73cbe5bec39bc70469f66fdaad9e3f2499848e710eab668ee55ad9cc65e3ae20

General

Target

89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe
Size

2.7MB
MD5

89872808e6dea205906e4a9d51226dc0
SHA1

653ed5133f968a3af497135299ce2a76c4da4fea
SHA256

73cbe5bec39bc70469f66fdaad9e3f2499848e710eab668ee55ad9cc65e3ae20
SHA512

fe8e46ba97ac148c924d59e80f54f40a379666595dfff70253aae5d8413cb8993ea18c1ad6fdb0a3ada5142bb5229f8992fb65d878cd49f35664dbdde6cc2680
SSDEEP

49152:DBuZrEUVgCGLfmPm7FveXAPd4r58H81p6KIy029s4C1eH9k:FkLVlGLuu7kXQ4r58cUt29s4C1eH9k

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp

Executes dropped EXE 4 IoCs

pid	Process
4608	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
2636	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
4028	662edccf2a1b9_pe.exe
2840	662edccf2a1b9_pe.tmp

Loads dropped DLL 3 IoCs

pid	Process
4608	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
2636	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
2840	662edccf2a1b9_pe.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Whatsapp.exe\unins000.dat	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
File created	C:\Program Files (x86)\Whatsapp.exe\is-9C9OO.tmp	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
File opened for modification	C:\Program Files (x86)\Whatsapp.exe\unins000.dat	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2636	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
2636	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2636	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 4608	3944	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe	82
PID 3944 wrote to memory of 4608	3944	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe	82
PID 3944 wrote to memory of 4608	3944	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe	82
PID 4608 wrote to memory of 1364	4608	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp	84
PID 4608 wrote to memory of 1364	4608	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp	84
PID 4608 wrote to memory of 1364	4608	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp	84
PID 1364 wrote to memory of 2636	1364	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe	86
PID 1364 wrote to memory of 2636	1364	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe	86
PID 1364 wrote to memory of 2636	1364	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe	86
PID 2636 wrote to memory of 4028	2636	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp	88
PID 2636 wrote to memory of 4028	2636	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp	88
PID 2636 wrote to memory of 4028	2636	89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp	88
PID 4028 wrote to memory of 2840	4028	662edccf2a1b9_pe.exe	89
PID 4028 wrote to memory of 2840	4028	662edccf2a1b9_pe.exe	89
PID 4028 wrote to memory of 2840	4028	662edccf2a1b9_pe.exe	89

C:\Users\Admin\AppData\Local\Temp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\AppData\Local\Temp\is-S8CGH.tmp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-S8CGH.tmp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp" /SL5="$80204,1969655,832512,C:\Users\Admin\AppData\Local\Temp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe" /SILENT /PASSWORD=4992348
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\is-EHNHA.tmp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-EHNHA.tmp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp" /SL5="$90204,1969655,832512,C:\Users\Admin\AppData\Local\Temp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.exe" /SILENT /PASSWORD=4992348
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Users\Admin\AppData\Local\Temp\is-EFJSL.tmp\662edccf2a1b9_pe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-EFJSL.tmp\662edccf2a1b9_pe.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4028
      - C:\Users\Admin\AppData\Local\Temp\is-8OBDC.tmp\662edccf2a1b9_pe.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8OBDC.tmp\662edccf2a1b9_pe.tmp" /SL5="$E0064,922170,832512,C:\Users\Admin\AppData\Local\Temp\is-EFJSL.tmp\662edccf2a1b9_pe.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-3HQJO.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8OBDC.tmp\662edccf2a1b9_pe.tmp

Filesize
3.1MB

MD5
b23174df4a38d6a0ef0d0dc7c33f016b

SHA1
52fe6f6fcfff9f81de222114b0e1499662d6aba0

SHA256
9dfed8bfcc4be0234a4d9ae70edf04e2eccf692a17c1f2a7ef3e27544c44daba

SHA512
c2bcd7484be259a7825c095a380ee0cfa3720f0c54ba74e4576bf1716b3a3a7cf205f4efa3ab9ea75e69cfd9528a06add9e5687788d7228dfc93e0ed78828f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ARTAS.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EFJSL.tmp\662edccf2a1b9_pe.exe

Filesize
1.7MB

MD5
4fe0240cd1a8b074df9ac1b87fc384c9

SHA1
9cc5cdd71646bde7859bbe30266a8fc0fcf75efd

SHA256
a60181c740eaa02e8644621df5a86b523702b8412fc4638bfb0af666ad4dbf7f

SHA512
89a0b011e575613eddd94b344b12d69e0c2fd1d80674e3a250cc4f2f69ee22edbe0d5705042e9af77adfdca1d4e7bcf5958d0cc20dd1b9fff5a24f9c8fca6a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S8CGH.tmp\89872808e6dea205906e4a9d51226dc0_NeikiAnalytics.tmp

Filesize
3.1MB

MD5
391e3fb9f9a24c1278fbd9f27eb495b7

SHA1
b7d51eed6117954c30c6e849beab7557bf38e0f6

SHA256
eb1ae5571665df14ca676be26a61ca285aca81bcbfcb3155df990f656c2d3d1c

SHA512
7fc2c96d833f91e09a4264d50de19b70c1cb6eb36fe6b7ca0b2ba1752417cd184557a238c0ef5714d7c7b2c1efa60a55249a80a18ce392195e23874f865c0d29

Download Submit
memory/1364-15-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1364-13-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1364-47-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2636-27-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2636-48-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2840-50-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3944-19-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3944-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3944-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4028-36-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4028-49-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4608-17-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4608-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing