e66152b53fb851769c3abac3e5b9211275e4111dc24b5d3871737ef3ad8a7289

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 16:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

86abfd3571bc76f3c54cc5f61d275cd0_NeikiAnalytics.exe
Size

43KB
MD5

86abfd3571bc76f3c54cc5f61d275cd0
SHA1

fb7ee0ceb0e5f2046e3dc35400b9da76d56315eb
SHA256

e66152b53fb851769c3abac3e5b9211275e4111dc24b5d3871737ef3ad8a7289
SHA512

daab8acb0a46da03fabc56f8a2d2034306aa738dab20e54c7894642230e0897464f6330931c32885a07a4d0e9f0b7a02809cfb56f8d9a87aec5fb17913b4137d
SSDEEP

768:b/yC4GyNM01GuQMNXw2PSjHPbSuYlW8PAekQk:b/pYayGig5HjS3NPAekR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	86abfd3571bc76f3c54cc5f61d275cd0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
2900	retln.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 2900	4160	86abfd3571bc76f3c54cc5f61d275cd0_NeikiAnalytics.exe	92
PID 4160 wrote to memory of 2900	4160	86abfd3571bc76f3c54cc5f61d275cd0_NeikiAnalytics.exe	92
PID 4160 wrote to memory of 2900	4160	86abfd3571bc76f3c54cc5f61d275cd0_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\86abfd3571bc76f3c54cc5f61d275cd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\86abfd3571bc76f3c54cc5f61d275cd0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4268 /prefetch:8
1⤵
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
43KB

MD5
68e89124a595ad021d51463dc0143434

SHA1
6e57d2d843ccf142f5ab542985fa6e1a12077a8c

SHA256
3475d71108b60b6c1103b5c08a7a60885eb4341d66091ed0e6cb7257b1865b50

SHA512
1d788f3968a8eb2f86003a9bfc1acaed6edcfcb6f27f2fcaeb89cd2420e421487a4ec65644561d7c318bfd36b14bddfd042cacacd1760b386846c20f3e1c8357

Download Submit
memory/2900-25-0x00000000021C0000-0x00000000021C6000-memory.dmp

Filesize
24KB

Download
memory/4160-0-0x0000000002150000-0x0000000002156000-memory.dmp

Filesize
24KB

Download
memory/4160-8-0x0000000002150000-0x0000000002156000-memory.dmp

Filesize
24KB

Download
memory/4160-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download