6662af282b44e0ca13d421257fec9a081cc2292daa330789105ae97fbc0e56af

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 23:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1a387aba0904d633cf6e8a706fd1fb80_NeikiAnalytics.exe
Size

611KB
MD5

1a387aba0904d633cf6e8a706fd1fb80
SHA1

3589a327061ded90733bfea24abafba4299b6f6b
SHA256

6662af282b44e0ca13d421257fec9a081cc2292daa330789105ae97fbc0e56af
SHA512

811f361c97a7b3d068f5b5494889843c504c8d52e2cbf1a64c391600a027f2f0dd290a06fb0ebafd3176cea9fcfced8f69f7d565841bfd6f105a1758cd922803
SSDEEP

6144:NptVO7mOV1u9MV0ue9Ya47I9Ya4oXtamAV3vQnx04EFtUXMamoa9tG6tP/q8f/Pw:NhEDfP/q8fmRYCKREDAg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1a387aba0904d633cf6e8a706fd1fb80_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
1496	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 1496	3988	1a387aba0904d633cf6e8a706fd1fb80_NeikiAnalytics.exe	82
PID 3988 wrote to memory of 1496	3988	1a387aba0904d633cf6e8a706fd1fb80_NeikiAnalytics.exe	82
PID 3988 wrote to memory of 1496	3988	1a387aba0904d633cf6e8a706fd1fb80_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\1a387aba0904d633cf6e8a706fd1fb80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1a387aba0904d633cf6e8a706fd1fb80_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
611KB

MD5
f9b2b873a0be6f64f5a72f28e545d88f

SHA1
cead724bf0607f7cfbe9614031bee324683d6793

SHA256
e6a6c8fd9ac81a1c2659f9e79f056c4b2b40c283bacef505cf2c503088260db7

SHA512
387b775184867e8137a49f03ae46714ee33c16e9280f6d36a94b25c9ead6fd8fdf7dd9bc2353856f48fafea0f6ea268149c5732762b9c3df998419fb84856c27

Download Submit
memory/1496-11-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1496-15-0x00000000026F0000-0x0000000002AF0000-memory.dmp

Filesize
4.0MB

Download
memory/1496-14-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/1496-16-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3988-0-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3988-1-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/3988-3-0x0000000002500000-0x0000000002900000-memory.dmp

Filesize
4.0MB

Download
memory/3988-13-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download