9d9629dc6f6ece6615f80b629f7944a33b9fc1fb8ebaf2e64ae8e053e76fdcb3

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe
Size

1.7MB
MD5

65791fb5028800be7a2be147b5363400
SHA1

e1780566adbaa93ceca2e879840cce86f19e4536
SHA256

9d9629dc6f6ece6615f80b629f7944a33b9fc1fb8ebaf2e64ae8e053e76fdcb3
SHA512

4856d274b4672a2b6a5490e6ff1c135b805097b724ca86808118e85bfaeb30d99c7a016c05be4faa596953aa79834d8c8c9e50977cfec70ee2c3f9ff71b8dbda
SSDEEP

49152:mbTChxKCnFnQXBbrtgb/iQvu0UHOaYmLH:m6hxvWbrtUTrUHO2L

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

65791fb5028800be7a2be147b5363400_NeikiAnalytics.exeWdExt.exelaunch.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WdExt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	launch.exe

Executes dropped EXE 4 IoCs

Processes:

WdExt.exelaunch.exewtmps.exemscaps.exe

pid process

2040 WdExt.exe
4296 launch.exe
3580 wtmps.exe
2876 mscaps.exe
Loads dropped DLL 2 IoCs

Processes:

65791fb5028800be7a2be147b5363400_NeikiAnalytics.exeWdExt.exe

pid process

4868 65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe
2040 WdExt.exe

pid	process
2040	WdExt.exe
4296	launch.exe
3580	wtmps.exe
2876	mscaps.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

launch.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\""	launch.exe

Drops file in System32 directory 2 IoCs

Processes:

wtmps.exe

description ioc process

File created C:\Windows\SysWOW64\mscaps.exe wtmps.exe
File opened for modification C:\Windows\SysWOW64\mscaps.exe wtmps.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe
File opened for modification	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

65791fb5028800be7a2be147b5363400_NeikiAnalytics.exeWdExt.exelaunch.exe

pid	process
4868	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe
4868	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe
2040	WdExt.exe
2040	WdExt.exe
4296	launch.exe
4296	launch.exe
4296	launch.exe
4296	launch.exe
4296	launch.exe
4296	launch.exe
4296	launch.exe
4296	launch.exe
4296	launch.exe
4296	launch.exe
4296	launch.exe
4296	launch.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

65791fb5028800be7a2be147b5363400_NeikiAnalytics.execmd.exeWdExt.execmd.exelaunch.execmd.exewtmps.exe

description	pid	process	target process
PID 4868 wrote to memory of 2920	4868	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe	cmd.exe
PID 4868 wrote to memory of 2920	4868	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe	cmd.exe
PID 4868 wrote to memory of 2920	4868	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe	cmd.exe
PID 4868 wrote to memory of 2440	4868	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe	cmd.exe
PID 4868 wrote to memory of 2440	4868	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe	cmd.exe
PID 4868 wrote to memory of 2440	4868	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe	cmd.exe
PID 2920 wrote to memory of 2040	2920	cmd.exe	WdExt.exe
PID 2920 wrote to memory of 2040	2920	cmd.exe	WdExt.exe
PID 2920 wrote to memory of 2040	2920	cmd.exe	WdExt.exe
PID 2040 wrote to memory of 4912	2040	WdExt.exe	cmd.exe
PID 2040 wrote to memory of 4912	2040	WdExt.exe	cmd.exe
PID 2040 wrote to memory of 4912	2040	WdExt.exe	cmd.exe
PID 4912 wrote to memory of 4296	4912	cmd.exe	launch.exe
PID 4912 wrote to memory of 4296	4912	cmd.exe	launch.exe
PID 4912 wrote to memory of 4296	4912	cmd.exe	launch.exe
PID 4296 wrote to memory of 5008	4296	launch.exe	cmd.exe
PID 4296 wrote to memory of 5008	4296	launch.exe	cmd.exe
PID 4296 wrote to memory of 5008	4296	launch.exe	cmd.exe
PID 5008 wrote to memory of 3580	5008	cmd.exe	wtmps.exe
PID 5008 wrote to memory of 3580	5008	cmd.exe	wtmps.exe
PID 5008 wrote to memory of 3580	5008	cmd.exe	wtmps.exe
PID 3580 wrote to memory of 2876	3580	wtmps.exe	mscaps.exe
PID 3580 wrote to memory of 2876	3580	wtmps.exe	mscaps.exe
PID 3580 wrote to memory of 2876	3580	wtmps.exe	mscaps.exe

