Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/05/2024, 22:10

General

  • Target

    27f7cacd5988bfbc08cfdf11f9a30cd0_NeikiAnalytics.exe

  • Size

    53KB

  • MD5

    27f7cacd5988bfbc08cfdf11f9a30cd0

  • SHA1

    bb50d8f49e88eeaf34db2aa15fcaa5e08866be6f

  • SHA256

    5664067697ffb038fb997f5dc88a4378eb1f5c7ec2c9329657529c0ed9801fb3

  • SHA512

    c35c126c451af47404f9bf28426e7e29ec74ab4345976f2397f268ce2455a8461d044d3fc478e26137bd6f4d8c3d97dd22cd76706cfb33846d2d2e36a5634445

  • SSDEEP

    1536:vN+g8r8Q6VcLX17Kp3StjEMjmLM3ztDJWZsXy4JzxPME:TVcZJJjmLM3zRJWZsXy4Jt

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27f7cacd5988bfbc08cfdf11f9a30cd0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\27f7cacd5988bfbc08cfdf11f9a30cd0_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:8
    • C:\Users\Admin\nsmiag.exe
      "C:\Users\Admin\nsmiag.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:952

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\nsmiag.exe

          Filesize

          53KB

          MD5

          0657886ed27879c43d2942dda2eed623

          SHA1

          952ba7378b50bb233f7344e8333c25913aafe3f3

          SHA256

          5a84dd3b328c40a10d63d8383df6f9c74f1f020515fcc1872d72efaf558df2fc

          SHA512

          2350a1f523c592dff001b8dd1feae74267e35df704dff25cf81ca1a928a4b5c4ec22d2dbcffe622a0fdb140a68aa883cab0e4601d943d9afc7965abad5de6b7b

        • memory/8-0-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/952-33-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB