Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/05/2024, 13:49

General

  • Target

    d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe

  • Size

    355KB

  • MD5

    d1522c355d1ec4696eea35498389ad80

  • SHA1

    277b214fb3c635fe4ab3d57fc31a50e719df6e39

  • SHA256

    fc7722f549ca808898965510f3b39a288314c7913204fef1f1f43b1b3de150d4

  • SHA512

    466df8010620aac5d690195930d119a837987fa438024cb6334c7a18b9a1f757694a8fc5b574ead9642d21ffbfa6040c74ff56b6df0e0ad2b0939367827ac21f

  • SSDEEP

    6144:/qvk3Q5ibjnNuuXckaL7pbRBkce97aw/N4L7og:/qvMQ5ibjnwka3pbRC19Gw/Nsog

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Local\Temp\Systemriwwd.exe
      "C:\Users\Admin\AppData\Local\Temp\Systemriwwd.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:864

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Systemriwwd.exe

    Filesize

    355KB

    MD5

    6baa2494981900654587eaef76792708

    SHA1

    ff5357a96a62f673eb9de69715d46f9e5c4027b9

    SHA256

    f007350593dd857cc124c0403994caed130e9f65d6c3cadf5639bd58b766947a

    SHA512

    940d694c895d1620324bed7291e1eb769b4e4e01eea2109eca360d9a62e3837174309a268e110f4e0ccf655195ec317194d282330f0bb87875fd95c71ee90ccf

  • C:\Users\Admin\AppData\Local\Temp\fpath.ini

    Filesize

    85B

    MD5

    cac8f47d93a5cca20160366f21cc5589

    SHA1

    76b39ae065f3fe14863f843a5bac5e1e1c4eef66

    SHA256

    e1615f5084bb8bca90b68a128348356e9b0c04ee1f91ae31bbc74b8823f6a502

    SHA512

    6c6c2b1f0e9a09c2ea4f70272c9e8f31a8c9e810f73a6c8e41d85986819416d7e360b2ac29f1efbd4c1a055551b9d6f37711ad3e598365994a922c98f6d46320