a537775693835bcb7faf5df32a53cc4b0e13ca1ad654b9d4ecb594783e5c70f9

Analysis

max time kernel
135s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

815e66cd30f5cf0e569245cd9408e940_NeikiAnalytics.exe
Size

280KB
MD5

815e66cd30f5cf0e569245cd9408e940
SHA1

344adc99cc2e69d748cba72d0c27cae203534a7d
SHA256

a537775693835bcb7faf5df32a53cc4b0e13ca1ad654b9d4ecb594783e5c70f9
SHA512

e70583b1e5254ea0cdc9b8642a0aa9af41162207bfaf5661f0c419a939f9ea0a51415231ffd9ee6e038bd647725a8660f41ec7a397edf053fda8c6d2c657e1a4
SSDEEP

6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfo:boSeGUA5YZazpXUmZhZ6S5

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

815e66cd30f5cf0e569245cd9408e940_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	815e66cd30f5cf0e569245cd9408e940_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

a1punf5t2of.exe

pid process

540 a1punf5t2of.exe

pid	process
540	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

815e66cd30f5cf0e569245cd9408e940_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	815e66cd30f5cf0e569245cd9408e940_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

815e66cd30f5cf0e569245cd9408e940_NeikiAnalytics.exea1punf5t2of.exe

description	pid	process	target process
PID 3988 wrote to memory of 540	3988	815e66cd30f5cf0e569245cd9408e940_NeikiAnalytics.exe	a1punf5t2of.exe
PID 3988 wrote to memory of 540	3988	815e66cd30f5cf0e569245cd9408e940_NeikiAnalytics.exe	a1punf5t2of.exe
PID 3988 wrote to memory of 540	3988	815e66cd30f5cf0e569245cd9408e940_NeikiAnalytics.exe	a1punf5t2of.exe
PID 540 wrote to memory of 2088	540	a1punf5t2of.exe	a1punf5t2of.exe
PID 540 wrote to memory of 2088	540	a1punf5t2of.exe	a1punf5t2of.exe
PID 540 wrote to memory of 2088	540	a1punf5t2of.exe	a1punf5t2of.exe

C:\Users\Admin\AppData\Local\Temp\815e66cd30f5cf0e569245cd9408e940_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\815e66cd30f5cf0e569245cd9408e940_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
3⤵
PID:2088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
Filesize
280KB

MD5
21536d4bdd37c06530953577e932960e

SHA1
924c893b178466f3b7f0edeabaf3684aca055940

SHA256
741cb464e7b0d73afdfcfb32c2b7a6fd5a6a75956f5e8e5b25b530c1dee1c9af

SHA512
893cbc4b1b70684c2b26706378d46fea211570ed61016aabce87e9dfd052258f4f8a210e49ab9ab1235a4366fe20d8329d67b81dc094dee333417c917f2c61d9

Download Submit
memory/540-19-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/540-17-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/540-20-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/540-21-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/540-23-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/3988-0-0x0000000074662000-0x0000000074663000-memory.dmp

Filesize
4KB

Download
memory/3988-1-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/3988-2-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/3988-3-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/3988-18-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download