d26da5d824f993aba49294e220c3bc4db6555299ba173cce8b1b5c2fdc384963

Analysis

max time kernel
132s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

633449cfe2b1d2ffc9af1b5dadaaf310_NeikiAnalytics.exe
Size

48KB
MD5

633449cfe2b1d2ffc9af1b5dadaaf310
SHA1

10a08fff4369258e05cf9ad96da7a60181fe4fc2
SHA256

d26da5d824f993aba49294e220c3bc4db6555299ba173cce8b1b5c2fdc384963
SHA512

95f98cefb66bf1e0f5a8f7859c2bf5fab011549d86b75b363a12e1904b1c1f97a4058f739e2b6a93a067242eab054a9ca74d0d8f46255e2f7d2400de8e0ae38c
SSDEEP

768:dD2oV2AJblQRNLzFrSNTVebqxjxMQhMk6Cr3H3g:dCoVXGRTuhBxj/hH3Hw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

633449cfe2b1d2ffc9af1b5dadaaf310_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	633449cfe2b1d2ffc9af1b5dadaaf310_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

supdater.exe

pid process

2856 supdater.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2856	supdater.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

633449cfe2b1d2ffc9af1b5dadaaf310_NeikiAnalytics.exe

description	pid	process	target process
PID 3900 wrote to memory of 2856	3900	633449cfe2b1d2ffc9af1b5dadaaf310_NeikiAnalytics.exe	supdater.exe
PID 3900 wrote to memory of 2856	3900	633449cfe2b1d2ffc9af1b5dadaaf310_NeikiAnalytics.exe	supdater.exe
PID 3900 wrote to memory of 2856	3900	633449cfe2b1d2ffc9af1b5dadaaf310_NeikiAnalytics.exe	supdater.exe

C:\Users\Admin\AppData\Local\Temp\633449cfe2b1d2ffc9af1b5dadaaf310_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\633449cfe2b1d2ffc9af1b5dadaaf310_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\supdater.exe
"C:\Users\Admin\AppData\Local\Temp\supdater.exe"
2⤵
- Executes dropped EXE
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\supdater.exe

Filesize
48KB

MD5
76d8b3e842aed981df14ec40282100fa

SHA1
a066cc2e3e0efeea9d056e11582554541fe315f2

SHA256
79349f7ba51d7965937a04425e19e47f58e680685ec2711b44ef829a95dc6ca1

SHA512
0b68bc756f9c0dc4006491d333079eff318108ebe1b4a1c5c34b4028366471423a5a257d52bb0732de9b71e482abca7e9f0c83bf0a5030b5eea1c264339b806e

Download Submit
memory/2856-9-0x0000000000500000-0x0000000000507000-memory.dmp

Filesize
28KB

Download
memory/3900-1-0x0000000000501000-0x0000000000502000-memory.dmp

Filesize
4KB

Download