Analysis

  • max time kernel
    118s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 02:46

General

  • Target

    5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe

  • Size

    368KB

  • MD5

    5840c1688f54eb98308d33aba1e3b0f0

  • SHA1

    16fb59a97f3a703055a8e82b39af8573e82fdaa3

  • SHA256

    057db4e22fafc7beb6b3a32b36c726edf94a23c774aefaf25d09866332b34f40

  • SHA512

    0189b21277fd3fbebf134cdcccc4811e866f090378240e303e2388d9a47f111b6eb07c0ab197df695b17cba66f0b86fe7154467ff196f4f862b7d4e5bb50b1f9

  • SSDEEP

    6144:Gk3v2BsHkq8xJYd1BeJuESHr4YWzOMlql49e1/lcduanJntih/FlVjf5PfbZjo/E:nv2BsHkq8xJYdlEC4YWzZvRMUqD

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Users\Admin\ziaita.exe
      "C:\Users\Admin\ziaita.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:3040

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\ziaita.exe

    Filesize

    368KB

    MD5

    4d9c07cde6a28aa5f94acb47e42ae300

    SHA1

    d3088fc3bd082b8ca0e8f61306c6249d4144a810

    SHA256

    fae5698405f0758ad6d1dc5b4a31de909f383a1eda483898374d4b4e262d2e7b

    SHA512

    de000aa6370c424f7a4c321c415b73dcdbf19540ee6f336272d2d1782605ec1b7cdd81799c35b9300c9fa42cbaa7f9b1a45ddedf87c3598da3b37213b4551bbd