8759940eac5c28e08cb61295b8b1ad82cb4e8ea446d47a62ed85c5513220b5a5

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
Size

219KB
MD5

c2ffbc6280c199f0531b8736778e1a30
SHA1

2023c649b4c44515a79cd56190dab54240644f10
SHA256

8759940eac5c28e08cb61295b8b1ad82cb4e8ea446d47a62ed85c5513220b5a5
SHA512

44cf2244311c0d828178df55d4d9a758754ae285bd7ef08296a1e641455ba1b0025792bd1dfc04b94028061c975bce4f3fc7d3d1c85ea27587427c643995e1bc
SSDEEP

6144:nt8IhVYFVED7l08BkjIf0r9b5if7/F0rCoSM/U16R:nt8vVED3Bk0Mr9Vif7/FcCoSmXR

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	COM7.EXE

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	COM7.EXE

Executes dropped EXE 4 IoCs

pid	Process
1308	achsv.exe
4320	COM7.EXE
2584	achsv.exe
2728	COM7.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\F:\\Program Files\\FoxitReader\\bin\\COM7.EXE"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
764	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
1308	achsv.exe
1308	achsv.exe
4320	COM7.EXE
4320	COM7.EXE
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2584	achsv.exe
2584	achsv.exe
2728	COM7.EXE
2728	COM7.EXE
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
4320	COM7.EXE
4320	COM7.EXE
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
4320	COM7.EXE
4320	COM7.EXE
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
4320	COM7.EXE
4320	COM7.EXE
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
4320	COM7.EXE
4320	COM7.EXE
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
4320	COM7.EXE
4320	COM7.EXE
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
4320	COM7.EXE
4320	COM7.EXE
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
4320	COM7.EXE
4320	COM7.EXE
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
4320	COM7.EXE
4320	COM7.EXE
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
4320	COM7.EXE
4320	COM7.EXE
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
4320	COM7.EXE
4320	COM7.EXE
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1308	achsv.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1308	2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe	84
PID 2680 wrote to memory of 1308	2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe	84
PID 2680 wrote to memory of 1308	2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe	84
PID 2680 wrote to memory of 4320	2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe	85
PID 2680 wrote to memory of 4320	2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe	85
PID 2680 wrote to memory of 4320	2680	c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe	85
PID 4320 wrote to memory of 764	4320	COM7.EXE	86
PID 4320 wrote to memory of 764	4320	COM7.EXE	86
PID 4320 wrote to memory of 764	4320	COM7.EXE	86
PID 4320 wrote to memory of 2584	4320	COM7.EXE	88
PID 4320 wrote to memory of 2584	4320	COM7.EXE	88
PID 4320 wrote to memory of 2584	4320	COM7.EXE	88
PID 1308 wrote to memory of 2728	1308	achsv.exe	89
PID 1308 wrote to memory of 2728	1308	achsv.exe	89
PID 1308 wrote to memory of 2728	1308	achsv.exe	89

C:\Users\Admin\AppData\Local\Temp\c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c2ffbc6280c199f0531b8736778e1a30_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2728
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\F:\Program Files\FoxitReader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:764
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
219KB

MD5
5ae7200631949bec49ab93c0394194ac

SHA1
99f501eabc669f3c944c3661a9a0554d03a28020

SHA256
85c53fd460a96635dda7b8fbfcdad1578680254d09e0c1dd367779e996646073

SHA512
dce1f71d3e5b29f72363ded8d3ddc7970d7bce98afa407e6ca8770716424e2fddc9e86f9c8e0a0ce83bb766d1bcc334a406f3d17092ec1327f400850d221797f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
219KB

MD5
ecbdad8f301a2c745747d6e60bfcaa32

SHA1
d730795206c9f332ebdb4dbc7dd7aa3c5c859937

SHA256
dbda738b23e93db2418f4bf66d7ba59bd9c3f336d0e5f3dd520b3525164f18a5

SHA512
75945962fc3216f742791b236aa5b8727fe405a5adf06876204d08f0b50ac4441a470113b5428cfadaf1effe1dc927763e066c386ce74b4916abd777de9baf3d

Download Submit
memory/1308-15-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/1308-30-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2584-23-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2680-12-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2728-26-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/4320-19-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download