Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/05/2024, 22:08
Static task: static1
Behavioral task: behavioral1
Sample: 954bd9514b6a8e84eeb0a0b17c1139d0_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 954bd9514b6a8e84eeb0a0b17c1139d0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 954bd9514b6a8e84eeb0a0b17c1139d0_NeikiAnalytics.exe
Size: 53KB
MD5: 954bd9514b6a8e84eeb0a0b17c1139d0
SHA1: 48eab341dbc49cc504a1797493976930ef9e2b7d
SHA256: a8fb740f1d4b7080daff1038db95b9a7d634fdbddad6b5fa81ef741e8d3801ae
SHA512: 75e1f45756c5644a1858f2668152487eb2005453f8c44ba5a0434fe370ece50988551a3da446e80c2d1d59c9a02b50306553552c181839b55b7d06fdbdaa46e3
SSDEEP: 1536:vN5g8r8Qi4iYav7Kp3StjEMjmLM3ztDJWZsXy4JzxPMk:i4iYavJJjmLM3zRJWZsXy4Jt
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Process: seudu.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
Process: 954bd9514b6a8e84eeb0a0b17c1139d0_NeikiAnalytics.exe
Executes dropped EXE (1 IoC)
pid: 3960
Process: seudu.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seudu = "C:\\Users\\Admin\\seudu.exe"
Process: seudu.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 3960, Process seudu.exe (the same entry repeated 64 times)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid 3588, Process 954bd9514b6a8e84eeb0a0b17c1139d0_NeikiAnalytics.exe
pid 3960, Process seudu.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description: PID 3588 wrote to memory of 3960; pid 3588, Process 954bd9514b6a8e84eeb0a0b17c1139d0_NeikiAnalytics.exe, procid_target 88 (entry repeated 3 times)
description: PID 3960 wrote to memory of 3588; pid 3960, Process seudu.exe, procid_target 81 (entry repeated 61 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\954bd9514b6a8e84eeb0a0b17c1139d0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\954bd9514b6a8e84eeb0a0b17c1139d0_NeikiAnalytics.exe"
   PID: 3588
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\seudu.exe (child of PID 3588)
      Command line: "C:\Users\Admin\seudu.exe"
      PID: 3960
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 53KB
MD5: 157ad35886f95213d9f24639aa9fa6b0
SHA1: e1493543b8844a276389a3d54bcd0b635b1c2f00
SHA256: 00246df80601680ec5b825daa1d91063b222c6278682b74b16c9c3d18a0932c5
SHA512: 307854c7483bf6c260bdcb6052314e087719f8851063c4f8afba469f2d9a92aeff62a17fd9caaeb1d59ecf8262cf29d72813d22439c04a336834a64f7484fbea