a88b9c9c11685a6566492626245e09abc709d7ffa9ce2ae3ec20c1db1449e669

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

339bd6e0edf7cad39f838b26cc3d4740_NeikiAnalytics.exe
Size

54KB
MD5

339bd6e0edf7cad39f838b26cc3d4740
SHA1

8f03f4fc0a4a75ec37b33f8fcfcbe13d2d0040b4
SHA256

a88b9c9c11685a6566492626245e09abc709d7ffa9ce2ae3ec20c1db1449e669
SHA512

828d99268a31937a3db38a128fc9b27cab7b4cbc509eb12280a1f76a232604a6c657ea9d37e43c7857ac2a859c06bd319aa13125c5df324aa024bbec2f5bc07a
SSDEEP

768:/8sJAnZCQBwuUuequfoWfslluMgsk1Glwh4uO0j3iJ:/8sMnlequfoWfsysvwh4uO0GJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	339bd6e0edf7cad39f838b26cc3d4740_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
4848	justupdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 4848	4508	339bd6e0edf7cad39f838b26cc3d4740_NeikiAnalytics.exe	84
PID 4508 wrote to memory of 4848	4508	339bd6e0edf7cad39f838b26cc3d4740_NeikiAnalytics.exe	84
PID 4508 wrote to memory of 4848	4508	339bd6e0edf7cad39f838b26cc3d4740_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\339bd6e0edf7cad39f838b26cc3d4740_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\339bd6e0edf7cad39f838b26cc3d4740_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Users\Admin\AppData\Local\Temp\justupdater.exe
  "C:\Users\Admin\AppData\Local\Temp\justupdater.exe"
  2⤵
  - Executes dropped EXE
  PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\justupdater.exe

Filesize
54KB

MD5
d6b9f4a8b2add1a52c8745930a010b75

SHA1
674cf3504bd1fbd1e22ef2c491973ab184177d61

SHA256
b185754f6d626131608ac90d4dc41383b610b1c307a0b89f518bdc230e05233c

SHA512
0feb592d7956f5f84c94297c76e56640dd8399d58ead2f232424622ff642ef0586f6a24b9d3fe1b09815289919b5e6af44f009aed1861100a3b5b254adb01afd

Download Submit
memory/4508-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/4848-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download