e002d16bd678b96d6393f58875621aa57b9bea730c28a7b23aa5684b5a842aea

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4749b36a1abe39558e39ffe15c0a3f0_NeikiAnalytics.exe
Size

280KB
MD5

d4749b36a1abe39558e39ffe15c0a3f0
SHA1

b80979449900942a18e63af551887c1920e2e0a6
SHA256

e002d16bd678b96d6393f58875621aa57b9bea730c28a7b23aa5684b5a842aea
SHA512

23a817e1933bcabf74966b33b4d7a4d2e150a93bc3d8700640f47592b811b79e832d12fb4032788ebfab58eec4ec72d2a7cfb89f29b900ade293c7b4c5d83d4b
SSDEEP

6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfk:boSeGUA5YZazpXUmZhZ6Sd

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d4749b36a1abe39558e39ffe15c0a3f0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	d4749b36a1abe39558e39ffe15c0a3f0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

a1punf5t2of.exe

pid process

3576 a1punf5t2of.exe

pid	process
3576	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d4749b36a1abe39558e39ffe15c0a3f0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	d4749b36a1abe39558e39ffe15c0a3f0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d4749b36a1abe39558e39ffe15c0a3f0_NeikiAnalytics.exea1punf5t2of.exe

description	pid	process	target process
PID 2564 wrote to memory of 3576	2564	d4749b36a1abe39558e39ffe15c0a3f0_NeikiAnalytics.exe	a1punf5t2of.exe
PID 2564 wrote to memory of 3576	2564	d4749b36a1abe39558e39ffe15c0a3f0_NeikiAnalytics.exe	a1punf5t2of.exe
PID 2564 wrote to memory of 3576	2564	d4749b36a1abe39558e39ffe15c0a3f0_NeikiAnalytics.exe	a1punf5t2of.exe
PID 3576 wrote to memory of 4740	3576	a1punf5t2of.exe	a1punf5t2of.exe
PID 3576 wrote to memory of 4740	3576	a1punf5t2of.exe	a1punf5t2of.exe
PID 3576 wrote to memory of 4740	3576	a1punf5t2of.exe	a1punf5t2of.exe

C:\Users\Admin\AppData\Local\Temp\d4749b36a1abe39558e39ffe15c0a3f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d4749b36a1abe39558e39ffe15c0a3f0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
3⤵
PID:4740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
Filesize
280KB

MD5
d6aca1d19b5438184759bd9bedd2c236

SHA1
a66d7da86f166e4aa77fac54e66efd64b9ba1716

SHA256
5dd34dd671d6c8a27384409d670f42d1a24b937f33b9fbdc28f9876540341b5f

SHA512
737879de8ef090ef95691bbc27455fa6b4f5a12c612f3d332781cc4a091e1dc0c42b081bb4b750c921dbf8616bb43e8e70596bb51d6e265d39c97e1dec5ed2c2

Download Submit
memory/2564-0-0x0000000075132000-0x0000000075133000-memory.dmp

Filesize
4KB

Download
memory/2564-1-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/2564-2-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/2564-3-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/2564-17-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/3576-18-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/3576-19-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/3576-20-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/3576-21-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/3576-23-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download