Analysis
max time kernel: 149s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 18:39
Behavioral task: behavioral1
Sample: 179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
Size: 440KB
MD5: 179a3747b82b58a9c3589974e145adf0
SHA1: 80af51f31d6492945a846bd19f773005717f5c2c
SHA256: d67dd66d7f97cca8e9091c6f59e8bc9b4973d73df1f5fdc13fd7e68211679d32
SHA512: 09aff14d940db5c491bba80e46f93ba2251505c092eb8b915f6da1b0b7d81b39a81041cfbe8e5685bf500460f15ebbbd777864f84869d6242b17b1ced4721fe2
SSDEEP: 6144:xozXQKqfmiiyWwuiFOLeyOV0R7YRXxMSaAt:xgXQKSLpOCtV0R8xMSaAt
Malware Config
Signatures
- Detect Blackmoon payload (1 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\Syslemtkdfz.exe
    yara_rule: family_blackmoon
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation
    process: 179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
- Deletes itself (1 IoCs)
  Processes: Syslemtkdfz.exe
    pid: 4824  process: Syslemtkdfz.exe
- Executes dropped EXE (1 IoCs)
  Processes: Syslemtkdfz.exe
    pid: 4824  process: Syslemtkdfz.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe, Syslemtkdfz.exe
    pid: 4404  process: 179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
    pid: 4824  process: Syslemtkdfz.exe
  (the 64 entries are repetitions of these two pid/process pairs; duplicates collapsed)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
    description: PID 4404 wrote to memory of 4824
    pid: 4404  process: 179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe  target process: Syslemtkdfz.exe
  (three identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe"
  PID: 4404
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Syslemtkdfz.exe (child of PID 4404)
    command line: "C:\Users\Admin\AppData\Local\Temp\Syslemtkdfz.exe"
    PID: 4824
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 440KB
  MD5: 4c5a5be459de8c3d4337200262d00496
  SHA1: 4f3c89e27f155a0186a8185a5d3a0ef6a7ac2658
  SHA256: 27b75cf01e3e5eec11a5da70d5271de1458b37ce24bff79d73a6eb8c6b5c2072
  SHA512: b7fdb330a6cdd920bad43fa5b37f522b2232488826eb92653dc36f380f4e81db52450c44b47d88ddf8c5d25d6ea9cb97552bceacac39a7b5393650ccd5411a13
- Filesize: 85B
  MD5: 54d41c70346c63fe3c979fde34619245
  SHA1: 67b3fb2513cb6139cc59fc2f3e8d2a7dda90075e
  SHA256: 78bdb350a85957d40c526bcac8ee71f821376600c40c8d21b08628a38b5f4797
  SHA512: 50f6e2acc57cd9793d20503d842736b9b97802082872d50d0c293d5551b79e805a2c7c213df6de3dca5306bfa497f03a64fda3c902158c2236b189242e0e4df8