Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/06/2024, 07:12

General

  • Target

    977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe

  • Size

    1.3MB

  • MD5

    977d436f6b994ebd49a3a195c47ed9c0

  • SHA1

    1009e3b0df7faeb187fb3a410367126e28c3b1a0

  • SHA256

    5a0e0ffda4d8ddeed62772838878b03af6064e78635fb4ec6f440ec4818dbc1d

  • SHA512

    3ee7b3d0f5492a26a5b849a2b7e146515b7ccf828571885500e8b3f2475128c4f8802f38401afe4cf0bf0a50c94a3fda965b2bf92f18e9fe8ea420ac90500d80

  • SSDEEP

    24576:nAD3HRNtvJ2QY6ynjTdcpLmBtMs51aoflG4/iMtQkSNSFkeKvvvvLpphd7d8ddP7:nkpBs5dlG4/i0QkSoeeKvvvvLpphd7dq

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
  • Drops startup file (1 IoC)
  • UPX packed file (9 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)
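The "UPX packed file" signature above is a static check that can be reproduced outside the sandbox. The block below is an added example, not the sandbox's own detector and not code from this report: a minimal PE section-table parser with two heuristics, UPX section names or the "UPX!" marker, and near-8-bit Shannon entropy of a section's raw data, which still fires on "modified UPX" builds that rename their sections. The two PE images it runs on are constructed inside the block (assumed fixtures); nothing is taken from the analysed sample's bytes. To run it on a real file, pass `open(path, "rb").read()` to `upx_report`.

```python
"""Static reproduction of the 'UPX packed file' signature: walk the PE section
table and apply two heuristics, UPX section names / the 'UPX!' marker and
high Shannon entropy of raw section data (catches modified UPX builds that
rename their sections). Added example; the PE images below are constructed
here and are not derived from the analysed sample."""
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (name, virtual_size, raw_size, raw_offset, entropy) per section header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size               # first IMAGE_SECTION_HEADER
    out = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, rptr,
                    shannon_entropy(raw)))
    return out


def upx_report(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Classify a PE as 'upx', 'possibly packed' or 'not packed'."""
    sections = parse_sections(pe)
    names = [s[0] for s in sections]
    upx_names = any(n.upper().startswith("UPX") for n in names)
    upx_marker = b"UPX!" in pe
    # Stock UPX: the first section has no raw data (it is the unpack target) and
    # the second holds the compressed payload, so that one shows near-8-bit entropy.
    high_entropy = [n for n, _, rsize, _, ent in sections if rsize and ent >= entropy_threshold]
    if upx_names or upx_marker:
        verdict = "upx"
    elif high_entropy:
        verdict = "possibly packed"
    else:
        verdict = "not packed"
    return {"sections": names, "upx_section_names": upx_names, "upx_marker": upx_marker,
            "high_entropy_sections": high_entropy, "verdict": verdict}


def build_pe(sections) -> bytes:
    """Assemble a minimal, non-runnable PE32 image from (name, raw_bytes) pairs.
    Constructed fixture generator only; fields the parser ignores stay zero."""
    e_lfanew, opt_size, align = 0x80, 224, 0x200
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    first_raw = (e_lfanew + 4 + 20 + opt_size + 40 * len(sections) + align - 1) & ~(align - 1)
    table, body, vaddr = b"", b"", 0x1000
    for name, raw in sections:
        rsize = len(raw)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), max(rsize, 0x1000), vaddr,
                             rsize, first_raw + len(body) if rsize else 0, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust((rsize + align - 1) & ~(align - 1), b"\0")
        vaddr += (max(rsize, 0x1000) + 0xFFF) & ~0xFFF
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + body


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed fixtures: a stock-UPX layout (empty UPX0, high-entropy UPX1 followed
# by the "UPX!" marker, plain .rsrc) and an unpacked layout with low-entropy code.
UPX_STYLE_PE = build_pe([(b"UPX0", b""), (b"UPX1", pseudo_random(4096) + b"UPX!"),
                         (b".rsrc", b"\0" * 512)])
CLEAN_PE = build_pe([(b".text", b"\x55\x8B\xEC" + b"\x90" * 1000 + b"\xC3"),
                     (b".data", b"constructed data\0" * 32)])

if __name__ == "__main__":
    for label, pe in (("upx-style", UPX_STYLE_PE), ("clean", CLEAN_PE)):
        print(label, upx_report(pe))
```

The entropy threshold of 7.0 bits/byte is a working heuristic, not a rule: compressed resources in an unpacked binary can exceed it, which is why the verdict separates "upx" (name or marker evidence) from "possibly packed" (entropy only).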

Processes

  • C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3952
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
        PID:4496

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
    Filesize: 92B
    MD5: 0a09f354748324840a98a09a15172fb8
    SHA1: 41dc1d5cb5f99590ea7b83516be4ca616707932a
    SHA256: 31a81ee87f0c6987d56d48ccac000d92e2a4efdb6b2f84787e9ef420d9f91c7d
    SHA512: f21a7c0f5f13285b5faa1fdaca04d15460d9b436eda4bb98a761bdb02b802f00c1c5727d84c97565891d317cd2dbc92ac370ecb8c248082a83a51558cd63bda8

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
    Filesize: 736B
    MD5: 074f0f20b1af231ab4562985077c682f
    SHA1: 647e5d0ff032c7aaf1fd5dbb20537f5831cc4b18
    SHA256: be7abb4d820f9c15accf03c551469e0e088a851f9bb4770aba961713cb7d4454
    SHA512: a48d7e9154fb82f628d58d6ea440c2628cf33b47cd8e63848ce5af6bdfade53c23b9cc9d789499331e101db722860269529a3a6cb06f97d86b0e68869b62f60b

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Filesize: 1.3MB
    MD5: a3a80cb62fc315de1924f165c1c95721
    SHA1: 214f2f997b96adf2d832d04c004100442898502c
    SHA256: c5779c61b7bec592d5601c42cdd9952b2ea57c4c1ba4eda9758bcc52243fde50
    SHA512: bebac64d89e118cf24f1ebf401642820f4d63149af23e099119e495cdc1ed2b5b3fb9408e67ae8e6e98978007938683a2202c741c1ce4a1c5d403354f592b723

  • memory/3952-0-0x0000000000400000-0x000000000054E000-memory.dmp (Filesize: 1.3MB)
  • memory/3952-14-0x0000000000400000-0x000000000054E000-memory.dmp (Filesize: 1.3MB)
  • memory/3952-17-0x0000000000400000-0x000000000054E000-memory.dmp (Filesize: 1.3MB)
  • memory/3952-20-0x0000000000400000-0x000000000054E000-memory.dmp (Filesize: 1.3MB)
  • memory/3952-24-0x0000000000400000-0x000000000054E000-memory.dmp (Filesize: 1.3MB)
  • memory/3952-27-0x0000000000400000-0x000000000054E000-memory.dmp (Filesize: 1.3MB)
  • memory/3952-30-0x0000000000400000-0x000000000054E000-memory.dmp (Filesize: 1.3MB)
  • memory/3952-33-0x0000000000400000-0x000000000054E000-memory.dmp (Filesize: 1.3MB)
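Read together, the process tree and the dropped files describe a chain a host sensor can catch without any of the hashes: an executable run from %TEMP% writes VBS3.vbs, Config.ini and svchcst.exe (one character away from svchost.exe) under %APPDATA%\Microsoft, registers a Run key, and launches the script through WScript.exe (the command line names System32\WScript.exe, but the image runs from SysWOW64, the file-system redirection a 32-bit parent gets). The block below is an added example, not part of the report: detection rules over Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) that flag each of those steps and then score a process by how many distinct rules it trips. The events are constructed here from the report's paths; the explorer.exe parent, the SID, and the Run value name and data (assumed to point at the dropped svchcst.exe) are assumptions, since the report does not show them.

```python
"""Host-side rules for the chain in this report: an executable from a
user-writable path drops a script and a look-alike system binary under
%APPDATA%\\Microsoft, registers a Run key and launches the script via
WScript.exe. Added example over constructed Sysmon-style events (EventID 1
process create, 11 file create, 13 registry value set); not report data."""
import re
from collections import defaultdict

ROAMING = re.compile(r"\\AppData\\Roaming\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Windows binaries droppers imitate (svchcst.exe is one edit away from svchost.exe).
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(a) < len(b):
            j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def analyse(events):
    """Run the rules over a list of event dicts; return (rule, pid, evidence) triples."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        eid, pid = e["EventID"], e["ProcessId"]
        if eid == 1:
            cmd = e.get("CommandLine", "")
            if basename(e["Image"]) in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and ROAMING.search(cmd):
                findings.append(("script_host_runs_roaming_script", pid, cmd))
                parent = by_pid.get(e["ParentProcessId"])   # attribute the launch to the dropper
                if parent and USER_WRITABLE.search(parent["Image"]):
                    findings.append(("user_writable_exe_spawned_script_host",
                                     parent["ProcessId"], parent["Image"]))
        elif eid == 11:
            target = e["TargetFilename"]
            if ROAMING.search(target) and any(within_one_edit(basename(target), s)
                                              for s in SYSTEM_BINARIES):
                findings.append(("system_binary_name_in_roaming", pid, target))
        elif eid == 13:
            if RUN_KEY.search(e["TargetObject"]) and ROAMING.search(e.get("Details", "")):
                findings.append(("run_key_points_to_roaming", pid, e["TargetObject"]))
    return findings


def triage(events):
    """Group findings per process: 3+ distinct rules = high, 2 = medium, 1 = low."""
    per_pid = defaultdict(set)
    for rule, pid, _ in analyse(events):
        per_pid[pid].add(rule)
    levels = {1: "low", 2: "medium"}
    return {pid: (levels.get(len(rules), "high"), sorted(rules)) for pid, rules in per_pid.items()}


APPDATA = r"C:\Users\Admin\AppData"
SAMPLE = APPDATA + r"\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe"
# Constructed events following the report's process tree and dropped-file paths.
# Assumptions not shown in the report: the explorer.exe parent (PID 1200), the
# SID, and the Run value name/data (taken here to point at the dropped svchcst.exe).
HIVE = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    {"EventID": 1, "ProcessId": 3952, "ParentProcessId": 1200, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 11, "ProcessId": 3952, "TargetFilename": APPDATA + r"\Roaming\Microsoft\Config.ini"},
    {"EventID": 11, "ProcessId": 3952, "TargetFilename": APPDATA + r"\Roaming\Microsoft\VBS3.vbs"},
    {"EventID": 11, "ProcessId": 3952, "TargetFilename": APPDATA + r"\Roaming\Microsoft\svchcst.exe"},
    {"EventID": 13, "ProcessId": 3952, "TargetObject": HIVE + r"\svchcst",
     "Details": APPDATA + r"\Roaming\Microsoft\svchcst.exe"},
    {"EventID": 1, "ProcessId": 4496, "ParentProcessId": 3952,
     "Image": r"C:\Windows\SysWOW64\WScript.exe",
     "CommandLine": rf'"C:\Windows\System32\WScript.exe" "{APPDATA}\Roaming\Microsoft\VBS3.vbs"'},
    # Benign noise: a Run value pointing into Program Files must not fire.
    {"EventID": 13, "ProcessId": 880, "TargetObject": HIVE + r"\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for pid, (level, rules) in sorted(triage(EVENTS).items()):
        print(pid, level, rules)
```

Scoring by distinct rules rather than by any single hit keeps the noise down: a lone script launched from Roaming or a lone Run value is common on user machines, but one process that drops a look-alike binary, persists it and spawns a script host is what this report shows.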