9fb1d5e8ee06d114702e270ef7efa03a5202996a587191af9637d79b792c0207

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 02:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2df8761a5c741e0cb26751abe53f1a50_NeikiAnalytics.exe
Size

106KB
MD5

2df8761a5c741e0cb26751abe53f1a50
SHA1

f1e25be498d4e0a2880b22d97a1d3fed7b8576bf
SHA256

9fb1d5e8ee06d114702e270ef7efa03a5202996a587191af9637d79b792c0207
SHA512

988fc252d818cab365d39f36d4d31eb518d166a231f8dce7e60add686e086ee9f3f42bf9a9701b773c5c6d586fa75ecc12b99dc5894b468c557d83241dd06e6c
SSDEEP

1536:V7fPGy1jOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfzxy4Od:BnC+ouCpk2mpcWJ0r+QNTBfzm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	2df8761a5c741e0cb26751abe53f1a50_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 3328	3136	2df8761a5c741e0cb26751abe53f1a50_NeikiAnalytics.exe	81
PID 3136 wrote to memory of 3328	3136	2df8761a5c741e0cb26751abe53f1a50_NeikiAnalytics.exe	81
PID 3328 wrote to memory of 3824	3328	cmd.exe	84
PID 3328 wrote to memory of 3824	3328	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\2df8761a5c741e0cb26751abe53f1a50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2df8761a5c741e0cb26751abe53f1a50_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4016.tmp\4017.tmp\4018.bat C:\Users\Admin\AppData\Local\Temp\2df8761a5c741e0cb26751abe53f1a50_NeikiAnalytics.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\system32\iexpress.exe
    iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\hid.sed
    3⤵
    PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4016.tmp\4017.tmp\4018.bat

Filesize
1KB

MD5
da9a8db30b2193eb306fd377ddc09822

SHA1
2b14a8683d1faca6bd607d0ae398cb95c36ab6f5

SHA256
9a36afba88e927c8bb2a67791db72d7575c9b89639e7b5e265b49b965d1fa34f

SHA512
2055ae22207643f89e211db4272a7c8ef559535f8c5566098cceb0f05eaddf1f0a9e93f94b38885e10b715abae17ae33855b8dbbcc19a3c3db9aecda51ca5cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hid.sed

Filesize
106KB

MD5
d2ed9c15cd0a45de304fdce3815ce4d8

SHA1
643878a75a07ca8679d4a4cca07be5b458df6f41

SHA256
52d069ba56979567c507f8523376d61068d8e3c74a1c3eec0f9b7d986ef4173b

SHA512
339c34aca30907b9d990bf431f9bb2d000da5cb5d110b6aa6464e96c5302fcfa3bb5b8fff587bced0d1f65f14df2f875bdf99b2c1b347e4d625e6605e0eb366f

Download Submit
memory/3136-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3136-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download