1e3283f3b71ef5a7e3f99405145c7627be672fab7444697f269fbf8a8e4946bc

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38acdf9ff17b1939e2773ebba41ca7b0_NeikiAnalytics.exe
Size

28KB
MD5

38acdf9ff17b1939e2773ebba41ca7b0
SHA1

1f1d016d1b6a3a6dbab64e9f490e686475af8dfc
SHA256

1e3283f3b71ef5a7e3f99405145c7627be672fab7444697f269fbf8a8e4946bc
SHA512

5470a044940c3cd99feb95bd1fffb0ec9551efb67ef2e8e49d90fded39a42fddf874a2053adf9e17e59f25469c996144664ef09d57827d759d02c40cd324a86b
SSDEEP

384:YVeSrFqjmO/3zfNrP1T56TYpMYUzMk9hBcecystKqhMa82c7ky435/tVcOOCWq:YFNy3B1T5CN/zoyst/Mdn43RvcONWq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

38acdf9ff17b1939e2773ebba41ca7b0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	38acdf9ff17b1939e2773ebba41ca7b0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

update_pdf.exe

pid process

4844 update_pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4844	update_pdf.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

38acdf9ff17b1939e2773ebba41ca7b0_NeikiAnalytics.exe

description	pid	process	target process
PID 3172 wrote to memory of 4844	3172	38acdf9ff17b1939e2773ebba41ca7b0_NeikiAnalytics.exe	update_pdf.exe
PID 3172 wrote to memory of 4844	3172	38acdf9ff17b1939e2773ebba41ca7b0_NeikiAnalytics.exe	update_pdf.exe
PID 3172 wrote to memory of 4844	3172	38acdf9ff17b1939e2773ebba41ca7b0_NeikiAnalytics.exe	update_pdf.exe

C:\Users\Admin\AppData\Local\Temp\38acdf9ff17b1939e2773ebba41ca7b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\38acdf9ff17b1939e2773ebba41ca7b0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\update_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\update_pdf.exe"
  2⤵
  - Executes dropped EXE
  PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update_pdf.exe

Filesize
28KB

MD5
378b185c8774c46437641a386f1ea6a8

SHA1
df0543071f77ee4bcfffff25e227c63774b82e5f

SHA256
98afc52a88b067f4d5c9e5851ec8ba669a3904c5507a7b0eb828f8ef3eb2e7d6

SHA512
8de4b220e6310ed8045ff9d8492cbdf3a253dabe9f4aef424fd0f9e863f4dac8191ecbef510faf6a586d25454e580b2c5aadf4e11bd42ea1cdc03876d08a30aa

Download Submit
memory/3172-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3172-2-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3172-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4844-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download