40abd5657434ae3a13d0991e79459f0bfcc3c971b91781facf9581578bf440a7

Analysis

max time kernel
131s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d6bfb1fe0e4f4f6402b836099f80490_NeikiAnalytics.exe
Size

55KB
MD5

0d6bfb1fe0e4f4f6402b836099f80490
SHA1

82e54970268b054bd814565c7256e83db348b7a9
SHA256

40abd5657434ae3a13d0991e79459f0bfcc3c971b91781facf9581578bf440a7
SHA512

593174fc25324f84043a90825a05975ec38f1f6d08c8860e2de1cc4062eae54c019d72fe76a409d065e10527550188f09605c35a0497539814b38f48d1863cb3
SSDEEP

768:r8eRH+MlFh0pDpuJ84WEi+U6sh7iQroCHmyf+RjFBSuB2XpfsQC:r9l+W8xFt6sh7iQroCoRB0u0sQC

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0d6bfb1fe0e4f4f6402b836099f80490_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
4136	bkgrnd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/780-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x000700000002328e-7.dat	upx
behavioral2/memory/780-11-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4136-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 4136	780	0d6bfb1fe0e4f4f6402b836099f80490_NeikiAnalytics.exe	82
PID 780 wrote to memory of 4136	780	0d6bfb1fe0e4f4f6402b836099f80490_NeikiAnalytics.exe	82
PID 780 wrote to memory of 4136	780	0d6bfb1fe0e4f4f6402b836099f80490_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\0d6bfb1fe0e4f4f6402b836099f80490_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0d6bfb1fe0e4f4f6402b836099f80490_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\bkgrnd.exe
  "C:\Users\Admin\AppData\Local\Temp\bkgrnd.exe"
  2⤵
  - Executes dropped EXE
  PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bkgrnd.exe

Filesize
55KB

MD5
278a6fc6ae3838fe84d7c78d7f940524

SHA1
679972054ac729f6c697c3a7b87ee08eaced3ab6

SHA256
98c2128603b5854c11bf78350e1d59d5f6321557385254803e7abf8fa8ee8c38

SHA512
a85669c7923713078c520f8ca75d46370dc2225ca1834d1588970a5ea70082a9a189fe26fd0b28c2b5010de27a05d82d5f1ed4f8a8954ea49b84f622cb5702ce

Download Submit
memory/780-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/780-2-0x0000000004000000-0x0000000004006000-memory.dmp

Filesize
24KB

Download
memory/780-1-0x0000000004000000-0x0000000004006000-memory.dmp

Filesize
24KB

Download
memory/780-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4136-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download