Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/06/2024, 07:12
Behavioral task: behavioral1
Sample: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
Size: 1.3MB
MD5: 977d436f6b994ebd49a3a195c47ed9c0
SHA1: 1009e3b0df7faeb187fb3a410367126e28c3b1a0
SHA256: 5a0e0ffda4d8ddeed62772838878b03af6064e78635fb4ec6f440ec4818dbc1d
SHA512: 3ee7b3d0f5492a26a5b849a2b7e146515b7ccf828571885500e8b3f2475128c4f8802f38401afe4cf0bf0a50c94a3fda965b2bf92f18e9fe8ea420ac90500d80
SSDEEP: 24576:nAD3HRNtvJ2QY6ynjTdcpLmBtMs51aoflG4/iMtQkSNSFkeKvvvvLpphd7d8ddP7:nkpBs5dlG4/i0QkSoeeKvvvvLpphd7dq
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
Process: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
Drops startup file (1 IoCs)
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk
Process: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
resource / yara_rule
behavioral2/memory/3952-0-0x0000000000400000-0x000000000054E000-memory.dmp / upx
behavioral2/files/0x00090000000233f3-9.dat / upx
behavioral2/memory/3952-14-0x0000000000400000-0x000000000054E000-memory.dmp / upx
behavioral2/memory/3952-17-0x0000000000400000-0x000000000054E000-memory.dmp / upx
behavioral2/memory/3952-20-0x0000000000400000-0x000000000054E000-memory.dmp / upx
behavioral2/memory/3952-24-0x0000000000400000-0x000000000054E000-memory.dmp / upx
behavioral2/memory/3952-27-0x0000000000400000-0x000000000054E000-memory.dmp / upx
behavioral2/memory/3952-30-0x0000000000400000-0x000000000054E000-memory.dmp / upx
behavioral2/memory/3952-33-0x0000000000400000-0x000000000054E000-memory.dmp / upx
Adds Run key to start application (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"
Process: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoCs)
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings
Process: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid / Process
3952 / 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe (the same pid/process pair is listed for all 16 IoCs)
Suspicious behavior: RenamesItself (1 IoCs)
pid / Process
3952 / 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid / Process
3952 / 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
3952 / 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description / pid / Process / procid_target
PID 3952 wrote to memory of 4496 / 3952 / 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe / 84
PID 3952 wrote to memory of 4496 / 3952 / 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe / 84
PID 3952 wrote to memory of 4496 / 3952 / 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe / 84
Processes
1. C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe"
   PID: 3952
   Signatures:
   - Checks computer location settings
   - Drops startup file
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe (child of PID 3952)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      PID: 4496
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 92B
MD5: 0a09f354748324840a98a09a15172fb8
SHA1: 41dc1d5cb5f99590ea7b83516be4ca616707932a
SHA256: 31a81ee87f0c6987d56d48ccac000d92e2a4efdb6b2f84787e9ef420d9f91c7d
SHA512: f21a7c0f5f13285b5faa1fdaca04d15460d9b436eda4bb98a761bdb02b802f00c1c5727d84c97565891d317cd2dbc92ac370ecb8c248082a83a51558cd63bda8
File 2
Filesize: 736B
MD5: 074f0f20b1af231ab4562985077c682f
SHA1: 647e5d0ff032c7aaf1fd5dbb20537f5831cc4b18
SHA256: be7abb4d820f9c15accf03c551469e0e088a851f9bb4770aba961713cb7d4454
SHA512: a48d7e9154fb82f628d58d6ea440c2628cf33b47cd8e63848ce5af6bdfade53c23b9cc9d789499331e101db722860269529a3a6cb06f97d86b0e68869b62f60b
File 3
Filesize: 1.3MB
MD5: a3a80cb62fc315de1924f165c1c95721
SHA1: 214f2f997b96adf2d832d04c004100442898502c
SHA256: c5779c61b7bec592d5601c42cdd9952b2ea57c4c1ba4eda9758bcc52243fde50
SHA512: bebac64d89e118cf24f1ebf401642820f4d63149af23e099119e495cdc1ed2b5b3fb9408e67ae8e6e98978007938683a2202c741c1ce4a1c5d403354f592b723