b667dc02cd1b6a289d5d7df31385ce1ad6d18f1bb32ccc5d2e0f823ca1086ec7

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

225ca3b13d065c2d232a9690c8a1a8a0_NeikiAnalytics.exe
Size

980KB
MD5

225ca3b13d065c2d232a9690c8a1a8a0
SHA1

5b1f6f1ad773c84a47986addc32ecd9fe9b0eabc
SHA256

b667dc02cd1b6a289d5d7df31385ce1ad6d18f1bb32ccc5d2e0f823ca1086ec7
SHA512

6cdd545eed2dd0992712a5c3fc1d764cc3133a84d75d85af732f17291e8d9997977743d9e32240a2cecacdd3cd3377861be33418e8e0059cebfde2577129e969
SSDEEP

24576:1GRzatThRiVNbLGJv6plFh9iGa2oMYMgdsHGev:o8TjFJspDLoVMgdkLv

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	225ca3b13d065c2d232a9690c8a1a8a0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WdExt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	module_launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	kb50145.exe

Executes dropped EXE 4 IoCs

pid	Process
4360	WdExt.exe
4840	module_launcher.exe
4480	kb50145.exe
3672	injector_s.exe

Loads dropped DLL 2 IoCs

pid	Process
1508	225ca3b13d065c2d232a9690c8a1a8a0_NeikiAnalytics.exe
4360	WdExt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Admin\\module_launcher.exe\""	module_launcher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1508	225ca3b13d065c2d232a9690c8a1a8a0_NeikiAnalytics.exe
1508	225ca3b13d065c2d232a9690c8a1a8a0_NeikiAnalytics.exe
4360	WdExt.exe
4360	WdExt.exe
4840	module_launcher.exe
4840	module_launcher.exe
4840	module_launcher.exe
4840	module_launcher.exe
4840	module_launcher.exe
4840	module_launcher.exe
4840	module_launcher.exe
4840	module_launcher.exe
3672	injector_s.exe
3672	injector_s.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3672	injector_s.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 3116	1508	225ca3b13d065c2d232a9690c8a1a8a0_NeikiAnalytics.exe	82
PID 1508 wrote to memory of 3116	1508	225ca3b13d065c2d232a9690c8a1a8a0_NeikiAnalytics.exe	82
PID 1508 wrote to memory of 3116	1508	225ca3b13d065c2d232a9690c8a1a8a0_NeikiAnalytics.exe	82
PID 1508 wrote to memory of 3424	1508	225ca3b13d065c2d232a9690c8a1a8a0_NeikiAnalytics.exe	84
PID 1508 wrote to memory of 3424	1508	225ca3b13d065c2d232a9690c8a1a8a0_NeikiAnalytics.exe	84
PID 1508 wrote to memory of 3424	1508	225ca3b13d065c2d232a9690c8a1a8a0_NeikiAnalytics.exe	84
PID 3116 wrote to memory of 4360	3116	cmd.exe	86
PID 3116 wrote to memory of 4360	3116	cmd.exe	86
PID 3116 wrote to memory of 4360	3116	cmd.exe	86
PID 4360 wrote to memory of 4740	4360	WdExt.exe	87
PID 4360 wrote to memory of 4740	4360	WdExt.exe	87
PID 4360 wrote to memory of 4740	4360	WdExt.exe	87
PID 4740 wrote to memory of 4840	4740	cmd.exe	89
PID 4740 wrote to memory of 4840	4740	cmd.exe	89
PID 4740 wrote to memory of 4840	4740	cmd.exe	89
PID 4840 wrote to memory of 5040	4840	module_launcher.exe	90
PID 4840 wrote to memory of 5040	4840	module_launcher.exe	90
PID 4840 wrote to memory of 5040	4840	module_launcher.exe	90
PID 5040 wrote to memory of 4480	5040	cmd.exe	92
PID 5040 wrote to memory of 4480	5040	cmd.exe	92
PID 5040 wrote to memory of 4480	5040	cmd.exe	92
PID 4480 wrote to memory of 3672	4480	kb50145.exe	93
PID 4480 wrote to memory of 3672	4480	kb50145.exe	93
PID 4480 wrote to memory of 3672	4480	kb50145.exe	93
PID 4480 wrote to memory of 4092	4480	kb50145.exe	94
PID 4480 wrote to memory of 4092	4480	kb50145.exe	94
PID 4480 wrote to memory of 4092	4480	kb50145.exe	94
PID 3672 wrote to memory of 3484	3672	injector_s.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3484
- C:\Users\Admin\AppData\Local\Temp\225ca3b13d065c2d232a9690c8a1a8a0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\225ca3b13d065c2d232a9690c8a1a8a0_NeikiAnalytics.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe
      "C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4740
      - C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe
        
        "C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe" /i 4360
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe
        
        "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Users\Admin\AppData\Roaming\injector_s.exe
        
        "C:\Users\Admin\AppData\Roaming\injector_s.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a0x.bat" "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe" "C:\Users\Admin\AppData\Local\Temp\a0x.bat""
        9⤵
        
        PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
    3⤵
    PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a0x.bat

Filesize
44B

MD5
804bb96081db73d249b1d21573d8ea59

SHA1
abf76e8d0702ce245bb7afbb513cdcc8bac6ab35

SHA256
b1e4990bf84c402594a53a2a98011b8880239e790872de1f6c7b8b9cd1005cf5

SHA512
d037dea300ffe466ab83c2a1c2c9a55693c36b546dbbcfa0a7a1ef477a3ea5c33f9831d71389466cf4c74192b417bf9ed0b7e0ad88d927f1ca997fcba254414c

