f425c0e4f5fc046e276dfb8bae7b7e471652764168f070607496eed884e37952

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe
Size

57KB
MD5

a43d5c91b70baf3666a86c91ff0673a0
SHA1

56a4ecb518a7519365aeb2ac366a39d0b47b5b06
SHA256

f425c0e4f5fc046e276dfb8bae7b7e471652764168f070607496eed884e37952
SHA512

721d73fb12fa28f3ce53909e38489c8c4f77227d43f3b59d3c9617bd297d12e9bfc9ca1f0c8741044db90650895b2cf9de2eb1d7f5445976f6303369a5c0b420
SSDEEP

768:IGnekOEPJjjGdjzAjluDhvRQUB4LSeKn+lTFPG8BY96V6s:FnnxJUsjAFvRQUB4mV8T0FgV7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
3596	codecupdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3596	3012	a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe	82
PID 3012 wrote to memory of 3596	3012	a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe	82
PID 3012 wrote to memory of 3596	3012	a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\codecupdater.exe
  "C:\Users\Admin\AppData\Local\Temp\codecupdater.exe"
  2⤵
  - Executes dropped EXE
  PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\pdf[1].htm

Filesize
167B

MD5
0104c301c5e02bd6148b8703d19b3a73

SHA1
7436e0b4b1f8c222c38069890b75fa2baf9ca620

SHA256
446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f

SHA512
84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\codecupdater.exe

Filesize
58KB

MD5
f51db72f9bdab50ce46872171934662e

SHA1
6efbb51326cdb3e23424f823e6757d24f7aa39e0

SHA256
dba8adc1854432c0176f009c002c1ceb998671368335beed6a4f7d3b580da336

SHA512
0350c1e68b519e85577607b21fc59a20e9a8daeb755aa9bbccbf8af6b6f3bd4dfdf96b66fc5c2265709219d0d388c27ee97547a9277076780e7b78c5d0d33c01

Download Submit
memory/3012-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3596-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download