Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 19:30
Static task
static1
Behavioral task
behavioral1
Sample
07ff6106d412fe626112d89216353930_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
07ff6106d412fe626112d89216353930_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
07ff6106d412fe626112d89216353930_NeikiAnalytics.exe
-
Size
29KB
-
MD5
07ff6106d412fe626112d89216353930
-
SHA1
b1b7f98313a3945c454c548463bdf1ee568a9cd0
-
SHA256
245b916426db931f04992c14e2934f331c406c067a76dd62b99125520ab2a670
-
SHA512
eaca8a63780cb936443ba8c4cf7254a34d98f45d1ce66ca8666d33644bb1ddfe93be8d3ac75aa9ae08226eefa4c37c4800e84ae8a15231dd54ed29c0b87d8e41
-
SSDEEP
768:fzQL/qXL7g5AQRBIFGEjvDgtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGWSd:fUL/o7EjR2HgtdgI2MyzNORQtOflIwoh
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
07ff6106d412fe626112d89216353930_NeikiAnalytics.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation 07ff6106d412fe626112d89216353930_NeikiAnalytics.exe -
Executes dropped EXE 1 IoCs
Processes:
ghyte.exepid process 3400 ghyte.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
07ff6106d412fe626112d89216353930_NeikiAnalytics.exedescription pid process target process PID 4328 wrote to memory of 3400 4328 07ff6106d412fe626112d89216353930_NeikiAnalytics.exe ghyte.exe PID 4328 wrote to memory of 3400 4328 07ff6106d412fe626112d89216353930_NeikiAnalytics.exe ghyte.exe PID 4328 wrote to memory of 3400 4328 07ff6106d412fe626112d89216353930_NeikiAnalytics.exe ghyte.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\07ff6106d412fe626112d89216353930_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\07ff6106d412fe626112d89216353930_NeikiAnalytics.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Users\Admin\AppData\Local\Temp\ghyte.exe"C:\Users\Admin\AppData\Local\Temp\ghyte.exe"2⤵
- Executes dropped EXE
PID:3400
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD5122b6d2a136a62ae7ca76164c7f87825
SHA1286319fec8e9d21c234331754828504286525fc0
SHA256ccfe62e17d5457e284263104b1d5fa68751395465c88bdd4d5bc8cdc4fdcee36
SHA51280cd8c8fadbea6b276a7bc529124794eedaa6dbef4f1f63e1d2cf5f545b1918849b637cae45e19cd144c94eadfc70e0a3775bd144a0506bf893d01ac076ce762