Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 17-05-2024 07:11

Static task: static1
Behavioral task: behavioral1
Sample: cb585c611c5027b7eef337b602f0e700_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: cb585c611c5027b7eef337b602f0e700_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General
Target: cb585c611c5027b7eef337b602f0e700_NeikiAnalytics.exe
Size: 53KB
MD5: cb585c611c5027b7eef337b602f0e700
SHA1: 76a0215bc3d5dd9daeb91be56f6d973b93a4a0b9
SHA256: 403222646e3585a1762aae15c6cb2ed028b94183a86c3904163790309c2d8602
SHA512: 2849782befdb5133d34f17a200ee5cf5e4ba51a6c6cc86f0b86e27f249baf1d5ac10ff77f6c29164fe152bc5764df66314385df893d0eaf38e79f69f42320f19
SSDEEP: 1536:vNjBg8r8QBs2kdMu7P7Kp3StjEMjmLM3ztDJWZsXy4JzxPMk:l3s2kdMuLJJjmLM3zRJWZsXy4JN
Malware Config

Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description: Set value (int); ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"; process: hfveog.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation; process: cb585c611c5027b7eef337b602f0e700_NeikiAnalytics.exe

Executes dropped EXE (1 IoC)
pid: 3396; process: hfveog.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hfveog = "C:\\Users\\Admin\\hfveog.exe"; process: hfveog.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid: 3396; process: hfveog.exe (all 64 entries are identical)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid: 1616; process: cb585c611c5027b7eef337b602f0e700_NeikiAnalytics.exe
pid: 3396; process: hfveog.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description: PID 1616 wrote to memory of 3396; pid: 1616; process: cb585c611c5027b7eef337b602f0e700_NeikiAnalytics.exe; procid_target: 91 (3 identical entries)
description: PID 3396 wrote to memory of 1616; pid: 3396; process: hfveog.exe; procid_target: 82 (all remaining entries are identical)
Processes
C:\Users\Admin\AppData\Local\Temp\cb585c611c5027b7eef337b602f0e700_NeikiAnalytics.exe (process tree level 1, PID 1616)
Command line: "C:\Users\Admin\AppData\Local\Temp\cb585c611c5027b7eef337b602f0e700_NeikiAnalytics.exe"
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

C:\Users\Admin\hfveog.exe (process tree level 2, PID 3396)
Command line: "C:\Users\Admin\hfveog.exe"
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 53KB
MD5: 57fd3eb06b2b266e89caa81b2bf38dc1
SHA1: d7a0c18405e8cd9213fe0723e6dd86f37bb8685d
SHA256: 50fcf964200c725086c5eeba4a01e9e5b0597d8158a12fa40308e35e9aabb5c2
SHA512: 9bcbfd0a66966bcd7c3444679342f898591eca4fe27affdbfa9590fe2dd64cd1af4a7cc5180d1f6f75149bda1659386fbec2dc02e6a95a687789da542d5ac799