General

  • Target

    762ed0a27d3f400bdd81d7de464dbbe0_NeikiAnalytics.exe

  • Size

    130KB

  • Sample

    240519-faxngaba23

  • MD5

    762ed0a27d3f400bdd81d7de464dbbe0

  • SHA1

    943ea1cce24991c60ad19caa247450f55160d392

  • SHA256

    1b470f2f5e80b0505c2f00d7603d36b38a8580f1ad42761e41dcde66dad3e30a

  • SHA512

    5bc877b4be86bbf745790c4479349e7bb47bbf4acb5aeb108021f78b0f6d44204e5acbbe9c80035b9bbb06e19fe3fe0749ed4ca330c98e80a5af0ed9005d9ff9

  • SSDEEP

    1536:eH1ZaQvR1KiX3NK6I+hZhYrt/w5Q6G6IpiRYzz9qJHhhnm0yG5aP/5UROXTmZ2:SKQJcinxphkG5Q6GdpIOkJHhKRyOXK8

Malware Config

Targets

    • Target

      762ed0a27d3f400bdd81d7de464dbbe0_NeikiAnalytics.exe

    • Size

      130KB

    • MD5

      762ed0a27d3f400bdd81d7de464dbbe0

    • SHA1

      943ea1cce24991c60ad19caa247450f55160d392

    • SHA256

      1b470f2f5e80b0505c2f00d7603d36b38a8580f1ad42761e41dcde66dad3e30a

    • SHA512

      5bc877b4be86bbf745790c4479349e7bb47bbf4acb5aeb108021f78b0f6d44204e5acbbe9c80035b9bbb06e19fe3fe0749ed4ca330c98e80a5af0ed9005d9ff9

    • SSDEEP

      1536:eH1ZaQvR1KiX3NK6I+hZhYrt/w5Q6G6IpiRYzz9qJHhhnm0yG5aP/5UROXTmZ2:SKQJcinxphkG5Q6GdpIOkJHhKRyOXK8

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • ModiLoader Second Stage

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks