6c33d47077ac155500f11a255f47f2b5c7a71ba08e3368efdb09b35126381b69

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 05:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7321fb4b0b89ebfcd48b4ae338597d70_NeikiAnalytics.exe
Size

37KB
MD5

7321fb4b0b89ebfcd48b4ae338597d70
SHA1

4523d640648cc9274b92efca5f33f284822810a2
SHA256

6c33d47077ac155500f11a255f47f2b5c7a71ba08e3368efdb09b35126381b69
SHA512

a067b570aafc15244762a15f23a27cdc7ff2dbfaefee2e752814ba20c4035b75134b8ffe41f00d6dc8455a1e8252f800ba3246cd8e91dd7f1b4a44781b263bb3
SSDEEP

768:cQv/YOZIgQtz8GEkT9oe2lxNCuxE3u89MtdEI2MyzNORQtOflIwoHNM2XBFV7WBT:Nv/pZIgQtz8GEkT9oe2lxNCEE3tMtdEy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	7321fb4b0b89ebfcd48b4ae338597d70_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
1944	hromi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1944	1132	7321fb4b0b89ebfcd48b4ae338597d70_NeikiAnalytics.exe	93
PID 1132 wrote to memory of 1944	1132	7321fb4b0b89ebfcd48b4ae338597d70_NeikiAnalytics.exe	93
PID 1132 wrote to memory of 1944	1132	7321fb4b0b89ebfcd48b4ae338597d70_NeikiAnalytics.exe	93

C:\Users\Admin\AppData\Local\Temp\7321fb4b0b89ebfcd48b4ae338597d70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7321fb4b0b89ebfcd48b4ae338597d70_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Local\Temp\hromi.exe
  "C:\Users\Admin\AppData\Local\Temp\hromi.exe"
  2⤵
  - Executes dropped EXE
  PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hromi.exe

Filesize
37KB

MD5
bf3c20ffeb191b0d92155a091f4f8d9e

SHA1
f3e5c7dcc47c034e4f2e6e3760bd195eec4fefe6

SHA256
c9f1a28e4cfd3afa4c60589c5f38614db773223ca9d6614f3b4f7622c27430f7

SHA512
559ace4b87c993cdfe8db0db8ae6928f94a1ab31f754e5b25292fe8a60597038b1ac0b3edb909718a5db7889e3a069303851713ca0e45ae925469aba19b8113d

Download Submit
memory/1132-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1132-1-0x0000000002090000-0x0000000002096000-memory.dmp

Filesize
24KB

Download
memory/1132-2-0x0000000002090000-0x0000000002096000-memory.dmp

Filesize
24KB

Download
memory/1132-3-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1944-19-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1944-27-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/1944-30-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download