General
Target: 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe
Size: 336KB
Sample: 240524-sqpzsaaf78
MD5: 1abb16b7c5ee027bdbe4146ea7afe3a0
SHA1: 4d1cdf16ff56ebea28faf8c5b5adf9da03c98d48
SHA256: d24df945a8c781573c1a1172241ae9fc8fd8a8cca1e599754bac66b9a590ee0a
SHA512: 558ac04dcfb2f69a4ed7d61b6ea180f33c9b976569f2e51a79f866099376bcac41c9f6a7c7fccaa1607a5d5b7370e8f29f73aa3f5f7f7070614992b75237a4d0
SSDEEP: 6144:+FN336YMFYfVcT7/9ju3iuUtZhckmEAhzNKGQXHJxb780y2LFkN:q5n9W7/1tZhcIAhZKGQXHJxf8wLSN
Static task: static1
Behavioral task: behavioral1
  Sample: 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+wwcmj.txt
  http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/B1EFB6A41BC05B9A
  http://b4youfred5485jgsa3453f.italazudda.com/B1EFB6A41BC05B9A
  http://5rport45vcdef345adfkksawe.bematvocal.at/B1EFB6A41BC05B9A
  http://fwgrhsao3aoml7ej.onion/B1EFB6A41BC05B9A
  http://fwgrhsao3aoml7ej.ONION/B1EFB6A41BC05B9A
Extracted from: C:\PerfLogs\Recovery+asmal.txt
  http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/143076EF8371183B
  http://b4youfred5485jgsa3453f.italazudda.com/143076EF8371183B
  http://5rport45vcdef345adfkksawe.bematvocal.at/143076EF8371183B
  http://fwgrhsao3aoml7ej.onion/143076EF8371183B
  http://fwgrhsao3aoml7ej.ONION/143076EF8371183B
Targets
Target: 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe
- Deletes shadow copies: ransomware often targets backup files to inhibit system recovery.
- Renames multiple (373) files with an added filename extension: this suggests ransomware activity, encrypting all the files on the system.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application