Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 21:06
Static task: static1
Behavioral task: behavioral1
  Sample: 3b797617beaa5235b8072aa61135ec60_NeikiAnalytics.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 3b797617beaa5235b8072aa61135ec60_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 3b797617beaa5235b8072aa61135ec60_NeikiAnalytics.exe
Size: 2.7MB
MD5: 3b797617beaa5235b8072aa61135ec60
SHA1: 4140377a3e9171e7bb00a3f00e4aa5fb012f1fc0
SHA256: 32d472dc0e7995808e756b30eed90e82f0f12f95e529eeab40b69558e4d236c9
SHA512: ea0c8eebb0cb8cbb1bb8e2007e5e583986b81d8d50dfa27079073149f9aaf3845bbb4f58a082be2b676388049c9c4f4c7cc85268a661957419f07b6b5af95e70
SSDEEP: 49152:9nvnjz5FTr7wEMP2mQz0qpWTSRkIAo5h4TLbBaoJyL6w6PFObS5CsEXDKN3qL:rF7Y2iSFAM4LZw6423EXONaL
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation
  process: 3b797617beaa5235b8072aa61135ec60_NeikiAnalytics.exe

Executes dropped EXE (1 IoC)
Processes:
  pid: 2088
  process: PCCourier.exe

Loads dropped DLL (1 IoC)
Processes:
  pid: 2856
  process: 3b797617beaa5235b8072aa61135ec60_NeikiAnalytics.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
  pid: 2088
  process: PCCourier.exe (12 identical entries)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 2856 wrote to memory of 2088 (3 identical entries)
  pid: 2856
  process: 3b797617beaa5235b8072aa61135ec60_NeikiAnalytics.exe
  target process: PCCourier.exe
Processes
C:\Users\Admin\AppData\Local\Temp\3b797617beaa5235b8072aa61135ec60_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b797617beaa5235b8072aa61135ec60_NeikiAnalytics.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2856
  C:\Users\Admin\AppData\Local\Temp\DLa03528\PCCourier.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DLa03528\PCCourier.exe" 569888286.pco
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 2088
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 56KB
MD5: 8adc3ce2c28c443d5b0c462a631bae77
SHA1: ba9929a71bb769b5d269b306ae0f2425c5482917
SHA256: c4951bff086290f1b5b8827b499171d5be1aa49a64b5ad9d3bfdb188bb6576bb
SHA512: d47659d27507fa1ae99f36c60e7fc5a19e126220efb432a2c11c73cff3e906d8d8e36e6a9566e4782c8560045548b9b09ad4284d3bd8d8c8e13766e60cac2b3c

Filesize: 1.7MB
MD5: b05674e4792a70ddc35ba34739acaf07
SHA1: 90532e8d1e6bfeb9895b6cb095cfdf5fa2dc38b0
SHA256: efa14a6bb3fcc997e0ceeaf464099edbe3142947da9106338f3a03df79e19ac5
SHA512: 5d6c5102714cd25e4f331a6a0bf1adbf20b855a3dfe6afdea12112449382803184ae0eba200dc5037fb75508c57cc5b58633b7fa2f80694e11247c5751399cb0

Filesize: 72KB
MD5: 88f0f96fb8c7072ba5212ef83a417cf8
SHA1: 29dca7c38b31057a134289e610059ef8755befbf
SHA256: 7b03e8fea3bb787bcf08636f35e8959ee907d62a8f165af08e4feaf52a499158
SHA512: 69229a4fe76b80f8b99ae5d06036a2ad1cf3c2e4a3af9cc0b92efd3a06052481ab8c028f0b09136471447aadf4d2ffdfb2d32fe25038a6251da0eb3662a0fc6b

Filesize: 476KB
MD5: a9e4d732454d49d343950063ca011b48
SHA1: 9af5efbbcc2b04bd0a62d48926f2a0252ff1b480
SHA256: d11485e39c0c9b934e41f349272362d2aac019890f37e2a5b34c1a841b282b14
SHA512: c44a1a56620aaf81231f9a13e332588b11fc92de9216ea73a0ce0a1529f823b7d6d077bcd6040bd50f641e8f4bec0fcb147368ca740c0c0f683b0e5eceba4191

Filesize: 8KB
MD5: 223532266120c9a0c43788dd021b062d
SHA1: ef735bbf225403f8673ec93f94e94b2dd5ec6a4f
SHA256: 1d32720ee2e52e71b9b37301c839ba9f2af1d9863d6708e19c844dc1e76e1534
SHA512: b64e6acc8c05b70507f7426e7a0ffaccade6ada4c30551e3302925f3ecbd6462d1294c3bffabae88a1cb84182f0e24f9a289a8f273f37f5c11e16b289b7d3ef8

Filesize: 408B
MD5: a3a6df9108f5a961966ef7df828740b6
SHA1: 1e97935cafa63515e483baa67ca3f80ce4ccb0db
SHA256: 3a9ebecd305776da3c838b5a7de6de2b7d72e97a292874a6f6834efd8b9d76c3
SHA512: 4e4442775cc443f5c9354680b82b0089b6796dd86fb6e65e824e773e5064153c9f7031f5d83152394f3ce279cf6fec0f738f3f8ea2970b46eff1cfffc9ca1e46

Filesize: 1.1MB
MD5: d9afa0c1f4a50009528e94977b32c1d2
SHA1: 9fd912c2fb2c5e3b2163589ad616b7457851c7df
SHA256: 2d1ed721e365c9300ee8f36a8cef860fb2d3085bece5ecfc53e318e36aee640e
SHA512: f54b88e977b4b0477d18a04bbd072a41e8fe59ad907ea1f67b0eb51a65b563e1e033baa20a621380725d26a6d39442635c3a74c427bc27dc85fceb555288c1ef

Filesize: 140KB
MD5: 7e515cc5178101fd47ea8c1bd6f911ca
SHA1: 54493e3176b2253e529f4550df2d3e33779b6c8c
SHA256: 0fe54ebe43a83e92cc9d0325b655e85b854e8631fb651af82cb4c58e977916ad
SHA512: d21d19481dbf72194e78e56aaa6ca1b7eb738d3cd3b4fb6db824985e611a491473de5c87e9ca4f71f294774444eb97566c8bea77f6302880d1fce8fce8056e4f

Filesize: 75KB
MD5: 04d90e3a2e20f6206ae5e65a7601db81
SHA1: cf346c22ee96cfc54a6116ffe719cc846a713968
SHA256: 702f416317650f0fef09de0516ca91920c7f855e8bde82d32f4b4e13c34830aa
SHA512: 04b88b0e8ce0dab52cdcb21da0fedd73da4586d64cb9b8a8c6cf24ea279004c6c30c74f2e7dbb565f5f4e41b3bbbd85be9ba7506bf92307d8b2cc4bb7d7d2882