Analysis
-
max time kernel
144s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
13-06-2024 05:36
Static task
static1
Behavioral task
behavioral1
Sample
628851d3520f4b737662b5f514326850_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
628851d3520f4b737662b5f514326850_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
628851d3520f4b737662b5f514326850_NeikiAnalytics.exe
-
Size
2.7MB
-
MD5
628851d3520f4b737662b5f514326850
-
SHA1
7cfafcf10b2f33f4baad2e8df9d002caf8d7522b
-
SHA256
a33485f0cf2a08f8f9856f56a3a998c9973628bd72c94f036422ec281ba11211
-
SHA512
40fad61146e7c50f1f939e95d878f518e7f0aa6cc313289457f95bb9b8e93bc4814fb3273618c34b58cc7ba419f43c8826a03c042befb74666c994485df653ff
-
SSDEEP
49152:TBuZrEUkpanVBcOvgQvSbXjQ0gLfXMKIy029s4C1eH9f:VkLk0VBcOKXjQ1Wt29s4C1eH9f
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                      process
Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
-
Executes dropped EXE 4 IoCs
Processes:
pid   process
3484  628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
1716  628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
4728  66328646efbb0_pe.exe
2192  66328646efbb0_pe.tmp
-
Loads dropped DLL 3 IoCs
Processes:
pid   process
3484  628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
1716  628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
2192  66328646efbb0_pe.tmp
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 3 IoCs
Processes:
description                   ioc                                                    process
File created                  C:\Program Files (x86)\Driver easy.exe\unins000.dat    628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
File created                  C:\Program Files (x86)\Driver easy.exe\is-8DJM9.tmp    628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
File opened for modification  C:\Program Files (x86)\Driver easy.exe\unins000.dat    628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
1716  628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
1716  628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid   process
1716  628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
(each parent/child pair is recorded three times, one row per write; 15 IoCs in total)
description                       pid   process                                               target process
PID 4000 wrote to memory of 3484  4000  628851d3520f4b737662b5f514326850_NeikiAnalytics.exe  628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp  (x3)
PID 3484 wrote to memory of 3076  3484  628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp  628851d3520f4b737662b5f514326850_NeikiAnalytics.exe  (x3)
PID 3076 wrote to memory of 1716  3076  628851d3520f4b737662b5f514326850_NeikiAnalytics.exe  628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp  (x3)
PID 1716 wrote to memory of 4728  1716  628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp  66328646efbb0_pe.exe                                 (x3)
PID 4728 wrote to memory of 2192  4728  66328646efbb0_pe.exe                                 66328646efbb0_pe.tmp                                 (x3)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
PID:4000 -
[2] C:\Users\Admin\AppData\Local\Temp\is-FK3DR.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
    command line: "C:\Users\Admin\AppData\Local\Temp\is-FK3DR.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp" /SL5="$801E6,1970021,832512,C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe"
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3484 -
[3] C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe" /SILENT /PASSWORD=5873333222
- Suspicious use of WriteProcessMemory
PID:3076 -
[4] C:\Users\Admin\AppData\Local\Temp\is-05F0F.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp
    command line: "C:\Users\Admin\AppData\Local\Temp\is-05F0F.tmp\628851d3520f4b737662b5f514326850_NeikiAnalytics.tmp" /SL5="$901A4,1970021,832512,C:\Users\Admin\AppData\Local\Temp\628851d3520f4b737662b5f514326850_NeikiAnalytics.exe" /SILENT /PASSWORD=5873333222
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1716 -
[5] C:\Users\Admin\AppData\Local\Temp\is-6M9JT.tmp\66328646efbb0_pe.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\is-6M9JT.tmp\66328646efbb0_pe.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
[6] C:\Users\Admin\AppData\Local\Temp\is-SIK2J.tmp\66328646efbb0_pe.tmp
    command line: "C:\Users\Admin\AppData\Local\Temp\is-SIK2J.tmp\66328646efbb0_pe.tmp" /SL5="$20224,922170,832512,C:\Users\Admin\AppData\Local\Temp\is-6M9JT.tmp\66328646efbb0_pe.exe"
- Executes dropped EXE
- Loads dropped DLL
PID:2192
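The process tree above is one installer chain, read top to bottom: the submitted .exe unpacks a .tmp into an is-XXXXX.tmp staging directory and launches it with a /SL5="$hwnd,offset,offset,parent.exe" switch (the hand-off an Inno Setup loader makes to its extracted setup executable; the unins000.dat drop in Program Files is the same installer's uninstall log), that .tmp relaunches the original .exe with /SILENT /PASSWORD=5873333222, the silent run drops a second installer, 66328646efbb0_pe.exe, and that installer repeats the loader hand-off one level deeper. Two caveats for anyone triaging from this report alone: the 15 WriteProcessMemory IoCs are only 5 distinct parent/child pairs (the sandbox records every write), and the "Checks computer location settings" hit is a read of Control Panel\International\Geo\Nation, which installers also perform for locale selection, so it is weak evidence of geofencing without a branch that depends on the value. The script below is an added example, not part of the sandbox report: it rebuilds the tree from the flattened "PID A wrote to memory of B" rows and the command lines (both constructed here from the tables above), recovers the 1..6 nesting levels, flags the staging-directory, /SILENT and /PASSWORD switches, and finds the self-relaunch. The field names (stage_dir, sl5_parent_exe) and helper functions are the example's own.

```python
"""Rebuild the installer chain from the sandbox's flattened WriteProcessMemory rows (added example)."""
import re
from collections import defaultdict

SAMPLE = "628851d3520f4b737662b5f514326850_NeikiAnalytics"
TMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the report's WriteProcessMemory table: the sandbox emits one
# row per write call, so every parent->child pair is listed three times.
WPM_ROWS = "\n".join(
    f"PID {p} wrote to memory of {c} {p} {pimg} {cimg}"
    for p, c, pimg, cimg in [
        (4000, 3484, SAMPLE + ".exe", SAMPLE + ".tmp"),
        (3484, 3076, SAMPLE + ".tmp", SAMPLE + ".exe"),
        (3076, 1716, SAMPLE + ".exe", SAMPLE + ".tmp"),
        (1716, 4728, SAMPLE + ".tmp", "66328646efbb0_pe.exe"),
        (4728, 2192, "66328646efbb0_pe.exe", "66328646efbb0_pe.tmp"),
    ]
    for _ in range(3)
)

# Constructed from the report's Processes section: pid -> command line.
CMDLINES = {
    4000: f'"{TMP}\\{SAMPLE}.exe"',
    3484: f'"{TMP}\\is-FK3DR.tmp\\{SAMPLE}.tmp" /SL5="$801E6,1970021,832512,{TMP}\\{SAMPLE}.exe"',
    3076: f'"{TMP}\\{SAMPLE}.exe" /SILENT /PASSWORD=5873333222',
    1716: (f'"{TMP}\\is-05F0F.tmp\\{SAMPLE}.tmp" /SL5="$901A4,1970021,832512,'
           f'{TMP}\\{SAMPLE}.exe" /SILENT /PASSWORD=5873333222'),
    4728: f'"{TMP}\\is-6M9JT.tmp\\66328646efbb0_pe.exe"',
    2192: (f'"{TMP}\\is-SIK2J.tmp\\66328646efbb0_pe.tmp" /SL5="$20224,922170,832512,'
           f'{TMP}\\is-6M9JT.tmp\\66328646efbb0_pe.exe"'),
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)"')
STAGE_RE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\", re.I)   # is-XXXXX.tmp staging dir

def parse_wpm(text):
    """Return (edges, rows): edges is the deduplicated set of (ppid, pid) pairs."""
    edges, rows = set(), 0
    for line in text.splitlines():
        m = WPM_RE.search(line)
        if m:
            rows += 1
            edges.add((int(m.group(1)), int(m.group(2))))
    return edges, rows

def build_tree(edges):
    """children map, parent map and the roots (pids that are never a child)."""
    children, parents = defaultdict(list), {}
    for ppid, pid in sorted(edges):
        children[ppid].append(pid)
        parents[pid] = ppid
    roots = sorted({p for p, _ in edges} - set(parents))
    return children, parents, roots

def depth(pid, parents):
    """1-based nesting level, the numbering the report's process tree uses."""
    level = 1
    while pid in parents:
        pid, level = parents[pid], level + 1
    return level

def classify(cmdline):
    """Installer-stage facts visible in one command line."""
    image = cmdline.split('"')[1]          # each line starts with the quoted image path
    sl5 = SL5_RE.search(cmdline)
    return {
        "image": image,
        "stage_dir": bool(STAGE_RE.search(image)),
        "sl5_parent_exe": sl5.group(4) if sl5 else None,   # loader it was unpacked from
        "silent": "/SILENT" in cmdline.upper(),
        "password": bool(re.search(r"/PASSWORD=\S+", cmdline, re.I)),
    }

def relaunches(parents, cmdlines):
    """(pid, ancestor) pairs where a process re-runs an ancestor's image with new switches."""
    found = []
    for pid, cmd in cmdlines.items():
        image = classify(cmd)["image"].lower()
        anc = parents.get(pid)
        while anc is not None:
            if classify(cmdlines[anc])["image"].lower() == image and cmdlines[anc] != cmd:
                found.append((pid, anc))
                break
            anc = parents.get(anc)
    return found

if __name__ == "__main__":
    edges, rows = parse_wpm(WPM_ROWS)
    children, parents, roots = build_tree(edges)
    print(f"{rows} rows -> {len(edges)} unique parent/child pairs, roots {roots}")
    for pid in sorted(CMDLINES, key=lambda p: depth(p, parents)):
        info = classify(CMDLINES[pid])
        flags = [k for k in ("stage_dir", "silent", "password") if info[k]]
        print(f"{'  ' * (depth(pid, parents) - 1)}[{depth(pid, parents)}] {pid} {flags}")
    print("self-relaunch (pid, ancestor):", relaunches(parents, CMDLINES))
```

Run stand-alone it prints the 15-row/5-pair count, the six processes at levels 1 to 6 with their switches, and (3076, 4000) as the self-relaunch: pid 3076 is the same image as the root but carries the /SILENT /PASSWORD switches that only the unpacked loader knew to supply. The same functions work on any report whose rows follow this "PID A wrote to memory of B" shape; the is-XXXXX.tmp and /SL5= checks are specific to this installer family.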
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.7MB
MD5 0e82993b4f4c1a7c8c1c4ef9bcf743b3
SHA1 e13d6eb6d190031fce62c9eeaaafec3506103d1e
SHA256 4ae23d2b1c00f9d89aedcf0700b2ae25acda844821803bbb418a91fafb3e65ca
SHA512 819a4cd30bf4a2a67e0cb5808e52cca789cab2e0cba2f4d5d2744fa06a6d5969aceb26f365de64fd8aa92faa75912c843277ded96f94a68181d1958b0a8b836d
-
Filesize
3.1MB
MD5 68c2b3c8acf2cdc4743b5a621661d092
SHA1 be6804961e43b920dadfc915c65db605b9adad04
SHA256 31899d77e7a0eabd17b0a57abfa7a8f8367e45d339369ed831037dda794b64d3
SHA512 04f1e65d9e0d34d5fc28dd3d2216078f01fdacda08ba24df579658ddd734d5e70cd90bc92f0f5a7381d31878815cc8215702c85490c3809901c7f9cca971d3da
-
Filesize
2KB
MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
3.1MB
MD5 78c037aae046b104980c5274dd9934c6
SHA1 0139073d1c2914ad527ed8ee3a4f5850f8bc09d1
SHA256 c172ced841e0d6abaaf892b3be13ecf430b603230a1d4df51d90285da9e82444
SHA512 f9b1d7feaa50186d6a7f61bea0b71ae68ba24f0a6ac42c88653b4b95a55da57b471f9893860c90a7303db9afecebde85ddb80abfe9caab646c5b50ec55daa92e
-
Filesize
232KB
MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57