b5fa7dfeb71455b8ef6082b6ab84375b495670ebc6593ee0ad30f3a5153b628e

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ed9c9232bb75eeaa7c25bd056029200_NeikiAnalytics.exe
Size

280KB
MD5

6ed9c9232bb75eeaa7c25bd056029200
SHA1

2c05eab97dadece4b1f66d9a0aaf43d80f6dd22a
SHA256

b5fa7dfeb71455b8ef6082b6ab84375b495670ebc6593ee0ad30f3a5153b628e
SHA512

a27c74002494282bd27ec8a1e90a5d2d0c682094bbb089aed4e09c91119e8401c3189a1c051d0963f7495919c882627ca4043377c5d6b2e68e304cb66665f81d
SSDEEP

6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfW:boSeGUA5YZazpXUmZhZ6S7

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6ed9c9232bb75eeaa7c25bd056029200_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	6ed9c9232bb75eeaa7c25bd056029200_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

a1punf5t2of.exe

pid process

3416 a1punf5t2of.exe

pid	process
3416	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6ed9c9232bb75eeaa7c25bd056029200_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	6ed9c9232bb75eeaa7c25bd056029200_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6ed9c9232bb75eeaa7c25bd056029200_NeikiAnalytics.exea1punf5t2of.exe

description	pid	process	target process
PID 4876 wrote to memory of 3416	4876	6ed9c9232bb75eeaa7c25bd056029200_NeikiAnalytics.exe	a1punf5t2of.exe
PID 4876 wrote to memory of 3416	4876	6ed9c9232bb75eeaa7c25bd056029200_NeikiAnalytics.exe	a1punf5t2of.exe
PID 4876 wrote to memory of 3416	4876	6ed9c9232bb75eeaa7c25bd056029200_NeikiAnalytics.exe	a1punf5t2of.exe
PID 3416 wrote to memory of 4920	3416	a1punf5t2of.exe	a1punf5t2of.exe
PID 3416 wrote to memory of 4920	3416	a1punf5t2of.exe	a1punf5t2of.exe
PID 3416 wrote to memory of 4920	3416	a1punf5t2of.exe	a1punf5t2of.exe

C:\Users\Admin\AppData\Local\Temp\6ed9c9232bb75eeaa7c25bd056029200_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6ed9c9232bb75eeaa7c25bd056029200_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4876

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
3⤵
PID:4920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
Filesize
280KB

MD5
8f28c746f408013207f3e769abdb9fd0

SHA1
41997f1e052fbb79e612babfdf6e725d7d3cd3ca

SHA256
7a426cb03acec26f6e773e35a7cb0e7da822ea66b3c81160c117d3cab56869c5

SHA512
5baac33d07baf3a905e83dc8d66b77aeb64e156dd8d50c547ae2c357ac5e1f84f08afd9f664a45d2bfd0d39ab9802231693dd61321890fdfa9ed164c1fb531e2

Download Submit
memory/3416-19-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/3416-18-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/3416-20-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/3416-22-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4876-0-0x00000000750F2000-0x00000000750F3000-memory.dmp

Filesize
4KB

Download
memory/4876-1-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4876-2-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4876-3-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download
memory/4876-17-0x00000000750F0000-0x00000000756A1000-memory.dmp

Filesize
5.7MB

Download