Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
29-05-2024 23:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5af1662476acf0f2c48eb894ef7e8b00_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
5af1662476acf0f2c48eb894ef7e8b00_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
5af1662476acf0f2c48eb894ef7e8b00_NeikiAnalytics.exe
-
Size
94KB
-
MD5
5af1662476acf0f2c48eb894ef7e8b00
-
SHA1
f3d53cd0e28606f3fc70cbd3110541edb71bc441
-
SHA256
fa3da96c0adf663ad371ce41a8b41cb0519e7e306a9ff453cb0a3a22a092491a
-
SHA512
9c6fadf28d5059ff5234ed3684eda32f9325c4dcee9869b0bee64c1ae51b66b51435d731012aae2fb36ec850a142f79b7b813921ecbe653268941c986cddb733
-
SSDEEP
1536:Udsah74bTxku0WlxDMtiJEVKH/tEzXwdt7:0ho2IfpJEVKH1KAd9
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" jfliep.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 5af1662476acf0f2c48eb894ef7e8b00_NeikiAnalytics.exe -
Executes dropped EXE 1 IoCs
pid Process 4388 jfliep.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jfliep = "C:\\Users\\Admin\\jfliep.exe" jfliep.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe 4388 jfliep.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 184 5af1662476acf0f2c48eb894ef7e8b00_NeikiAnalytics.exe 4388 jfliep.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 184 wrote to memory of 4388 184 5af1662476acf0f2c48eb894ef7e8b00_NeikiAnalytics.exe 90 PID 184 wrote to memory of 4388 184 5af1662476acf0f2c48eb894ef7e8b00_NeikiAnalytics.exe 90 PID 184 wrote to memory of 4388 184 5af1662476acf0f2c48eb894ef7e8b00_NeikiAnalytics.exe 90 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82 PID 4388 wrote to memory of 184 4388 jfliep.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\5af1662476acf0f2c48eb894ef7e8b00_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5af1662476acf0f2c48eb894ef7e8b00_NeikiAnalytics.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:184 -
C:\Users\Admin\jfliep.exe"C:\Users\Admin\jfliep.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4388
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94KB
MD529c80ea93a949f807a64a9d069211b84
SHA1aa4ae4d49b08a93c5a379a3b3ece433ba51dec7c
SHA256dd8a9b6fb808b9598444bedb7fda6977a5ea8fbbaf7cda2c97062311d988d15d
SHA5126599abd5e93fec271972a89948bfe13ab19ce251f93ff88e6623a584e8a988b891c1affefcd60fae98376cbdd55f72177029d84e704db5b36cdc2695a698d45b