0b2d83799d8e24eb885d5bd273fba574c62361ff06a73920a184e910219573ed

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34456a277ff52fead209552b5ec08720_NeikiAnalytics.exe
Size

32KB
MD5

34456a277ff52fead209552b5ec08720
SHA1

367cd9a97525ae198271bbd127501d53ec892969
SHA256

0b2d83799d8e24eb885d5bd273fba574c62361ff06a73920a184e910219573ed
SHA512

d2bcbee04b4cda8ddbdbefe3bc53637079167309645e908ddbb249fca134648d15834a8aeef0c69354654cd3580d5c5a43cafe8e455019738b0d810ddd4e50f7
SSDEEP

384:ry26utT4Dq8RX5OSNyCdvQ0KKsGbcH5wk50P/miY0sRxHgHhbi1g9Vwj5FjZmSU/:G26uYzQhmWSm8/mjHgH9OAwj5FZOj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	34456a277ff52fead209552b5ec08720_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
1788	denis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 1788	5044	34456a277ff52fead209552b5ec08720_NeikiAnalytics.exe	81
PID 5044 wrote to memory of 1788	5044	34456a277ff52fead209552b5ec08720_NeikiAnalytics.exe	81
PID 5044 wrote to memory of 1788	5044	34456a277ff52fead209552b5ec08720_NeikiAnalytics.exe	81

C:\Users\Admin\AppData\Local\Temp\34456a277ff52fead209552b5ec08720_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\34456a277ff52fead209552b5ec08720_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\denis.exe
  "C:\Users\Admin\AppData\Local\Temp\denis.exe"
  2⤵
  - Executes dropped EXE
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\denis.exe

Filesize
32KB

MD5
ec86c678423e5e58367b60cf6c424090

SHA1
2b6e1585cf75a44f5f43d5daeb8d63f5b722e747

SHA256
474dd6e398a1ef86cf5714e65fd89eb67cecc8b225fbbd4629376e9b8c6b1c27

SHA512
4d1acf4302c4209cbdcfd5ad1355c313c0b378e8032cb75227c4fc146b9e30c478c94eff49b89e8bce330054d729c517d40cef4bcb30c128817ec7359e4522e7

Download Submit
memory/1788-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1788-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1788-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1788-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5044-0-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5044-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5044-7-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download