pid	Process
3472	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe
3584	svchost.exe
1728	svchost.exe
4988	svchost.exe
4572	svchost.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3472-6-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4252-8-0x00000000029C0000-0x00000000029C1000-memory.dmp	upx
behavioral2/memory/3472-10-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3472-11-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3472-37-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1728-52-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3472-57-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1728-87-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\system\\svchost.exe"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4252 set thread context of 3472	4252	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe	92
PID 3584 set thread context of 1728	3584	svchost.exe	100
PID 3584 set thread context of 4988	3584	svchost.exe	101
PID 4988 set thread context of 4572	4988	svchost.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1728	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4252	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe
3472	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe
3584	svchost.exe
1728	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 3472	4252	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe	92
PID 4252 wrote to memory of 3472	4252	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe	92
PID 4252 wrote to memory of 3472	4252	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe	92
PID 4252 wrote to memory of 3472	4252	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe	92
PID 4252 wrote to memory of 3472	4252	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe	92
PID 4252 wrote to memory of 3472	4252	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe	92
PID 4252 wrote to memory of 3472	4252	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe	92
PID 4252 wrote to memory of 3472	4252	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe	92
PID 3472 wrote to memory of 4996	3472	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe	95
PID 3472 wrote to memory of 4996	3472	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe	95
PID 3472 wrote to memory of 4996	3472	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe	95
PID 4996 wrote to memory of 4436	4996	cmd.exe	98
PID 4996 wrote to memory of 4436	4996	cmd.exe	98
PID 4996 wrote to memory of 4436	4996	cmd.exe	98
PID 3472 wrote to memory of 3584	3472	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe	99
PID 3472 wrote to memory of 3584	3472	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe	99
PID 3472 wrote to memory of 3584	3472	5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe	99
PID 3584 wrote to memory of 1728	3584	svchost.exe	100
PID 3584 wrote to memory of 1728	3584	svchost.exe	100
PID 3584 wrote to memory of 1728	3584	svchost.exe	100
PID 3584 wrote to memory of 1728	3584	svchost.exe	100
PID 3584 wrote to memory of 1728	3584	svchost.exe	100
PID 3584 wrote to memory of 1728	3584	svchost.exe	100
PID 3584 wrote to memory of 1728	3584	svchost.exe	100
PID 3584 wrote to memory of 1728	3584	svchost.exe	100
PID 3584 wrote to memory of 4988	3584	svchost.exe	101
PID 3584 wrote to memory of 4988	3584	svchost.exe	101
PID 3584 wrote to memory of 4988	3584	svchost.exe	101
PID 3584 wrote to memory of 4988	3584	svchost.exe	101
PID 3584 wrote to memory of 4988	3584	svchost.exe	101
PID 3584 wrote to memory of 4988	3584	svchost.exe	101
PID 3584 wrote to memory of 4988	3584	svchost.exe	101
PID 4988 wrote to memory of 4572	4988	svchost.exe	102
PID 4988 wrote to memory of 4572	4988	svchost.exe	102
PID 4988 wrote to memory of 4572	4988	svchost.exe	102
PID 4988 wrote to memory of 4572	4988	svchost.exe	102
PID 4988 wrote to memory of 4572	4988	svchost.exe	102
PID 4988 wrote to memory of 4572	4988	svchost.exe	102
PID 4988 wrote to memory of 4572	4988	svchost.exe	102

C:\Users\Admin\AppData\Local\Temp\5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Users\Admin\AppData\Local\Temp\5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JASKG.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\svchost.exe" /f
      4⤵
      Adds Run key to start application
      PID:4436
- - C:\Users\Admin\AppData\Roaming\system\svchost.exe
    "C:\Users\Admin\AppData\Roaming\system\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Users\Admin\AppData\Roaming\system\svchost.exe
      "C:\Users\Admin\AppData\Roaming\system\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1728
  - - C:\Users\Admin\AppData\Roaming\system\svchost.exe
      "C:\Users\Admin\AppData\Roaming\system\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Users\Admin\AppData\Roaming\system\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\system\svchost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cxz.exe

Filesize
294B

MD5
6be04b7423fd1d2dc51129604b7d8e8e

SHA1
7a0fda938c29607612ca69b471601a1bf3872c64

SHA256
a455ab6b2881d5451762024cb5847991a2b20a1fd88a4958840ce715ea68c10b

SHA512
a8b8e1fa6f6dfb52cd5ea52dd385ff8a9fd09df935ad69ee8f1759af14a524cf4043dab61c3a2bd8793794812b48c17cfe192081d3f80d1649ab41662ee3f255

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fb8db5f9d627befcd977ee992b3ffd0_NeikiAnalytics.exe

Filesize
76KB

MD5
5fb8db5f9d627befcd977ee992b3ffd0

SHA1
8528775ea42951e35d22da71315c5fd3c8df5498

SHA256
203054a655fdb8d37b39a9d65cf81b96660e49d6aa5d310eaa7099beaf0c319e

SHA512
3f9814e9d1d05115259df6440c304b137828943eb0c022b70dbf684ba7827cc21485c7afaea038a794fc970e6468d3051cc054b4589d0eabb027a50b3d0997e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\JASKG.txt

Filesize
148B

MD5
05d958f804a3cb770b18371699915faf

SHA1
82e91a19f4f23340db8bb5c7d271aa0b590ff723

SHA256
61ae6f17d637624fd66d1dfad93a1c6a863aa7caf67d3e267910f4b9212bdf52

SHA512
3ff7be267167f2c447e9aeef2f5e84785dd45d08a10738b1b4c1b01b21d3ea29e637ede50b1091211b97fd40ae5b2bea54e053200778228ffde852f8a19ce921

Download Submit
C:\Users\Admin\AppData\Roaming\system\svchost.exe

Filesize
76KB

MD5
399c7fbb067d40b942a0400c3c58f627

SHA1
496be27be6caef75a9dcd58883aa5ca05a1ada8c

SHA256
b4fe1b0e6383f5e5a652ce36e7750178870c2a1d5c5c3fa2fcb8a9349118423f

SHA512
a84735e9938c0fcf8fd2d76a25b71092dfb70f91c4a5db2e3ac84293dd548e24df199436ca85c7401ed6eb8a0dbfc29f10e862de6a7dbd1515278883f1c4f59d

Download Submit
memory/1728-87-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1728-52-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3472-57-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3472-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3472-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3472-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3472-37-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3584-51-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3584-38-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3584-39-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4252-8-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/4252-4-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/4252-5-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/4252-2-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/4252-3-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/4572-58-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4572-63-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4572-85-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4988-42-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4988-47-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4988-53-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4988-54-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4988-60-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads