Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/05/2024, 13:49
Behavioral task: behavioral1
Sample: d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe
Resource: win7-20231129-en
General

Target: d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe
Size: 355KB
MD5: d1522c355d1ec4696eea35498389ad80
SHA1: 277b214fb3c635fe4ab3d57fc31a50e719df6e39
SHA256: fc7722f549ca808898965510f3b39a288314c7913204fef1f1f43b1b3de150d4
SHA512: 466df8010620aac5d690195930d119a837987fa438024cb6334c7a18b9a1f757694a8fc5b574ead9642d21ffbfa6040c74ff56b6df0e0ad2b0939367827ac21f
SSDEEP: 6144:/qvk3Q5ibjnNuuXckaL7pbRBkce97aw/N4L7og:/qvMQ5ibjnwka3pbRC19Gw/Nsog
Malware Config
Signatures
Detect Blackmoon payload (1 IoC)
resource: behavioral2/files/0x0005000000022970-8.dat
yara_rule: family_blackmoon

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
Process: d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe

Deletes itself (1 IoC)
pid: 864
Process: Systemriwwd.exe

Executes dropped EXE (1 IoC)
pid: 864
Process: Systemriwwd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 2232, Process d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe (12 entries)
pid 864, Process Systemriwwd.exe (the remaining 52 entries)

Suspicious use of WriteProcessMemory (3 IoCs)
description: PID 2232 wrote to memory of 864
pid: 2232
Process: d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe
procid_target: 87
(the same entry is recorded three times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2232

   2. C:\Users\Admin\AppData\Local\Temp\Systemriwwd.exe (depth 2, spawned under process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Systemriwwd.exe"
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 864
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 355KB
MD5: 6baa2494981900654587eaef76792708
SHA1: ff5357a96a62f673eb9de69715d46f9e5c4027b9
SHA256: f007350593dd857cc124c0403994caed130e9f65d6c3cadf5639bd58b766947a
SHA512: 940d694c895d1620324bed7291e1eb769b4e4e01eea2109eca360d9a62e3837174309a268e110f4e0ccf655195ec317194d282330f0bb87875fd95c71ee90ccf

Filesize: 85B
MD5: cac8f47d93a5cca20160366f21cc5589
SHA1: 76b39ae065f3fe14863f843a5bac5e1e1c4eef66
SHA256: e1615f5084bb8bca90b68a128348356e9b0c04ee1f91ae31bbc74b8823f6a502
SHA512: 6c6c2b1f0e9a09c2ea4f70272c9e8f31a8c9e810f73a6c8e41d85986819416d7e360b2ac29f1efbd4c1a055551b9d6f37711ad3e598365994a922c98f6d46320