028a3aa792b60c7c5c4b4c2db190312a9ff8bbb5a51b7d8bdd011b7584f7faf9

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 15:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1437407d51e326ea1e5b71045fa1e0e0_NeikiAnalytics.exe
Size

42KB
MD5

1437407d51e326ea1e5b71045fa1e0e0
SHA1

15f4557b47391c00e7e48bebd586c61379f30af5
SHA256

028a3aa792b60c7c5c4b4c2db190312a9ff8bbb5a51b7d8bdd011b7584f7faf9
SHA512

09da460c6c964205e67673304f3a0a704f15dfa6d64a5b065e7f1340581bc1e65c7730ac76de40118b7ca2a768b56e27ec89ec5b6d04064d65ac4b3c998b0298
SSDEEP

768:gQUGQ9WD4iWhdzv0pu9fWWe53EnFutwJN/OcD:0GQXh+pu9fWWe533cD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	1437407d51e326ea1e5b71045fa1e0e0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
2816	bneu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 2816	3376	1437407d51e326ea1e5b71045fa1e0e0_NeikiAnalytics.exe	82
PID 3376 wrote to memory of 2816	3376	1437407d51e326ea1e5b71045fa1e0e0_NeikiAnalytics.exe	82
PID 3376 wrote to memory of 2816	3376	1437407d51e326ea1e5b71045fa1e0e0_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\1437407d51e326ea1e5b71045fa1e0e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1437407d51e326ea1e5b71045fa1e0e0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Users\Admin\AppData\Local\Temp\bneu.exe
  "C:\Users\Admin\AppData\Local\Temp\bneu.exe"
  2⤵
  - Executes dropped EXE
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bneu.exe

Filesize
42KB

MD5
942e5b818d3409155937180f266299c0

SHA1
bf27cf9640b888b19c643bb628d56484d3808565

SHA256
d1c409f3ec915d4c3fb8c770ebc91cfcac33505ecd782aaf24a727cb909f49f8

SHA512
5f4664cb07a137d1f408d98ce4ceb834b210c352fb93fcb152ee3fd3cfa8331cf4a9aad2276f5d11b4653b71daf961e183da7db4dfbcef64b5476a0f96899e70

Download Submit
memory/3376-0-0x0000000004000000-0x0000000004010000-memory.dmp

Filesize
64KB

Download