Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 01:10

General

  • Target

    69eb360aef9981cc408159809ea10360_NeikiAnalytics.exe

  • Size

    40KB

  • MD5

    69eb360aef9981cc408159809ea10360

  • SHA1

    cb45b92fbf9483df6f2b10565bf5e709a569399c

  • SHA256

    61acb6fc65d8b24d20e36ffd821c7fee15bd2830089224804939e8ac824ef6f7

  • SHA512

    99df5eb73275e8d5a04bab7f340b94ba2672281387089f43588e0b5b7e0810670275ba398c336949b429cc406a34b6729984971b372dc39018d319991cfe8322

  • SSDEEP

    768:cnfko/XychRmMp8F9bdHXtHs7CQpcdHoCCvc:ccK3b8F95NWee1vc

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69eb360aef9981cc408159809ea10360_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\69eb360aef9981cc408159809ea10360_NeikiAnalytics.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Users\Admin\Admin.exe
      "C:\Users\Admin\Admin.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Admin.exe

    Filesize

    40KB

    MD5

    89116ed71d172a16c5d87eb5b0d7c677

    SHA1

    dd48b01cd66ffed2e11a4f1f20f18d17276abce1

    SHA256

    43f47b73f963390934321e9b384f4b569cd1d695c0c54293279757ef7318b9a1

    SHA512

    f47306589640fb3d538636a7b608734c2c5a482a46245830e571ffa6bd05f68c9e8249e369fdb92bb9697401f85e0f9b678980567c0234df1defc6988fb52c5c