07e630d14acf3ace10f12ceefd2b636e1d59cddcd22586866f20018887fbfe07

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fe78063d28d0c8990130412eb66aa30_NeikiAnalytics.exe
Size

50KB
MD5

5fe78063d28d0c8990130412eb66aa30
SHA1

16b6b232372ad962b0247585e6cc97f8c7b3483a
SHA256

07e630d14acf3ace10f12ceefd2b636e1d59cddcd22586866f20018887fbfe07
SHA512

7fbeab937d4185a1c446e0c0b4fb9e3a9879babeec2c6dc568b82b57a000a233ca8ca6de845b4b0727ce3bfe8f2d8b861a2b885980da34fe2175623934053cd2
SSDEEP

1536:720V7wdS0P79Jc78x+pu9fWWq53soCjRRMo5Nd5SHQ:7Z9wdV79JXMpu9fWWq53sb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5fe78063d28d0c8990130412eb66aa30_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	5fe78063d28d0c8990130412eb66aa30_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

wefujn.exe

pid process

5108 wefujn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5108	wefujn.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5fe78063d28d0c8990130412eb66aa30_NeikiAnalytics.exe

description	pid	process	target process
PID 2840 wrote to memory of 5108	2840	5fe78063d28d0c8990130412eb66aa30_NeikiAnalytics.exe	wefujn.exe
PID 2840 wrote to memory of 5108	2840	5fe78063d28d0c8990130412eb66aa30_NeikiAnalytics.exe	wefujn.exe
PID 2840 wrote to memory of 5108	2840	5fe78063d28d0c8990130412eb66aa30_NeikiAnalytics.exe	wefujn.exe

C:\Users\Admin\AppData\Local\Temp\5fe78063d28d0c8990130412eb66aa30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5fe78063d28d0c8990130412eb66aa30_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\wefujn.exe
  "C:\Users\Admin\AppData\Local\Temp\wefujn.exe"
  2⤵
  - Executes dropped EXE
  PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wefujn.exe

Filesize
50KB

MD5
ef71edf7740dbbd5c37422981c408c00

SHA1
dff33e55736cad8434b70335a0a034bd50f5e98c

SHA256
3c02661d34f2cbf73c7e380deb6b4ad47ccba0ba15c38d1d0cdd637ecb65a723

SHA512
dc24f3bdc48d3d13063239346aefda3583ef24e405a735cdff04b8fc165cebd52599c4f6049c9b8c5c6d079c558f3dd564061f0dd439dd65f2c1bfe6a0598f2e

Download Submit
memory/2840-0-0x0000000004000000-0x0000000004010000-memory.dmp

Filesize
64KB

Download