Analysis

  • max time kernel
    141s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-05-2024 22:28

General

  • Target

    46f9d12382c372b74afb8976d9b2f8a0_NeikiAnalytics.exe

  • Size

    74KB

  • MD5

    46f9d12382c372b74afb8976d9b2f8a0

  • SHA1

    26279eb061e7fd2d37dac6be58e92c78165d495b

  • SHA256

    3633bb7362b26e43bc0c08aed434e4cdde5efd72069ad6d1d46b9d407d5b87cb

  • SHA512

    55aa092bb2c030fd475346c9c613b7d80f3d7346c00b3709d572f8bbb124bae94a2a9b7bf9e930cf78c505512f585699694a06c919708cd8247001a590f75573

  • SSDEEP

    384:+41DuuOFZyUVpULCgDb2prxVTn24X/m7Q6Al6z+yXpC:fDcZyUpULCgo24T96ayXQ

Score
8/10

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46f9d12382c372b74afb8976d9b2f8a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\46f9d12382c372b74afb8976d9b2f8a0_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Windows\SysWOW64\attrib.exe
      attrib +a +s +h +r C:\Windows\Debug\egkhost.exe
      2⤵
      • Sets file to hidden
      • Drops file in Windows directory
      • Views/modifies file attributes
      PID:432
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\46F9D1~1.EXE > nul
      2⤵
      PID:2552
    • C:\Windows\Debug\egkhost.exe
      C:\Windows\Debug\egkhost.exe
      1⤵
      • Executes dropped EXE
      PID:5000

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\debug\egkhost.exe

      Filesize

      74KB

      MD5

      69c2e48ac79da47e77f4e35487fbe5b1

      SHA1

      d77041aa7a2c2ee4a5fe875b17834bb9311fb03a

      SHA256

      fe1d08ade0da0b9770e5c28719dffda9b7179095c3bdc19d289cfa93c1062395

      SHA512

      59bb6f32efae752575acf620922b1f6bd74beee3fdfa37b90a13ae1e4e9d9695ea139b46ac0c322aeb6b2561ae1c428029ffb8c751cf6e11d8f7f4c3bca3107f

    • memory/3196-0-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

    • memory/5000-5-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

    • memory/5000-6-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB