fc901c6b656cd4dafdf3264c2a5c0542b6fbe88f11b1fcf2873d8ec93f52f133

Analysis

max time kernel
155s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe
Size

78KB
MD5

61d1290fa0f45f3c59763b2199e640f0
SHA1

7a93d74847707fd6298cab1b822ecccc1abaf91a
SHA256

fc901c6b656cd4dafdf3264c2a5c0542b6fbe88f11b1fcf2873d8ec93f52f133
SHA512

ba600b241c07805704d3ebf8173f5bc387b48864f02fff8b91f739d68f3891dc4c11f82562c1a9f19cf2efe4c193f509ec41727609cc0a20f6a664c728e36ab9
SSDEEP

1536:MDcfLfIb5Ep1uzgyXVdtnqHNWnnnJXXXcnGGGG1:MD2LTnuzgyXVd1mmXXXcd

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2248 attrib.exe

pid	process
2248	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

ouchost.exe

pid process

224 ouchost.exe

pid	process
224	ouchost.exe

Drops file in Windows directory 3 IoCs

Processes:

61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exeattrib.exe

description	ioc	process
File created	C:\Windows\Debug\ouchost.exe	61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Debug\ouchost.exe	61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Debug\ouchost.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ouchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ouchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ouchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe

description pid process

Token: SeIncBasePriorityPrivilege 2772 61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2772	61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe

description	pid	process	target process
PID 2772 wrote to memory of 2248	2772	61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe	attrib.exe
PID 2772 wrote to memory of 2248	2772	61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe	attrib.exe
PID 2772 wrote to memory of 2248	2772	61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe	attrib.exe
PID 2772 wrote to memory of 2560	2772	61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe	cmd.exe
PID 2772 wrote to memory of 2560	2772	61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe	cmd.exe
PID 2772 wrote to memory of 2560	2772	61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2248 attrib.exe

pid	process
2248	attrib.exe

C:\Users\Admin\AppData\Local\Temp\61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\61d1290fa0f45f3c59763b2199e640f0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\ouchost.exe
2⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:2248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\61D129~1.EXE > nul
2⤵
PID:2560

C:\Windows\Debug\ouchost.exe
C:\Windows\Debug\ouchost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\ouchost.exe
Filesize
78KB

MD5
93ce9cd3a3420325de47dc48a79a4010

SHA1
caf1d3135de423e3ae3a164f6a36f9a165603af9

SHA256
bd192b02b025e0884744b8f2c35c31a2f9fd19c42ca059b8838939c14e394bd0

SHA512
d66356125794c7fddff2b61d92c50cce741784bf308812a482730dfaabbb9d5d15355781c9c68e8ae7a3675354987dd55dd13e4a19c86f4c4e7ecfc67af4c0ce

Download Submit