Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/05/2024, 22:36

General

  • Target

    2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe

  • Size

    260KB

  • MD5

    2c14a3a6536396c74da88adc5a0b5510

  • SHA1

    3e1ed76d1c87e82be436bd0d7937f10f736f26f8

  • SHA256

    209f663bf3a0860ca4bc2b5e6b565053f8e0235405cfa8f365aced9cdad656fa

  • SHA512

    c1eb3b2d71bbdceaff2327a6aef50ecde07548cf1d5c8c334f268d9139c4023f86ef2cf086229f34117401315e263d1d83aa214fbf7be456d03d9fa5d0788086

  • SSDEEP

    3072:ogfAlNg/vh25n/kZoSUjMqXnpWAkpAmTSrMaIOYt/jo7LAtPhjjtZnfHFEoWBfGs:odVgTSrMaIl/jcLijfHFEHWzXvjT85R

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3808
    • C:\Users\Admin\xaedo.exe
      "C:\Users\Admin\xaedo.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4824

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\xaedo.exe

          Filesize

          260KB

          MD5

          f30de60cbc3cb2e3bf14ef21d706a9e7

          SHA1

          076ed9140186efdd090324160b33ddd4681ed86c

          SHA256

          95df23ffb5933ab10a1a00963839a9e58e3880d711b206eb107bc1395e3127b5

          SHA512

          345a19c8ead86ebc319e397326f7208f8ab320c7cffceb118d89f5d57224438bc261e716cc34185d5694d58cfb67109297f4bd1c1ce627588adf34d9d173f646