Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
- submitted: 16-05-2024 10:16
Behavioral task
behavioral1
Sample
da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe
Resource
win7-20240221-en
General
- Target: da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe
- Size: 391KB
- MD5: da38401f466916b9b1fad24d2628e560
- SHA1: 51c308d8632ff052737ff1950fac0cbcc8d195df
- SHA256: 5f0bc350b5a7f4bb23b518a3674d7a4a731c6bfdfa0cab0f149ddd8565e92f6c
- SHA512: b0d790c33124daa00134e99942d546f400b4f3a24b25078ba6ebdde05e1659c1cf32ec0ed48279abb5714b41a418c3efdd42ac9e710a50859af21ada0607645c
- SSDEEP: 6144:eQiWreSUbn8y5+l/bRzBiw5G4DrA3vpt6t3tj5xC6qpbb+18:eMr6bwzRF75G44vpt6XjCKq
Malware Config
Extracted
- family: urelas
- C2: 218.54.31.165
- C2: 218.54.31.226
Signatures
-
Yara rule match
resource: behavioral2/files/0x0008000000023408-30.dat
yara_rule: aspack_v212_v242
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description         ioc                                                                                                   Process
Key value queried   \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation   da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe
Key value queried   \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation   xotyk.exe
Key value queried   \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation   niquiz.exe
-
Executes dropped EXE 3 IoCs
pid    Process
2068   xotyk.exe
1960   niquiz.exe
2380   pikuj.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid    Process
2380   pikuj.exe   (64 identical entries)
-
Suspicious use of WriteProcessMemory 15 IoCs
description                          pid    Process                                               procid_target
PID 3596 wrote to memory of 2068     3596   da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe   85    (3 identical entries)
PID 3596 wrote to memory of 2488     3596   da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe   86    (3 identical entries)
PID 2068 wrote to memory of 1960     2068   xotyk.exe                                             88    (3 identical entries)
PID 1960 wrote to memory of 2380     1960   niquiz.exe                                            105   (3 identical entries)
PID 1960 wrote to memory of 5092     1960   niquiz.exe                                            106   (3 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe (PID 3596)
  command line: "C:\Users\Admin\AppData\Local\Temp\da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  |
  +- C:\Users\Admin\AppData\Local\Temp\xotyk.exe (PID 2068)
  |    command line: "C:\Users\Admin\AppData\Local\Temp\xotyk.exe"
  |    - Checks computer location settings
  |    - Executes dropped EXE
  |    - Suspicious use of WriteProcessMemory
  |    |
  |    +- C:\Users\Admin\AppData\Local\Temp\niquiz.exe (PID 1960)
  |         command line: "C:\Users\Admin\AppData\Local\Temp\niquiz.exe" OK
  |         - Checks computer location settings
  |         - Executes dropped EXE
  |         - Suspicious use of WriteProcessMemory
  |         |
  |         +- C:\Users\Admin\AppData\Local\Temp\pikuj.exe (PID 2380)
  |         |    command line: "C:\Users\Admin\AppData\Local\Temp\pikuj.exe"
  |         |    - Executes dropped EXE
  |         |    - Suspicious behavior: EnumeratesProcesses
  |         |
  |         +- C:\Windows\SysWOW64\cmd.exe (PID 5092)
  |              command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  |
  +- C:\Windows\SysWOW64\cmd.exe (PID 2488)
       command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
-
Network
MITRE ATT&CK Enterprise v15
Downloads