e573ddf2987e9db3d19f6166cee22f44c851cd69fa1d4b89232eecdfb2b5940f

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 17:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
Size

40KB
MD5

128eef13c62f907057675374a28c5ca0
SHA1

b020d4f613b5ecfb224a122f16ba112e9bea3677
SHA256

e573ddf2987e9db3d19f6166cee22f44c851cd69fa1d4b89232eecdfb2b5940f
SHA512

5118491c7f4abe2ce173799aa7155e54cf5d5f83f1d9608d0ef93da92604c61a391f1d89f70101ccf3cba9089a3d98ac9b83e3fbe90bb6ccf6d0a0799be0c10d
SSDEEP

768:k/fko/XyGtJk+FBp8F9bdHXtHs7CQpcdHoCCvc:kUAtK+N8F95NWee1vc

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Admin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
920	Admin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	Admin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
920	Admin.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 920	1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe	100
PID 1012 wrote to memory of 920	1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe	100
PID 1012 wrote to memory of 920	1012	128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe	100

C:\Users\Admin\AppData\Local\Temp\128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\128eef13c62f907057675374a28c5ca0_NeikiAnalytics.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Users\Admin\Admin.exe
  "C:\Users\Admin\Admin.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1748,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8
1⤵
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Admin.exe

Filesize
40KB

MD5
d2d890dad88f7e1989589bbbdfbea34c

SHA1
f098b097cb1c4fffd260b8cb3764af83b2525a91

SHA256
f9f33d9f702dda553edddc4a3e54692087f2dd2ce96efb115de1cfc47e5259d2

SHA512
b6680e45a46266aaf2ac61ef7d4dc2f97426710d8a72f73d5e2c9df97ce01bc7f0a6675e04bd78f76e004a2c1c0e6960056797d2c0ac8981be79ebc2ae8aeee9

Download Submit