Analysis
max time kernel: 149s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/06/2024, 11:48
Behavioral task: behavioral1
  Sample: 54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe
Size: 427KB
MD5: 54e3722e65bff1800fa6d58f8bea7560
SHA1: 9c2ecad59f091f3ebc3a5e4105c5a40f7dce5b06
SHA256: a69b8c96db4b68c72e103978877238ef9aacb368376c3543b7cf9cedc8e76fae
SHA512: bdee93f53ffd97d86f2bce9219b3d3affa42c0f1e5e09be08abe35d6128971ee7066d61939f3b3e1e890a8bdb1a31b35d4a9fd72812e9cf9e6f8573ec5bdcc5d
SSDEEP: 6144:v2ja0W9vFWhZ4HYaWtsV6gNbncvlNFn9XGTWve/0OvCEv:v6a0W9vF2SLM0NAvlNFn8TWvecOvfv
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
  Process: 54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe

Deletes itself (1 IoCs)
  PID 4068  Process: Sysceamgiqom.exe

Executes dropped EXE (1 IoCs)
  PID 4068  Process: Sysceamgiqom.exe

YARA rule matches (rule: upx)
  behavioral2/memory/4268-0-0x0000000000400000-0x000000000046D000-memory.dmp
  behavioral2/files/0x000b000000023368-10.dat
  behavioral2/memory/4268-41-0x0000000000400000-0x000000000046D000-memory.dmp
  behavioral2/memory/4068-42-0x0000000000400000-0x000000000046D000-memory.dmp

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  Process: 54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4068  Process: Sysceamgiqom.exe (the same entry is reported 64 times)

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4268 wrote to memory of 4068  Process: 54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe  procid_target: 93
  PID 4268 wrote to memory of 4068  Process: 54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe  procid_target: 93
  PID 4268 wrote to memory of 4068  Process: 54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe  procid_target: 93
Processes

C:\Users\Admin\AppData\Local\Temp\54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe"
  PID: 4268
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Sysceamgiqom.exe (child of PID 4268)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sysceamgiqom.exe"
    PID: 4068
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Downloads

Filesize: 427KB
MD5: 48bec37ebcd4a2178e5f12c6aa61acfd
SHA1: bd138e62c285b9eac1e81253240fc70049ed84e1
SHA256: cc98784d9bbc919ddd5b3fb9f60448cd3cb1efd8217a2b63e040cc3fe8a00f30
SHA512: 8a4c6b09dbbd0415e47e78efc2f3e05f700bb700129af481a72b422cb79ddd1614bec64d05df999da8dce0306e50d3c1f08e5f50cf8dbb0cbff417c777d60186

Filesize: 85B
MD5: f3c13a8491eacec21cb6e4e08275fc79
SHA1: f15617afa3611aa196fef7a11542038c8ed1f3d0
SHA256: 3c55c82473198408f935a198c41592eb96be93e37c60919f42cf12b80cb0d1ec
SHA512: c5d3db45e8cc13559af69105a24acad9517769873c54aeb35c91516bb58a3ed9582fb9eebc92400a022d0956627cd44e2829920e1cb2c08f30c1bc4988c9d434