Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26-05-2024 03:41
Static task
static1
Behavioral task
behavioral1
Sample
5d97daddfa429ed46259241bc577bbf0_NeikiAnalytics.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
5d97daddfa429ed46259241bc577bbf0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
5d97daddfa429ed46259241bc577bbf0_NeikiAnalytics.exe
-
Size
46KB
-
MD5
5d97daddfa429ed46259241bc577bbf0
-
SHA1
472a2e1cc4cbe651417e127c23a20ea5c4c06cad
-
SHA256
5aab99c218ad846611775be3cdac8574245811dc94de322857b1dfb18a97c072
-
SHA512
3602ffa19d9f441709e26d4c8ed4e7d96d777bc5588509b8d7ff037683e895f396de62628b95f32649ae0d3ce82d84e0d1cc35fb1aa717513268ba4123a377ad
-
SSDEEP
384:ODIg+GkEkTfjJGRKthVGQMkqFfJokrvGB5vuv8rHVtsmln08ICHDuAYn1VCzLqE4:OIHfj3hVSRJt+UaVtN908DHDNzNRnC4g
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 5d97daddfa429ed46259241bc577bbf0_NeikiAnalytics.exe -
Executes dropped EXE 1 IoCs
pid Process 1932 wefi.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3088 wrote to memory of 1932 3088 5d97daddfa429ed46259241bc577bbf0_NeikiAnalytics.exe 85 PID 3088 wrote to memory of 1932 3088 5d97daddfa429ed46259241bc577bbf0_NeikiAnalytics.exe 85 PID 3088 wrote to memory of 1932 3088 5d97daddfa429ed46259241bc577bbf0_NeikiAnalytics.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d97daddfa429ed46259241bc577bbf0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5d97daddfa429ed46259241bc577bbf0_NeikiAnalytics.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Users\Admin\AppData\Local\Temp\wefi.exe"C:\Users\Admin\AppData\Local\Temp\wefi.exe"2⤵
- Executes dropped EXE
PID:1932
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46KB
MD519eb71470ed5ccd0c632e38ab6eeaf82
SHA18f9c15c2a5bf365e292220be67986de5806154a9
SHA256e4e86a4abaf846c0650617294b9421ce6cc2f0515731839c199233c15cfe3c6f
SHA5124c05d525f4d2779b5ceb71fb1265c69e0b0f8abe7b6dcd97c8bf401012be0f1025c09c1d96c6b027b573a8d026af98ae22dc816259685cedddd544332da00d11