Analysis
max time kernel: 141s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-05-2024 22:45
Static task: static1
Behavioral task: behavioral1
Sample: 2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe
Size: 270KB
MD5: 2dd4c7105c13ef07fba4aa155e081840
SHA1: e8d328c9e163490b0d22f781bc6fbaa481b97ad7
SHA256: 441e5e59d01f656d8cb69cf40ee60938e91f422c03b2556de953f811a839df92
SHA512: 53998bc7f2b227a63a559db41e2587d3e318667e1c9abeed937a10e0661bdfba1d34e70ca543ef45aa8d7311f56047cf483f61b0ed7221bca5245b578090f833
SSDEEP: 3072:Es2Fhz52XsaRmJ+w+JkAu/heWp0gaWOsGI7b8nrvD3UD7hLSe8140QYtJqUAsZ/3:WccymjqBW65YGIsnrAX14tOMF
Malware Config
Extracted: gcleaner
185.172.128.90
5.42.64.56
185.172.128.69
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe
description        ioc                                                                                                    process
Key value queried  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (11 IoCs)
Processes: WerFault.exe (11 instances)
pid   pid_target  process       target process
2160  4728        WerFault.exe  2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe
620   4728        WerFault.exe  2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe
1604  4728        WerFault.exe  2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe
4324  4728        WerFault.exe  2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe
3140  4728        WerFault.exe  2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe
1808  4728        WerFault.exe  2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe
3452  4728        WerFault.exe  2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe
640   4728        WerFault.exe  2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe
2156  4728        WerFault.exe  2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe
844   4728        WerFault.exe  2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe
1148  4728        WerFault.exe  2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe
Kills process with taskkill (1 IoC)
Processes: taskkill.exe
pid   process
1848  taskkill.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: taskkill.exe
description               pid   process
Token: SeDebugPrivilege   1848  taskkill.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe, cmd.exe
description                        pid   process                                              target process
PID 4728 wrote to memory of 1648   4728  2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe  cmd.exe
PID 4728 wrote to memory of 1648   4728  2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe  cmd.exe
PID 4728 wrote to memory of 1648   4728  2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe  cmd.exe
PID 1648 wrote to memory of 1848   1648  cmd.exe                                              taskkill.exe
PID 1648 wrote to memory of 1848   1648  cmd.exe                                              taskkill.exe
PID 1648 wrote to memory of 1848   1648  cmd.exe                                              taskkill.exe
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 452
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 484
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 740
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 768
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 768
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 784
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 912
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 980
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1032
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1360
      - Program crash

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe" & exit
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe
          taskkill /im "2dd4c7105c13ef07fba4aa155e081840_NeikiAnalytics.exe" /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1480
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4728 -ip 4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3936 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
file                                                              filesize
memory/4728-1-0x0000000002F60000-0x0000000003060000-memory.dmp    1024KB
memory/4728-2-0x0000000004A00000-0x0000000004A3C000-memory.dmp    240KB
memory/4728-3-0x0000000000400000-0x0000000000440000-memory.dmp    256KB
memory/4728-4-0x0000000000400000-0x0000000002CA2000-memory.dmp    40.6MB
memory/4728-6-0x0000000002F60000-0x0000000003060000-memory.dmp    1024KB
memory/4728-9-0x0000000004A00000-0x0000000004A3C000-memory.dmp    240KB
memory/4728-10-0x0000000000400000-0x0000000000440000-memory.dmp   256KB
memory/4728-12-0x0000000000400000-0x0000000000440000-memory.dmp   256KB
memory/4728-11-0x0000000000400000-0x0000000002CA2000-memory.dmp   40.6MB