3690dac3d6bb606f549419ab7fb8d43106616187c055fa945c7ea822875fb491

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60b5a62f113507fc6d3603866e736150_NeikiAnalytics.exe
Size

33KB
MD5

60b5a62f113507fc6d3603866e736150
SHA1

93c725fcefd6065e3b0dd29e315533a7b6d966b9
SHA256

3690dac3d6bb606f549419ab7fb8d43106616187c055fa945c7ea822875fb491
SHA512

62a03a347e7816c7b97c53610f7aad94bfd73d7e227e7a5d66ab5babd9bf114780fee4fe805f0ea09996c5493820ed598bc4938f9d26abf0c115e7e0bd1bb806
SSDEEP

384:MApc8m4e0ovQak4JI341Cdabnk6hJPXA0i:MApQr0ovdFJI34/Tk6hJPXbi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60b5a62f113507fc6d3603866e736150_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	60b5a62f113507fc6d3603866e736150_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

sal.exe

pid process

4800 sal.exe
Drops file in System32 directory 1 IoCs

Processes:

60b5a62f113507fc6d3603866e736150_NeikiAnalytics.exe

description ioc process

File created \??\c:\windows\SysWOW64\sal.exe 60b5a62f113507fc6d3603866e736150_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4800	sal.exe

description	ioc	process
File created	\??\c:\windows\SysWOW64\sal.exe	60b5a62f113507fc6d3603866e736150_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

60b5a62f113507fc6d3603866e736150_NeikiAnalytics.exe

description	pid	process	target process
PID 4316 wrote to memory of 4800	4316	60b5a62f113507fc6d3603866e736150_NeikiAnalytics.exe	sal.exe
PID 4316 wrote to memory of 4800	4316	60b5a62f113507fc6d3603866e736150_NeikiAnalytics.exe	sal.exe
PID 4316 wrote to memory of 4800	4316	60b5a62f113507fc6d3603866e736150_NeikiAnalytics.exe	sal.exe

C:\Users\Admin\AppData\Local\Temp\60b5a62f113507fc6d3603866e736150_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\60b5a62f113507fc6d3603866e736150_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4316

C:\windows\SysWOW64\sal.exe
"C:\windows\system32\sal.exe"
2⤵
- Executes dropped EXE
PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sal.exe

Filesize
33KB

MD5
5719c01797a3146cf771f64e8f37bfda

SHA1
cfb4aea9d4d1688dbad6104b0eb6739198e6bfb8

SHA256
91ce81e0e2bbc58bd4160c0ee831c0f331c7ec08997bfe8d605117d3e531ef6f

SHA512
cdfb35a0dee50b8c0ca9f21c8fd1271672e9ce1eba4e140aa30d1d7f9f96f7a978707a9dfdd0c841a0eb4ae28c26d026dba644c968133c0d54550fab91bd66c9

Download Submit
memory/4316-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4316-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4800-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4800-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download