Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 13:21
Static task: static1
Behavioral task: behavioral1
  Sample: a4ca7e2085cbb6acc72f6e34d0594ae0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a4ca7e2085cbb6acc72f6e34d0594ae0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: a4ca7e2085cbb6acc72f6e34d0594ae0_NeikiAnalytics.exe
Size: 38KB
MD5: a4ca7e2085cbb6acc72f6e34d0594ae0
SHA1: 1d829bd89834eb83d9c89cac6015a81cf7e3a74c
SHA256: 7379ffa293b52dcd75b25fb3199c715162c7f053a8a28d733c354d9a6658d485
SHA512: 6cea5050d3e2d1909fbc64dc9a5a65fad8cdf570b3bd852e2eae72a4f54da5d9d47b7b040e2890db7d26e44f5fa496d9218c86d3a7a868797ee6158129ca845e
SSDEEP: 768:NLhcSDgpxUueqk230wHmIOdic+AvALEJ0X/t6:NLhcRLleqk4rTOdbvAwJ
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | a4ca7e2085cbb6acc72f6e34d0594ae0_NeikiAnalytics.exe

Executes dropped EXE (1 IoCs)
pid | Process
688 | codecupdate.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 5092 wrote to memory of 688 | 5092 | a4ca7e2085cbb6acc72f6e34d0594ae0_NeikiAnalytics.exe | 84
PID 5092 wrote to memory of 688 | 5092 | a4ca7e2085cbb6acc72f6e34d0594ae0_NeikiAnalytics.exe | 84
PID 5092 wrote to memory of 688 | 5092 | a4ca7e2085cbb6acc72f6e34d0594ae0_NeikiAnalytics.exe | 84
Processes
C:\Users\Admin\AppData\Local\Temp\a4ca7e2085cbb6acc72f6e34d0594ae0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4ca7e2085cbb6acc72f6e34d0594ae0_NeikiAnalytics.exe"
  PID: 5092
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\codecupdate.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\codecupdate.exe"
    PID: 688
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 39KB
MD5: 7d52898ee4d401c49a7d0e1c41e9b646
SHA1: 701a2580be076fe3fe64195686f8c3fdd7c393e1
SHA256: 6bb8a8cb396bbf980ba54d11c5678a02e3a84012fb178f4a4b6b444b74b9d60d
SHA512: 960e027178b3244a1bc4c7df4720e22997c1af399480de889e9c651f6fe39751e83352a598658f2282c95a757653a1fdf6772d16f348f310cc0203fe7833f07b