Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2024 22:30
Behavioral task: behavioral1
- Sample: 080084c285683066d6c5b41f76b3b430_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 080084c285683066d6c5b41f76b3b430_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 080084c285683066d6c5b41f76b3b430_NeikiAnalytics.exe
- Size: 205KB
- MD5: 080084c285683066d6c5b41f76b3b430
- SHA1: 524b4631a18e977c93c474c09b32f806129d165c
- SHA256: c4f30b93fd4341190482e6d81ac4bb149be4647dd994b0919e96c20312167004
- SHA512: a8561a0edc32d4f5d28942cabd5b6c45b8c666bceb6a0a983e1a90f34f91894598a3c056ae5d29a6d3b4db560ac5b6ae469cd10ed118799c605b7c9df5570edd
- SSDEEP: 3072:CXkSckkHbzG1iXAt60p0zuNmnKG7peNMQbuZAItb2y3xfpT:8kSDAzG1iciuInRexuZAIvx
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (process: 080084c285683066d6c5b41f76b3b430_NeikiAnalytics.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (process: rugen.exe)
Executes dropped EXE (3 IoCs)
Processes:
- PID 2072: rugen.exe
- PID 4036: rugen.exe
- PID 1028: rugen.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of WriteProcessMemory (27 IoCs)
Processes (each event below is recorded three times in the report, source process -> target process):
- PID 2428 wrote to memory of 2072: 080084c285683066d6c5b41f76b3b430_NeikiAnalytics.exe -> rugen.exe
- PID 2072 wrote to memory of 4904: rugen.exe -> schtasks.exe
- PID 2072 wrote to memory of 2632: rugen.exe -> cmd.exe
- PID 2632 wrote to memory of 2872: cmd.exe -> cmd.exe
- PID 2632 wrote to memory of 1812: cmd.exe -> cacls.exe
- PID 2632 wrote to memory of 3508: cmd.exe -> cacls.exe
- PID 2632 wrote to memory of 2856: cmd.exe -> cmd.exe
- PID 2632 wrote to memory of 1452: cmd.exe -> cacls.exe
- PID 2632 wrote to memory of 4248: cmd.exe -> cacls.exe
Processes (process tree; indentation shows depth)
- C:\Users\Admin\AppData\Local\Temp\080084c285683066d6c5b41f76b3b430_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\080084c285683066d6c5b41f76b3b430_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe" /F
          - Creates scheduled task(s)
        - C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rugen.exe" /P "Admin:N"&&CACLS "rugen.exe" /P "Admin:R" /E&&echo Y|CACLS "..\200f691d32" /P "Admin:N"&&CACLS "..\200f691d32" /P "Admin:R" /E&&Exit
          - Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            - C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "rugen.exe" /P "Admin:N"
            - C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "rugen.exe" /P "Admin:R" /E
            - C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            - C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "..\200f691d32" /P "Admin:N"
            - C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "..\200f691d32" /P "Admin:R" /E
- C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
  Filesize: 205KB
  MD5: 080084c285683066d6c5b41f76b3b430
  SHA1: 524b4631a18e977c93c474c09b32f806129d165c
  SHA256: c4f30b93fd4341190482e6d81ac4bb149be4647dd994b0919e96c20312167004
  SHA512: a8561a0edc32d4f5d28942cabd5b6c45b8c666bceb6a0a983e1a90f34f91894598a3c056ae5d29a6d3b4db560ac5b6ae469cd10ed118799c605b7c9df5570edd