C:\Users\Admin\AppData\Local\Temp\65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2920

C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4912

C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 2040
5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Users\Admin\AppData\Local\Temp\wtmps.exe
"C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\mscaps.exe
"C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
8⤵
- Executes dropped EXE
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
2⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2F58.tmp

Filesize
406B

MD5
37512bcc96b2c0c0cf0ad1ed8cfae5cd

SHA1
edf7f17ce28e1c4c82207cab8ca77f2056ea545c

SHA256
27e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f

SHA512
6d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtmps.exe

Filesize
276KB

MD5
75c1467042b38332d1ea0298f29fb592

SHA1
f92ea770c2ddb04cf0d20914578e4c482328f0f8

SHA256
3b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373

SHA512
5c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

Filesize
172KB

MD5
daac1781c9d22f5743ade0cb41feaebf

SHA1
e2549eeeea42a6892b89d354498fcaa8ffd9cac4

SHA256
6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c

SHA512
190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
65791fb5028800be7a2be147b5363400

SHA1
e1780566adbaa93ceca2e879840cce86f19e4536

SHA256
9d9629dc6f6ece6615f80b629f7944a33b9fc1fb8ebaf2e64ae8e053e76fdcb3

SHA512
4856d274b4672a2b6a5490e6ff1c135b805097b724ca86808118e85bfaeb30d99c7a016c05be4faa596953aa79834d8c8c9e50977cfec70ee2c3f9ff71b8dbda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
c1525bbade3ea78ccf846f09d3a132b1

SHA1
43ca48fad74e0c39fbdfffc623af18b2b030e705

SHA256
c132431350d276377392fe3e8f4298ce5be1b2cdf053539ec77b4877922dc11c

SHA512
9e5345636906176fed3f3cd5d3a239947cf705ce01943129348529d5947aa2b70514b44f68071fe5a478b1381c682666460a301b47a7334409b5de53fbbf5601

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
102B

MD5
1d68f046cd6a9197038fb2445d2bea05

SHA1
d8dca54cfa0b2ad404bce32d5d94634bcfc9b2d7

SHA256
9cddd4b2ac719f01052deef3aa558fbfbcd21d5728215651345c3d2b9ba250d9

SHA512
2720d071fd02b2cf0d9f1de8dd19117fd128f213dd7f66fa8adb00d7873a5de58d2f2618100d28eec85db707d9e34d20258f9a1f76acf75fe668e66722e1cc4c

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
268B

MD5
ce83ab2dfe2e8b399c3d812ad8efe5d3

SHA1
dc67585ae14361030b65db227b5ca6073f1383e4

SHA256
4c6b44b19a63040bbe7df84a353ef204c57a5d7843f7bb3e3460e70b1948bfa0

SHA512
24276740c7a6c8d004f09318ba1a654eb62db66253ce4c65ae807873808712bd9bd096d16a8701ed1c3389105429e99df2439e99689108042f75b695d26e4153

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
126B

MD5
b09987426dabcbdcfc8bd8c3039dbcf7

SHA1
cb4637d9dfe5e1ad255aaf8d327e666c988eebb9

SHA256
96543cd9dab21b63dc62bab640e3c67e67f6a78501a5c5ecced8654bc5f0cde7

SHA512
238c3caf93ad19de8468eada73a2fd41266eee8caf21638e65c327aade7601574a16a6f01f64fdd1544c28bcde372cac80e7f27257c68722e594ba873faff73d

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
388KB

MD5
e1e47695a0b98432911311352b63eaed

SHA1
836142e550301e0fc13c1a047aae5a2f4481d7cd

SHA256
c67ed34d9254b31e611ee830125c3f2572a1e686f82deb69e1580fb9a4614cd0

SHA512
da49234ee2e1d8f9956ba59d4a49fe04d3ab154f5dd60cf7a6c72e9d42defe8a4b0aeb38845444fe3a8d9c80976467d2101f7c992a48f98f6a9317d0e61ca961

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
388KB

MD5
8d7db101a7211fe3309dc4dc8cf2dd0a

SHA1
6c2781eadf53b3742d16dab2f164baf813f7ac85

SHA256
93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a

SHA512
8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

Download Submit
C:\Windows\SysWOW64\mscaps.exe

Filesize
200KB

MD5
78d3c8705f8baf7d34e6a6737d1cfa18

SHA1
9f09e248a29311dbeefae9d85937b13da042a010

SHA256
2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905

SHA512
9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609

Download Submit
memory/4868-0-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download