9887dcd61cb035734f66a1ddc4540ba7e1ae019e8a79634a67e0af1b7f8ef71a

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61c4e424a1ba8b7b970372d879f3e600_NeikiAnalytics.exe
Size

39KB
MD5

61c4e424a1ba8b7b970372d879f3e600
SHA1

0dee471ceef9afe6f116b3287bea524c32bd68e4
SHA256

9887dcd61cb035734f66a1ddc4540ba7e1ae019e8a79634a67e0af1b7f8ef71a
SHA512

5f57f72f6440ac792b956986ed8c4d09a9ff18d0f613c68fdaeb1739bd89d44d584dc3912e59e3a6bb6dec288e3582136a4de2964f5c9cc547605f6639fb65e0
SSDEEP

768:2mdB+lOuTDTb3JjOtdgI2MyzNORQtOflIwoHNV2XBFV72B4lA7ZsiZ+3/QYsuRCP:ndoAtdgI2MyzNORQtOflIwoHNV2XBFVm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	61c4e424a1ba8b7b970372d879f3e600_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
752	ffengh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 752	2904	61c4e424a1ba8b7b970372d879f3e600_NeikiAnalytics.exe	82
PID 2904 wrote to memory of 752	2904	61c4e424a1ba8b7b970372d879f3e600_NeikiAnalytics.exe	82
PID 2904 wrote to memory of 752	2904	61c4e424a1ba8b7b970372d879f3e600_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\61c4e424a1ba8b7b970372d879f3e600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\61c4e424a1ba8b7b970372d879f3e600_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\ffengh.exe
  "C:\Users\Admin\AppData\Local\Temp\ffengh.exe"
  2⤵
  - Executes dropped EXE
  PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ffengh.exe

Filesize
39KB

MD5
d05e78e8cf38f69880c6c4da0535eeac

SHA1
c13a037df71f9b288aeafe5bbccaba970965ee82

SHA256
4739e5686f21014dac85288e3adf491ba45c2a21232233998297ea3128d232c1

SHA512
6f0b3c001683179a9d7027c4194896e599682fa2b5a97ab1b8f9845e8aa763b0259224ad22779b1e5799eeb2f24cf68b56d5b2455f8cb19d9fe2f37ccbd9488f

Download Submit
memory/752-16-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/752-23-0x0000000000480000-0x0000000000487000-memory.dmp

Filesize
28KB

Download
memory/2904-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2904-1-0x0000000002130000-0x0000000002137000-memory.dmp

Filesize
28KB

Download
memory/2904-2-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2904-7-0x0000000002130000-0x0000000002137000-memory.dmp

Filesize
28KB

Download