Download Submit
C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe

Filesize
980KB

MD5
d703bcd90a6b901307193995443b3e8d

SHA1
a7f98cf3c177d7600961fea228ed2eb5d98f2f83

SHA256
e687d72b6eb89babc4be148a5ce08fc1052dc7e192cd69ef5758287eb7cc5a98

SHA512
b98118f06d92ec448a15374566075e9248f7067b4b3677aaa3e20774df0730bdc2ad0d185c8d6c1b2f061ade02d3d571fa39d6476e47f5b5ec09c5350f475517

Download Submit
C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe

Filesize
981KB

MD5
e13300b5d6cac8eb60a72bfc78b3dde6

SHA1
4e36a81d4cfb863d38adb13801290e8e736f1ef7

SHA256
aac53851c4cc81b192a1ea010ac98f9964a6df85e09d8a5780a073ca0d3c6998

SHA512
5f9aca9da95a91b7273828b23109c9277825eaac7d654f8d1dd447ffe04ae4312b378519f2da5a2333ea7f6cb32596dda0626135fc0ccdfddd50b7a22efe79b7

Download Submit
C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe

Filesize
76KB

MD5
8bf335774fbb62bbe1de03921dfe047a

SHA1
24fc750a20aebb52f23e84264d201f458106d95d

SHA256
048655d212b269073107e4636125ceeea262acce1d364fc512a0cc8f4783dcf7

SHA512
aed95f1c37cc99cee23d250e395a80c9c45c7c1c017ec7baef2af860711dbd5b540bf077d372e94582c9758961063f4c166a03fffce3b17e7fb468ce174b7aea

Download Submit
C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe

Filesize
172KB

MD5
6ff3155e619e2c601db536c88741e094

SHA1
c71bfc0a9b11db33c801035e06d31a03e2901dd0

SHA256
b4febd6c6fc42b7d86b575f6c44f0d49fbe9ec02e98d3be00cb26b3e32a3a6d1

SHA512
8a3047ff46833003464f0979702a4b4f0cf3998c3e4aa865b2f61cfd377689eae706fb9017c2ca97a2fee7f65d6c17c73ae37e86940a6aefdd06d8f0281bcebc

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
105B

MD5
902a1098f800859502aec4eac3026495

SHA1
a6b209e9aa15087670e830af5de8179b31abc897

SHA256
ff5e923c453d3d61a7989b2b0f978b0bba924a7052667311c9eed54852a20cfd

SHA512
cf7f0197c78f9c7db81068fbc702596a00c5d7c8280751641965917056c0e71265a3a89f3daf6a3600faa13034b54fbedea50ea583723abbfc286f2e7e79fe77

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
268B

MD5
22f1f5e174a80f290e4351b2b9d113f6

SHA1
87ee745406e2ad3000f83e4ed23f9bb79f1a90e6

SHA256
0dded706b52f2448b2d472c7ffde2dfe9c65dcc092a9a14c549331df3daad84b

SHA512
66127f4f8c2c88ad591832e4f90c3382f0b7bc73aad18415315f8c6612d0e0fa139228762e0fe3d9e6ea13a036644717736100ecfef693227b82e5c0c0f80bbd

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
122B

MD5
d3b198fefb188c84fd3a2fa1f4b6bd7c

SHA1
ac42e990e92b39987bd5125ea1b430f5dbe5d510

SHA256
a6f2729cef30f2cb5c0f27cbaceb2fdd2ab0fc8efc3e8510eb474c829d6127a4

SHA512
4fb732c7011d36eec162ab95c4faa78310aba0d67dc89e7c601e20b98f18a48d8a2d5e9eaf334144cbd9983836802560a6e15f2ceb12a2d96235457e2ba17f7c

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

Filesize
107B

MD5
85eb3280f9675f88d00040cbea92277f

SHA1
2fece0a30b2153b4a9fee72fe5a637dee1967a2f

SHA256
bf1b95975082845d3d9d8948999d69d666dfe50d741a36cdf81fa180fa4c777b

SHA512
2641b1dfa67216ed86d0394dbc6dd78f6124978c23673c73e4e1da66a93f98364acafc13c3df017fab682ed3d9a2c993f3d9bb562e07b7a1b0a01576e1381298

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
388KB

MD5
e1e47695a0b98432911311352b63eaed

SHA1
836142e550301e0fc13c1a047aae5a2f4481d7cd

SHA256
c67ed34d9254b31e611ee830125c3f2572a1e686f82deb69e1580fb9a4614cd0

SHA512
da49234ee2e1d8f9956ba59d4a49fe04d3ab154f5dd60cf7a6c72e9d42defe8a4b0aeb38845444fe3a8d9c80976467d2101f7c992a48f98f6a9317d0e61ca961

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
388KB

MD5
8d7db101a7211fe3309dc4dc8cf2dd0a

SHA1
6c2781eadf53b3742d16dab2f164baf813f7ac85

SHA256
93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a

SHA512
8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

Download Submit
C:\Users\Admin\AppData\Roaming\injector_s.exe

Filesize
188KB

MD5
1d1491e1759c1e39bf99a5df90311db3

SHA1
8bd6faed091bb00f879ef379715461130493e97f

SHA256
22c5c5bcb256c1dcaead463c92a70107ba1bac40564fe1e7d46594c6a3936778

SHA512
ac6ca48acbd288011849e55b0c66faf9ead479e39dc2deaecc7ad998e764f02a1807bb9227e03f12ce1a0b1f5c5b3072c3b86b5bae336e84d95d7a3e42cf5a1e

Download Submit
memory/1508-0-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download