636af629e9014596da13895a9449d6752d69c0386166f7b62bb3ef8707360dd2

General

Target

217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe
Size

144KB
MD5

217666beef3a41d0caa8033721e4e430
SHA1

9510a3c797b954c6568bf32b26c494e735d1b90f
SHA256

636af629e9014596da13895a9449d6752d69c0386166f7b62bb3ef8707360dd2
SHA512

5f030ebaf11a8d9ad9e3b061bf1ee549c809b6697bd6f2fb565bcf58baebbb9e5492b31f94c88cda03f42e59d3824f5930b058fa26fdcdf678e8b0d6205828db
SSDEEP

3072:l5SVkkgUgXC7AdYzrV+Dljy/32ubwZ/qJ:SUFCkdYzrVolu/J0Z/

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
2096	WindowsService.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2852-4-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2852-6-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2852-7-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2852-10-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2852-17-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2852-24-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2852-39-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4336 set thread context of 2852	4336	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4336	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe
2852	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe
2096	WindowsService.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 2852	4336	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	99
PID 4336 wrote to memory of 2852	4336	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	99
PID 4336 wrote to memory of 2852	4336	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	99
PID 4336 wrote to memory of 2852	4336	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	99
PID 4336 wrote to memory of 2852	4336	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	99
PID 4336 wrote to memory of 2852	4336	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	99
PID 4336 wrote to memory of 2852	4336	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	99
PID 4336 wrote to memory of 2852	4336	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	99
PID 2852 wrote to memory of 4492	2852	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	103
PID 2852 wrote to memory of 4492	2852	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	103
PID 2852 wrote to memory of 4492	2852	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	103
PID 4492 wrote to memory of 712	4492	cmd.exe	106
PID 4492 wrote to memory of 712	4492	cmd.exe	106
PID 4492 wrote to memory of 712	4492	cmd.exe	106
PID 2852 wrote to memory of 2096	2852	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	107
PID 2852 wrote to memory of 2096	2852	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	107
PID 2852 wrote to memory of 2096	2852	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	107

C:\Users\Admin\AppData\Local\Temp\217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Users\Admin\AppData\Local\Temp\217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQNVH.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
      4⤵
      Adds Run key to start application
      PID:712
- - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
    "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PQNVH.txt

Filesize
157B

MD5
f6a90c20834f271a907a4e2bc28184c2

SHA1
36c9d1602b74f622346fbb22693597d7889df48d

SHA256
73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd

SHA512
39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

Download Submit
C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe

Filesize
144KB

MD5
795d4f62f0b30a6d64faefe5931faaa5

SHA1
921b497d2c4199abb5df6cca33dd2afe79fa4675

SHA256
a17c2df755a0112514de298b7f7a2308ea4b6247ee21a43d6ddb87fc7ac84658

SHA512
dcd29ef081778d5961909130cfa227624e1dd22958ff6054b9c71b6583591d1b7fc0b8732a4eb179c765ff04a307a76296119271e957472b66c5d654f1d620b2

Download Submit
memory/2852-4-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2852-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2852-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2852-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2852-17-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2852-24-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2852-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4336-3-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/4336-2-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads