Analysis
max time kernel: 150s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 14/05/2024, 06:32
Static task
static1
Behavioral task
behavioral1
Sample
94b66b9ba80fce10d901b6b8d6dfe260_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
94b66b9ba80fce10d901b6b8d6dfe260_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
Target: 94b66b9ba80fce10d901b6b8d6dfe260_NeikiAnalytics.exe
Size: 53KB
MD5: 94b66b9ba80fce10d901b6b8d6dfe260
SHA1: 22ad8af223e5fe775ba1cde96ec7148b0656f83f
SHA256: ea044baa30b8a799ca23d1c4370b8b09b6bf43ec78b6782cbc885be4e2ed0408
SHA512: 6be67a12cf7309ef610ff6f1504261b3eee21ba637c8ba2969d45f1c76077c8b7ad04c8eeb5118ed17f13dc60b06d3536fb45b1cbd920624f7d4bc366a9c6027
SSDEEP: 1536:vNTg8r8QXeZWXeN7Kp3StjEMjmLM3ztDJWZsXy4JzxPM0:teZeeNJJjmLM3zRJWZsXy4J9
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" gkveaw.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 94b66b9ba80fce10d901b6b8d6dfe260_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs
pid Process
3232 gkveaw.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gkveaw = "C:\\Users\\Admin\\gkveaw.exe" gkveaw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
3232 gkveaw.exe (64 identical entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
3380 94b66b9ba80fce10d901b6b8d6dfe260_NeikiAnalytics.exe
3232 gkveaw.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3380 wrote to memory of 3232 3380 94b66b9ba80fce10d901b6b8d6dfe260_NeikiAnalytics.exe 88 (3 identical entries)
PID 3232 wrote to memory of 3380 3232 gkveaw.exe 81 (61 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\94b66b9ba80fce10d901b6b8d6dfe260_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\94b66b9ba80fce10d901b6b8d6dfe260_NeikiAnalytics.exe"
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3380
C:\Users\Admin\gkveaw.exe (child of the process above)
Command line: "C:\Users\Admin\gkveaw.exe"
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3232
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 53KB
MD5: 348ac71ca30dbf8ed96aa1cf9a9da18e
SHA1: 5ef02d7ddbb7fbb5be3e9690ba44c4c1acbdc9b0
SHA256: 0a0e30d0db5b917fb31553dfbc03e8ca30f4cbd9cf71c21bfd897edac1ea1aec
SHA512: a91af9d3f46f5eac6cc3b936088553cc1722f892379fd595b5dcff9b686cbe258111ad1e7b90f9b9f437c4e073bf10600468a8ff2adff3fada0dc148dda15ad0