Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
25/05/2024, 01:10
Behavioral task
behavioral1
Sample
edfbc0c5073f338dac135558b5421d20_NeikiAnalytics.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
edfbc0c5073f338dac135558b5421d20_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
edfbc0c5073f338dac135558b5421d20_NeikiAnalytics.exe
-
Size
99KB
-
MD5
edfbc0c5073f338dac135558b5421d20
-
SHA1
2f195b2a03b132b981f4d27c53d239da7ee9ab36
-
SHA256
65a253187fe1060de4a7ba0e2efbaee4836630264c5cb6501438f15b9680e577
-
SHA512
fea8098fac0de161d0c2cda663d6bef3c0dcb0d18c3e0b05cce98639a8c3661a1661b1d11916db66e4b31b874c21e6d858370884b284525c899a2c5f205f498a
-
SSDEEP
1536:4Cd+qitb0bt+FTCQ2j9EvHsdX+u1X20n2eN6wrBXBuOX8pK6fXU:H4b0hR9EE1+u1X2q2e3rB
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
Process: edfbc0c5073f338dac135558b5421d20_NeikiAnalytics.exe -
Executes dropped EXE 1 IoCs
pid: 860
Process: conwurm.exe -
resource / yara_rule:
behavioral2/memory/3560-0-0x0000000000400000-0x0000000000415000-memory.dmp upx
behavioral2/files/0x000c0000000233be-7.dat upx
behavioral2/memory/860-10-0x0000000000400000-0x0000000000415000-memory.dmp upx
behavioral2/memory/3560-12-0x0000000000400000-0x0000000000415000-memory.dmp upx
behavioral2/memory/860-15-0x0000000000400000-0x0000000000415000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description / pid / Process / procid_target:
PID 3560 wrote to memory of 860 | 3560 | edfbc0c5073f338dac135558b5421d20_NeikiAnalytics.exe | 82
PID 3560 wrote to memory of 860 | 3560 | edfbc0c5073f338dac135558b5421d20_NeikiAnalytics.exe | 82
PID 3560 wrote to memory of 860 | 3560 | edfbc0c5073f338dac135558b5421d20_NeikiAnalytics.exe | 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\edfbc0c5073f338dac135558b5421d20_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\edfbc0c5073f338dac135558b5421d20_NeikiAnalytics.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Users\Admin\AppData\Local\Temp\conwurm.exe (child of PID 3560)
Command line: "C:\Users\Admin\AppData\Local\Temp\conwurm.exe"
- Executes dropped EXE
PID:860
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
99KB
MD5 6051e1f067420b0f52909ccfeff3ba76
SHA1 fcf809976a0bbd116841b50b5915d16d53812c90
SHA256 e197735cb2a55a5c034d4696ae31e477d61094e751f5fefec75ee5d8fedfd5d7
SHA512 4bbb36fff40f5e30a6d843d457ce79940c00904736d2082571b18897e4904020130d935149aae4dba1895b5a05658b53f236f1b46d49679784b00402fee91d6d