Analysis

  • max time kernel
    120s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/06/2024, 07:04

General

  • Target

    267de363c21cdc11522226c9364191c0_NeikiAnalytics.exe

  • Size

    134KB

  • MD5

    267de363c21cdc11522226c9364191c0

  • SHA1

    9481d3054e276ad956c2bfb9891ba0386da0cf19

  • SHA256

    182a6dff215da740a545ebfb2dae19d248076fe27f1944997cf1083115c0a1b1

  • SHA512

    1affa67bede013834258a60706b62d5469ad1754f016c05759c3e03bc59032494c3d15ace51bddde6e19ab11120029b430a82077b587edcadeeeda9cc98c555e

  • SSDEEP

    1536:YGYU/W2/HG6QMauSV3ixJHABLrmhH7i9eNOOg00GqMIK7aGZh3SOu:YfU/WF6QMauSuiWNi9eNOl0007NZIOu

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs
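The "UPX packed file" signature above matches on markers that stock UPX leaves in a binary. The Python below is an added example, not the sandbox's own detection logic: it walks the PE section table and flags the default UPX section names, and separately looks for the "UPX!" magic that UPX writes into its pack header. `build_pe` is a constructed test fixture that emits a minimal PE32 skeleton with chosen section names; it is not derived from the sample on this page and is not a runnable program. Offsets follow the PE/COFF layout (e_lfanew at 0x3C, a 20-byte COFF header, 40-byte section headers).

```python
import struct

# Stock UPX names its sections UPX0/UPX1 (sometimes UPX2, and "UPX!" on some
# builds) and stores a "UPX!" magic at the start of its pack header. A
# modified UPX that renames sections and patches the magic evades both checks,
# which is why sandbox signatures also key on entropy and the unpacking stub.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}
UPX_MAGIC = b"UPX!"


def pe_section_names(data):
    """Return the section names from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # COFF header after the 4-byte signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2)
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(n_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        raw = data[off:off + 8]  # IMAGE_SECTION_HEADER.Name, NUL padded
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """True if the image carries UPX section names or the UPX! pack-header magic.

    The magic test alone can false-positive on any file that merely mentions
    UPX (e.g. an unpacker), so treat it as a weaker indicator than the names.
    """
    if set(pe_section_names(data)) & UPX_SECTION_NAMES:
        return True
    return UPX_MAGIC in data


def scan_file(path):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return looks_upx_packed(fh.read())


def build_pe(section_names, trailer=b""):
    """Constructed fixture: a minimal PE32 skeleton with the given section names.

    Enough header to parse, with no code or data; not derived from the sample.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)  # PE32 magic, rest zero
    sections = b"".join(
        struct.pack("<8s6I2HI", name.encode("ascii").ljust(8, b"\x00"), *([0] * 9))
        for name in section_names
    )
    return dos_header + b"PE\x00\x00" + coff + optional + sections + trailer


if __name__ == "__main__":
    print("stock UPX layout:", looks_upx_packed(build_pe(["UPX0", "UPX1", ".rsrc"])))
    print("normal layout:", looks_upx_packed(build_pe([".text", ".rdata", ".data"])))
```

Against a real sample, run `scan_file(path)`; a hit on section names alone is already a strong indicator, while a hit on the magic alone deserves a look at the section entropy before calling the file packed.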

Processes

  • C:\Users\Admin\AppData\Local\Temp\267de363c21cdc11522226c9364191c0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\267de363c21cdc11522226c9364191c0_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4680
    • C:\ProgramData\Update\wuauclt.exe
      "C:\ProgramData\Update\wuauclt.exe" /run
      2⤵
      • Executes dropped EXE
      PID:5112
    • C:\windows\SysWOW64\cmd.exe
      "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\267de363c21cdc11522226c9364191c0_NeikiAnalytics.exe" >> NUL
      2⤵
        PID:2684
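The process tree above shows three behaviours worth turning into detections: the dropper writes a file named `wuauclt.exe` (the name of the Windows Update client, which legitimately lives only under `C:\Windows\System32`) into `C:\ProgramData\Update\` and runs it, it adds a Run key for persistence, and it spawns `cmd.exe` to delete its own image. Note also that the command line asks for `C:\windows\system32\cmd.exe` while the image that ran is `C:\windows\SysWOW64\cmd.exe`: the dropper is a 32-bit process on x64 Windows, so the WOW64 file system redirector silently maps System32 to SysWOW64. The Python below is an added example and not part of the sandbox report: it runs three checks over a constructed set of process-creation events modelled on this tree. The Run value name and data are assumptions, since the report records only that a Run key was added.

```python
import ntpath
import re

# Constructed process-creation events modelled on the process tree in the
# report above; they are illustrative, not the sandbox's own telemetry.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\267de363c21cdc11522226c9364191c0_NeikiAnalytics.exe")
EVENTS = [
    {"pid": 4680, "ppid": 1000, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 5112, "ppid": 4680, "image": r"C:\ProgramData\Update\wuauclt.exe",
     "cmdline": r'"C:\ProgramData\Update\wuauclt.exe" /run'},
    # The 32-bit dropper asked for system32\cmd.exe; WOW64 redirected it to SysWOW64.
    {"pid": 2684, "ppid": 4680, "image": r"C:\windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\windows\\system32\\cmd.exe" /c del /q "{DROPPER}" >> NUL'},
]
# Assumed Run value: the report says only that a Run key was added, not its
# name or data, so this entry is a guess at what it would look like.
RUN_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update":
        r'"C:\ProgramData\Update\wuauclt.exe" /run',
}

# Binaries that legitimately exist only under the Windows system directories.
SYSTEM_BINARIES = {"wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE = (r"c:\programdata", r"c:\users")

FIRST_TOKEN = re.compile(r'"([^"]+)"|(\S+)')
DEL_CMD = re.compile(r'\bdel\b(?:\s+/\w+)*\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def _norm(path):
    return ntpath.normpath(path).lower()


def masquerading(event):
    """Flag a process named like a system binary that runs outside System32/SysWOW64."""
    image = _norm(event["image"])
    name = ntpath.basename(image)
    if name in SYSTEM_BINARIES and not image.startswith(SYSTEM_DIRS):
        return f"masquerade: {name} run from {ntpath.dirname(image)} (pid {event['pid']})"
    return None


def self_delete(event, by_pid):
    """Flag cmd.exe deleting its parent's own image, i.e. a dropper removing itself."""
    if ntpath.basename(_norm(event["image"])) != "cmd.exe":
        return None
    parent = by_pid.get(event["ppid"])
    match = DEL_CMD.search(event["cmdline"])
    if parent and match and _norm(match.group(1) or match.group(2)) == _norm(parent["image"]):
        return f"self-delete: pid {event['pid']} deletes parent image {parent['image']}"
    return None


def suspicious_run_value(key, data):
    """Flag Run entries whose target lives in a user-writable location.

    Noisy on its own (user-installed software also lives under Users), so it is
    most useful combined with the masquerade check on the same path.
    """
    match = FIRST_TOKEN.match(data)
    target = _norm(match.group(1) or match.group(2))
    if target.startswith(USER_WRITABLE):
        return f"persistence: {key} -> {target}"
    return None


def triage(events, run_values):
    """Run every check over the events and Run values; return the findings in order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        for hit in (masquerading(event), self_delete(event, by_pid)):
            if hit:
                findings.append(hit)
    for key, data in run_values.items():
        hit = suspicious_run_value(key, data)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS, RUN_VALUES):
        print(finding)
```

On the constructed events this yields three findings: the masquerading `wuauclt.exe` under `C:\ProgramData\Update`, the `cmd.exe` child deleting its parent's image, and the Run value pointing into `ProgramData`. The self-delete check deliberately compares the `del` target against the parent's image path rather than just looking for `del`, which keeps ordinary cleanup scripts from matching.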

    Network

          MITRE ATT&CK Enterprise v15


          Downloads

          • C:\ProgramData\Update\wuauclt.exe

            Filesize

            134KB

            MD5

            3a0f6a70987d3ae257add992c3f3967b

            SHA1

            e66bf5cf031c9544808cff132fc24d1de633d061

            SHA256

            7cdf873b7663fa49ae999b00f1c4d8e86ee4caf6bb2c97e10a1449918c5f42cc

            SHA512

            9dd74559d98d3b288dc21910400a3b6f075a362ea0ef8b498c1dcebce26a7c38fa4ed6909b94315bd08e1586cc646c5dc6dae05ad907fe343fc3227d295c0954

          • memory/4680-0-0x00000000008A0000-0x00000000008C8000-memory.dmp

            Filesize

            160KB

          • memory/4680-6-0x00000000008A0000-0x00000000008C8000-memory.dmp

            Filesize

            160KB

          • memory/4680-8-0x00000000008A0000-0x00000000008C8000-memory.dmp

            Filesize

            160KB

          • memory/5112-5-0x0000000000890000-0x00000000008B8000-memory.dmp

            Filesize

            160KB

          • memory/5112-7-0x0000000000890000-0x00000000008B8000-memory.dmp

            Filesize

            160KB