2d77ec342bc62fe11dcc79d0046d18a0476ae76679f444bf65e01ca381694fed

General

Target

00a85405c5dac086f44c019a13a4dc60_NeikiAnalytics.exe
Size

409KB
MD5

00a85405c5dac086f44c019a13a4dc60
SHA1

af35cce9252fe968b785f340fe0438a957a5eff0
SHA256

2d77ec342bc62fe11dcc79d0046d18a0476ae76679f444bf65e01ca381694fed
SHA512

538bf3578d96b8126d743dcc06c6ce6abf1669c8bc57b02a68eae82c6b458f3d43ce2332923bbd8f6af8e4f76b9af99a8bc5768f69de8850d80fdcd77835ac90
SSDEEP

12288:GrWcDkpFBK4TuxGzRrf1u+zV0+wqoKRx8y:GrWcDkpm4T9BzV0+vL8y

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	3846.tmp

Executes dropped EXE 1 IoCs

pid	Process
3168	3846.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	3846.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1908	WINWORD.EXE
1908	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3168	3846.tmp

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 3168	4080	00a85405c5dac086f44c019a13a4dc60_NeikiAnalytics.exe	80
PID 4080 wrote to memory of 3168	4080	00a85405c5dac086f44c019a13a4dc60_NeikiAnalytics.exe	80
PID 4080 wrote to memory of 3168	4080	00a85405c5dac086f44c019a13a4dc60_NeikiAnalytics.exe	80
PID 3168 wrote to memory of 1908	3168	3846.tmp	81
PID 3168 wrote to memory of 1908	3168	3846.tmp	81

C:\Users\Admin\AppData\Local\Temp\00a85405c5dac086f44c019a13a4dc60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00a85405c5dac086f44c019a13a4dc60_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Local\Temp\3846.tmp
  "C:\Users\Admin\AppData\Local\Temp\3846.tmp" --pingC:\Users\Admin\AppData\Local\Temp\00a85405c5dac086f44c019a13a4dc60_NeikiAnalytics.exe E7F71C8F30924673CD02392A8B8F71E37B1DB4DD0CE280B6884EA215555F2076156708D2D6A43BADA92A76C15ADFB99E0CD98F598369DB49CA0D8182E60BCC46
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\00a85405c5dac086f44c019a13a4dc60_NeikiAnalytics.doc" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00a85405c5dac086f44c019a13a4dc60_NeikiAnalytics.doc

Filesize
21KB

MD5
12e57ae08f64353b3c3b3d08681aaaf1

SHA1
36b6aca282497c65d41513b231d247b0187651f1

SHA256
07498e905c47bfea983587265b88eb01bc6098978c375c71074b9469a99b4308

SHA512
aba2748b1b5d26f52a93bbfabbd4760435b06d6c449631930e7db339c5317429f59cc24709515707cdda34956c73d30e60b83b81986873eb544b1040388748a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3846.tmp

Filesize
409KB

MD5
659c4c83c12c162dfb5e7afc386f22ed

SHA1
2f5537e3da96b32aad76592e574667e999e22f97

SHA256
8a631d5f336780c05c3c0baa57f96d94d7d5e7f539a591c1e40daa760c01d69c

SHA512
00f6ae483a6222b26e6f3557cb62e7accf40b9a455ad94a93fbae31a03384d95126e0dd0ffff214fd9228da3123e4503a5114e5533fb24b02b5996908ca5c85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD95E2.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
memory/1908-23-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/1908-21-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/1908-31-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/1908-30-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/1908-33-0x00007FF903A50000-0x00007FF903A60000-memory.dmp

Filesize
64KB

Download
memory/1908-29-0x00007FF903A50000-0x00007FF903A60000-memory.dmp

Filesize
64KB

Download
memory/1908-28-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/1908-27-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/1908-26-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/1908-24-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/1908-25-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/1908-20-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/1908-22-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/1908-32-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/1908-19-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/1908-17-0x00007FF945ACD000-0x00007FF945ACE000-memory.dmp

Filesize
4KB

Download
memory/1908-16-0x00007FF905AB0000-0x00007FF905AC0000-memory.dmp

Filesize
64KB

Download
memory/1908-15-0x00007FF905AB0000-0x00007FF905AC0000-memory.dmp

Filesize
64KB

Download
memory/1908-14-0x00007FF905AB0000-0x00007FF905AC0000-memory.dmp

Filesize
64KB

Download
memory/1908-13-0x00007FF905AB0000-0x00007FF905AC0000-memory.dmp

Filesize
64KB

Download
memory/1908-18-0x00007FF905AB0000-0x00007FF905AC0000-memory.dmp

Filesize
64KB

Download
memory/1908-528-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/1908-552-0x00007FF945A30000-0x00007FF945C25000-memory.dmp

Filesize
2.0MB

Download
memory/1908-551-0x00007FF905AB0000-0x00007FF905AC0000-memory.dmp

Filesize
64KB

Download
memory/1908-550-0x00007FF905AB0000-0x00007FF905AC0000-memory.dmp

Filesize
64KB

Download
memory/1908-549-0x00007FF905AB0000-0x00007FF905AC0000-memory.dmp

Filesize
64KB

Download
memory/1908-548-0x00007FF905AB0000-0x00007FF905AC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads