549d541bd8fd123cf67b63b34f6dc0777d38cde63bd86e1383324c4fc9ba6f85

Analysis

max time kernel
129s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3965d83031bc5c66eea88e9ec3f6f2e0_NeikiAnalytics.exe
Size

43KB
MD5

3965d83031bc5c66eea88e9ec3f6f2e0
SHA1

6a5465910192b9d7de8276304f60382f4d18e035
SHA256

549d541bd8fd123cf67b63b34f6dc0777d38cde63bd86e1383324c4fc9ba6f85
SHA512

b90d95df0ddd8fea11fd70a3f20092b7c74e30e5c3c77194b49361f89e4f6ea320c2a22ab851dcd2c35e2ccd067fd7eda679f9d0786b42b2193f8f9e559d78c6
SSDEEP

384:UFguzjEChqLcBsMNQiviL//U8o/iYpDLQjQVf608rOpOzTlgmFc:UFlAL+vW//p8iKxR8r+OzBgm6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	3965d83031bc5c66eea88e9ec3f6f2e0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
2888	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 2888	4636	3965d83031bc5c66eea88e9ec3f6f2e0_NeikiAnalytics.exe	83
PID 4636 wrote to memory of 2888	4636	3965d83031bc5c66eea88e9ec3f6f2e0_NeikiAnalytics.exe	83
PID 4636 wrote to memory of 2888	4636	3965d83031bc5c66eea88e9ec3f6f2e0_NeikiAnalytics.exe	83

C:\Users\Admin\AppData\Local\Temp\3965d83031bc5c66eea88e9ec3f6f2e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3965d83031bc5c66eea88e9ec3f6f2e0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
43KB

MD5
032bd6c84d3ba05840b0cae9682446dd

SHA1
4122a14460ed1ce42de1c4837c8a8b62c87b2731

SHA256
9842ce9c2db8a3301947d077332d18dfb06937030543441289af169629e96371

SHA512
af4134e30a9aead050bbb21e9de36f15b73f29d6ae4208f941cd1262989d914aaf734e8dfedc995cda8920737a7a1e8489424f1f30abaf9ca3e11be80a2a6dc0

Download Submit
memory/2888-11-0x00000000005A0000-0x00000000005A7000-memory.dmp

Filesize
28KB

Download
memory/2888-10-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/2888-12-0x00000000005A0000-0x00000000005A7000-memory.dmp

Filesize
28KB

Download
memory/4636-1-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/4636-2-0x0000000000960000-0x0000000000967000-memory.dmp

Filesize
28KB

Download