Analysis
max time kernel: 149s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 21:36
Behavioral task: behavioral1
Sample: 41c354f1ced98b4a8b39cb0af6482550_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 41c354f1ced98b4a8b39cb0af6482550_NeikiAnalytics.exe
Size: 355KB
MD5: 41c354f1ced98b4a8b39cb0af6482550
SHA1: b1c731090a1467ad288c30c7af3182aea7fff832
SHA256: e6558cbd6922a293e91c0b292ef58494affd161a1e8c61d220fd8d2554505668
SHA512: 231778cb6de65cbe23f83879d1b218699584d134ca8c7d40035fbf3bc3a764d0ad0d1d7ae17ca10fb5d3d9939f3047457fec50f78dd5fb1b3d7c76de4481415b
SSDEEP: 6144:/qvk3Q5ibjnNuuXckaL7pbRBkce97aw/N4L7oi:/qvMQ5ibjnwka3pbRC19Gw/Nsoi
Malware Config
Signatures
Detect Blackmoon payload (1 IoC)
  resource: C:\Users\Admin\AppData\Local\Temp\Systemzhnrl.exe
  yara_rule: family_blackmoon
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  process: 41c354f1ced98b4a8b39cb0af6482550_NeikiAnalytics.exe
  key value queried: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation
Deletes itself (1 IoC)
  pid 4976: Systemzhnrl.exe
Executes dropped EXE (1 IoC)
  pid 4976: Systemzhnrl.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Repeated process-enumeration hits, 64 in total, from two processes:
  pid 940: 41c354f1ced98b4a8b39cb0af6482550_NeikiAnalytics.exe
  pid 4976: Systemzhnrl.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 940 (41c354f1ced98b4a8b39cb0af6482550_NeikiAnalytics.exe) wrote to the memory of PID 4976 (Systemzhnrl.exe), recorded 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\41c354f1ced98b4a8b39cb0af6482550_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\41c354f1ced98b4a8b39cb0af6482550_NeikiAnalytics.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Systemzhnrl.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\Systemzhnrl.exe"
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
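The signatures above are individually weak (many installers read Geo\Nation, and parents routinely write to children they spawn); what makes this run worth alerting on is the chain: the sample reads the configured country, writes an executable into %TEMP%, starts it, writes into its memory, and the child then removes an image. The following Python is an added example, not part of the sandbox report or its tooling: it correlates a constructed event trace (modelled on the report's PIDs, paths and registry key) into those four behaviours. The event schema, the trace and the assumption that the "Deletes itself" hit removes the parent's image (the report does not name the deleted path) are mine.

```python
"""Correlate sandbox-style process/registry/file events into the behaviours in the report above."""
from collections import Counter
from dataclasses import dataclass

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP_DIR + r"\41c354f1ced98b4a8b39cb0af6482550_NeikiAnalytics.exe"
DROPPED = TEMP_DIR + r"\Systemzhnrl.exe"
# Registry value the report shows being queried (compared case-insensitively on the suffix).
GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"


@dataclass(frozen=True)
class Event:
    pid: int          # acting process
    image: str        # image path of the acting process
    op: str           # proc_start | reg_query | file_write | proc_create | write_process_memory | file_delete
    target: str       # registry key, file path, or image of the target process
    target_pid: int = 0  # set only for proc_create / write_process_memory


# Constructed trace (not sandbox output), following the PIDs, paths and key from the report.
TRACE = [
    Event(940, SAMPLE, "proc_start", ""),
    Event(940, SAMPLE, "reg_query",
          r"\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation"),
    Event(940, SAMPLE, "file_write", DROPPED),
    Event(940, SAMPLE, "file_write", TEMP_DIR + r"\fpath.ini"),
    Event(940, SAMPLE, "proc_create", DROPPED, target_pid=4976),
    Event(4976, DROPPED, "proc_start", ""),
    Event(940, SAMPLE, "write_process_memory", DROPPED, target_pid=4976),
    Event(940, SAMPLE, "write_process_memory", DROPPED, target_pid=4976),
    Event(940, SAMPLE, "write_process_memory", DROPPED, target_pid=4976),
    # Assumption: the "Deletes itself" hit is modelled as the dropped child removing
    # the original sample's image; the report does not state which file was deleted.
    Event(4976, DROPPED, "file_delete", SAMPLE),
]


def parent_map(events):
    """Map child pid -> (parent pid, parent image) from proc_create events."""
    return {e.target_pid: (e.pid, e.image) for e in events if e.op == "proc_create"}


def geofence_checks(events):
    """PIDs that read the machine's configured country ('Checks computer location settings')."""
    return sorted({e.pid for e in events
                   if e.op == "reg_query" and e.target.lower().endswith(GEO_KEY_SUFFIX)})


def dropped_executions(events):
    """(writer pid, new pid, path) for every .exe written during the run and later started."""
    writers = {}
    hits = []
    for e in events:
        key = e.target.lower()
        if e.op == "file_write" and key.endswith(".exe"):
            writers[key] = e.pid
        elif e.op == "proc_create" and key in writers:
            hits.append((writers[key], e.target_pid, e.target))
    return hits


def cross_process_writes(events):
    """Number of WriteProcessMemory calls per (source pid, target pid)."""
    return dict(Counter((e.pid, e.target_pid)
                        for e in events if e.op == "write_process_memory"))


def self_or_parent_deletes(events):
    """PIDs that delete their own image or the image of the process that spawned them."""
    parents = parent_map(events)
    hits = set()
    for e in events:
        if e.op != "file_delete":
            continue
        parent_image = parents.get(e.pid, (0, ""))[1]
        deleted = e.target.lower()
        if deleted == e.image.lower() or (parent_image and deleted == parent_image.lower()):
            hits.add(e.pid)
    return sorted(hits)


def summarize(events):
    """One dict with all four findings; an empty value means the behaviour was not seen."""
    return {
        "geofence_check": geofence_checks(events),
        "drop_and_execute": dropped_executions(events),
        "write_process_memory": cross_process_writes(events),
        "self_delete": self_or_parent_deletes(events),
    }


if __name__ == "__main__":
    for name, finding in summarize(TRACE).items():
        print(f"{name}: {finding}")
```

Each function is deliberately independent so a single hit (for example the Geo\Nation read) can be scored low on its own, while a trace that fires all four, with the same pid chain running through them, is the pattern this report documents.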
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\Systemzhnrl.exe
  Filesize: 355KB
  MD5: acb300708b7e001119fa77f8c367eaa7
  SHA1: f19c8e449df0d085ba92876efe95d131fccc7dbf
  SHA256: 67e9fdd5f702ef9ac7380ebbf7c82c653452751d8900c864964fb878783f2884
  SHA512: 09ab47288c27fc1be75b5ad8b2ad165a4001a010eb51f772f03b211955287d03832d3d683b0583853ad227af66d319e7edbaf4bfd094752379656fcdcff46d7f

C:\Users\Admin\AppData\Local\Temp\fpath.ini
  Filesize: 85B
  MD5: 022640d2e08afc57d4f9f434e723f406
  SHA1: 6bcd959cd291fc5dec8e2f8a3448e8b01b1c8a5f
  SHA256: 757f0756e7d418c10c2213d57e740153ea7f4d1ea19db18353fc6d669569277f
  SHA512: 7d262b2b1bc2eeac231f355413a631dbfe53f8241a7b1008cf7c196e5c693642459b16ceed6bc62dd30c8928344b20f1f25b5eec373ab0f27fe59428dcbe2136