General
- Target: 52a309b059e9c2dccd75d272971e7ea0_NeikiAnalytics.exe
- Size: 688KB
- Sample: 240529-n7wfnsdf2v
- MD5: 52a309b059e9c2dccd75d272971e7ea0
- SHA1: 28bbd88c2bb4670ba0d90c274954c40018dcfc74
- SHA256: 3788dc98b496b8eca5bec9fe73397cb6eb6bacadae5637c8e3d3009a98afe203
- SHA512: ccf237f37d0e54a4cb860a78910cf6f33cfe590a13e945b5c6c1ee91d25bfc023611f39c5ee1e9a7533dbadf717d4bc0990029b2671d12a82122e7ed3e7f28b4
- SSDEEP: 12288:910pei36RLzmmwtcb2GQ8E5qrln7RJiHw3lm+gKR+shQ2L8BiV6id:96pp36V6HorQ0lmHh9K4s62LyiV6id
Static task: static1
Behavioral task: behavioral1
- Sample: 52a309b059e9c2dccd75d272971e7ea0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Malware Config
Extracted: nanocore 1.2.2.0
- Connection hosts: staywicked99.ddns.net:63882, 127.0.0.1:63882
- Mutex: 344b2f5a-4a49-455c-8a61-465a5df696b3
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 37.235.1.177
- buffer_size: 65535
- build_time: 2024-02-23T18:24:33.192101836Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 63882
- default_group: ash
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 344b2f5a-4a49-455c-8a61-465a5df696b3
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: staywicked99.ddns.net
- primary_dns_server: 37.235.1.174
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Targets
- Target: 52a309b059e9c2dccd75d272971e7ea0_NeikiAnalytics.exe
- Size: 688KB
- MD5: 52a309b059e9c2dccd75d272971e7ea0
- SHA1: 28bbd88c2bb4670ba0d90c274954c40018dcfc74
- SHA256: 3788dc98b496b8eca5bec9fe73397cb6eb6bacadae5637c8e3d3009a98afe203
- SHA512: ccf237f37d0e54a4cb860a78910cf6f33cfe590a13e945b5c6c1ee91d25bfc023611f39c5ee1e9a7533dbadf717d4bc0990029b2671d12a82122e7ed3e7f28b4
- SSDEEP: 12288:910pei36RLzmmwtcb2GQ8E5qrln7RJiHw3lm+gKR+shQ2L8BiV6id:96pp36V6HorQ0lmHh9K4s62LyiV6id
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence check.
- Unexpected DNS network traffic destination
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
- Suspicious use of SetThreadContext