592096f1919727b1be5cb0e11302cdf4ef1ea1170dccd64893581afc07cf23a7

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1451808e039127828dc813b74ac28430_NeikiAnalytics.exe
Size

3KB
MD5

1451808e039127828dc813b74ac28430
SHA1

282a215c72b532e6016490cc862b4a89bf0f3a26
SHA256

592096f1919727b1be5cb0e11302cdf4ef1ea1170dccd64893581afc07cf23a7
SHA512

29dd6473c7de6428898eb3c54819c8aaef2582643cecbb40999aff5b8efa68b9569a0f113a4815b38f05c3d839b407672e9a21c60a9c560f0de87a2fc328757d

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1451808e039127828dc813b74ac28430_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	1451808e039127828dc813b74ac28430_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

yxazj.exe

pid process

4660 yxazj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4660	yxazj.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1451808e039127828dc813b74ac28430_NeikiAnalytics.exe

description	pid	process	target process
PID 4024 wrote to memory of 4660	4024	1451808e039127828dc813b74ac28430_NeikiAnalytics.exe	yxazj.exe
PID 4024 wrote to memory of 4660	4024	1451808e039127828dc813b74ac28430_NeikiAnalytics.exe	yxazj.exe
PID 4024 wrote to memory of 4660	4024	1451808e039127828dc813b74ac28430_NeikiAnalytics.exe	yxazj.exe

C:\Users\Admin\AppData\Local\Temp\1451808e039127828dc813b74ac28430_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1451808e039127828dc813b74ac28430_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Local\Temp\yxazj.exe
"C:\Users\Admin\AppData\Local\Temp\yxazj.exe"
2⤵
- Executes dropped EXE
PID:4660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yxazj.exe
Filesize
3KB

MD5
4cbadf6eebb948a2ca7466985c0a8753

SHA1
740318d64453dd43d3511c2f1429f2176c321a00

SHA256
e351f8156d20768362b099ee27880dd9aa3552f8c9e9cb3890a3093af6fb6e6b

SHA512
5ba55dcfb1f3ee565f837beabe8b9c401cc732049182a529ac9dd5e85f0bd3d2edcd4bb3dc468d5bd7bb62f1ac0b6ea0f28267efe931d56dff5c5112761296db

Download Submit