Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/05/2024, 12:11
Static task: static1
Behavioral task: behavioral1
  Sample: c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
Size: 78KB
MD5: c63b49da763fd0470e4ab20c99307850
SHA1: be94bebff9f438defcb55738dfd7941abf90cf9b
SHA256: 0b40b8fb59834f4cf3a5a3a21b3cfbc1154edbd61164f99ff07c2a39433771d9
SHA512: 847a78e7c3a196dadd3b78b6e38f95389b519c2cd3ec9f0f3ff6cd67e4ffccf5bee6a15a768ad524e1b8a8176022c1dbd9e570ef564e46e53a1deeb8f0fff56f
SSDEEP: 768:EflihXrHKpVhKvtxwYHwVFoeAQDmucwUbfVAThsf4vvvWTDoNMl:6lsrHKprVuQDofVAhNO
Malware Config
Extracted
  Protocol: ftp
  Host: ftp.tripod.com
  Port: 21
  Username: onthelinux
  Password: 741852abc
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
  Process: c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
Executes dropped EXE (1 IoC)
  pid: 2748
  Process: jusched.exe
Drops file in Program Files directory (2 IoCs)
  description: File created
  ioc: C:\Program Files (x86)\165ef51d\jusched.exe
  Process: c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
  description: File created
  ioc: C:\Program Files (x86)\165ef51d\165ef51d
  Process: c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 2748
  Process: jusched.exe
  (the same pid/process entry is listed 64 times)
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3856 wrote to memory of 2748
  pid: 3856
  Process: c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
  procid_target: 90
  (the same entry is listed 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe"
  PID: 3856
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\165ef51d\jusched.exe (depth 2, spawned under the process above)
    Command line: "C:\Program Files (x86)\165ef51d\jusched.exe"
    PID: 2748
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 13B
  MD5: f253efe302d32ab264a76e0ce65be769
  SHA1: 768685ca582abd0af2fbb57ca37752aa98c9372b
  SHA256: 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd
  SHA512: 1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4
File 2
  Filesize: 78KB
  MD5: ff139e0b4ce49ca2b801b3922b24af1c
  SHA1: c420f25c25ccd9c59eff28e5815528363707f8e0
  SHA256: 27c0beb666b837c7e27503084e490095c9fec115214f6902bf5c283f8c4efbcb
  SHA512: b345b29702f69b16779a327909f8600535868fe4ce848c221e6e7e94c534bbacd8790b43b479c66e96663fa67c1947ec32e8d81af6de22cb1cda940d51c332e1