f17ee95e3e9843832c7e27a03dac5db605bcb1624d885005287ee900834491b2

Analysis

max time kernel
141s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

759444e3c79e8f7662457b4bd662feb0_NeikiAnalytics.exe
Size

6.1MB
MD5

759444e3c79e8f7662457b4bd662feb0
SHA1

c966bcfe7f2704c3507c56b8336ea4d0878b1123
SHA256

f17ee95e3e9843832c7e27a03dac5db605bcb1624d885005287ee900834491b2
SHA512

0901aaf04b352c7a001eed1da343caf17d96559518111d91d0fce4c3b3cbc736a3b8203907b6790085344bfa4a34c3da698d18beed5334467dec4231ef5aba1e
SSDEEP

49152:mkB988jwQmEcgxFF7q22WJxdyKv8ySStzKb/3k2OSaLCvE55pCx2WampGjnRzNvo:VFNdPSSE/AL5pCx2HmpGjnRzNv3

Score

9^/10

evasion ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4512	bcdedit.exe
4720	bcdedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	759444e3c79e8f7662457b4bd662feb0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4844	759444e3c79e8f7662457b4bd662feb0_NeikiAnalytics.exe
4844	759444e3c79e8f7662457b4bd662feb0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4844	759444e3c79e8f7662457b4bd662feb0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4844	759444e3c79e8f7662457b4bd662feb0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 3920	4844	759444e3c79e8f7662457b4bd662feb0_NeikiAnalytics.exe	91
PID 4844 wrote to memory of 3920	4844	759444e3c79e8f7662457b4bd662feb0_NeikiAnalytics.exe	91
PID 4844 wrote to memory of 3220	4844	759444e3c79e8f7662457b4bd662feb0_NeikiAnalytics.exe	93
PID 4844 wrote to memory of 3220	4844	759444e3c79e8f7662457b4bd662feb0_NeikiAnalytics.exe	93
PID 3920 wrote to memory of 4720	3920	cmd.exe	97
PID 3220 wrote to memory of 4512	3220	cmd.exe	96
PID 3920 wrote to memory of 4720	3920	cmd.exe	97
PID 3220 wrote to memory of 4512	3220	cmd.exe	96

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	759444e3c79e8f7662457b4bd662feb0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\759444e3c79e8f7662457b4bd662feb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\759444e3c79e8f7662457b4bd662feb0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads