850e7eea76fc1f8c1029f2f0c5f0ac56adef962610b1d9514267a785eb3aae17

Analysis

max time kernel
128s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

770467b3465de046f5da7929537db950_NeikiAnalytics.exe
Size

41KB
MD5

770467b3465de046f5da7929537db950
SHA1

8338cbfc5361f903d0615d5a5e42ec41fbb464c2
SHA256

850e7eea76fc1f8c1029f2f0c5f0ac56adef962610b1d9514267a785eb3aae17
SHA512

99096a2d98dc2a5bae130325e3264b8686b33bd7ccce401b1dae16a9e3472baba167d9eb76d7818ffb19a2e6de6a7d0255691faf4862257a75badcdc197e54e8
SSDEEP

384:cl+ApZPfdyLARu1h0KjSyC8bARyur1xeMu/4XFN3he4sswtzPeRsao+ZNnTaiJtu:pGbu1hJSyC8MmGkqEPGsr+ZFTw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	770467b3465de046f5da7929537db950_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
3884	lssad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 3884	2652	770467b3465de046f5da7929537db950_NeikiAnalytics.exe	82
PID 2652 wrote to memory of 3884	2652	770467b3465de046f5da7929537db950_NeikiAnalytics.exe	82
PID 2652 wrote to memory of 3884	2652	770467b3465de046f5da7929537db950_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\770467b3465de046f5da7929537db950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\770467b3465de046f5da7929537db950_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\lssad.exe
  "C:\Users\Admin\AppData\Local\Temp\lssad.exe"
  2⤵
  - Executes dropped EXE
  PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2IX84YPE\2703UKc[1].htm

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lssad.exe

Filesize
41KB

MD5
7c8cefc53b52d8026578cb4e9cbb1f45

SHA1
bd6b670385f3d11529e0ea53dca6912174fe3e3a

SHA256
41f098601d32e9ca0638f83e103f93b51b19b85ac60e8ae8b91a81d290967706

SHA512
c01e50b5783b43d39d7585efd5095f30d8d41bb7c548784a1f8ab98040abbb6b7379edeb35968c65ced6d4b95c506c37ece444824d7c8223f6d05b81bb7c75bd

Download Submit
memory/2652-1-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/3884-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download