Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
14-06-2024 03:34
Static task
static1
Behavioral task
behavioral1
Sample
9ef61f4b5ccac5db2f07dc783fe5f340_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
9ef61f4b5ccac5db2f07dc783fe5f340_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
General
-
Target
9ef61f4b5ccac5db2f07dc783fe5f340_NeikiAnalytics.exe
-
Size
33KB
-
MD5
9ef61f4b5ccac5db2f07dc783fe5f340
-
SHA1
008d7f1cb2a93043781693901f09b274c346afa7
-
SHA256
4fc6e6cf0c8d0da772e90e9dc2b9d7b64de4825b413e4366ce951029ae801f8d
-
SHA512
9c0d81dd228dbfb9e2c99155c90ef5b4b33280f1fe65c5e435dd3944d3d2820f58c7bb685dc0ad014312f51fdcab2d9ea5cac1c1852b27f23cc2c8828693d9b6
-
SSDEEP
768:9qSqC8+N5ozQQkncwxWmNXMX3cX8wtgg/X/zCtgcgCEX8u/vSXrXrXrXrXrXyR:9rqfzQQkamN88Fr277777m
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation 9ef61f4b5ccac5db2f07dc783fe5f340_NeikiAnalytics.exe -
Executes dropped EXE 1 IoCs
pid Process 2936 jusched.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\7861efff\jusched.exe 9ef61f4b5ccac5db2f07dc783fe5f340_NeikiAnalytics.exe File created C:\Program Files (x86)\7861efff\7861efff 9ef61f4b5ccac5db2f07dc783fe5f340_NeikiAnalytics.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe 2936 jusched.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 752 wrote to memory of 2936 752 9ef61f4b5ccac5db2f07dc783fe5f340_NeikiAnalytics.exe 92 PID 752 wrote to memory of 2936 752 9ef61f4b5ccac5db2f07dc783fe5f340_NeikiAnalytics.exe 92 PID 752 wrote to memory of 2936 752 9ef61f4b5ccac5db2f07dc783fe5f340_NeikiAnalytics.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ef61f4b5ccac5db2f07dc783fe5f340_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\9ef61f4b5ccac5db2f07dc783fe5f340_NeikiAnalytics.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Program Files (x86)\7861efff\jusched.exe"C:\Program Files (x86)\7861efff\jusched.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:81⤵PID:3380
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13B
MD5f253efe302d32ab264a76e0ce65be769
SHA1768685ca582abd0af2fbb57ca37752aa98c9372b
SHA25649dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd
SHA5121990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4
-
Filesize
33KB
MD54b582266b93329002bfa4dd29a58bf5d
SHA1798bc1bf2c0befa8c4f68518ca2dd4702a46ad70
SHA256ddbadab4c714b8d12537ad13f8a56c2562f831f0de938be3f1af16bac81e4d58
SHA512ebff43990fb325061fc0c992d1203506533868edd1698620b475f7f4ab9fcbbb2c3bf794d7c1cdcc38a7e559cc0885db385c5c3654c4dd499f407c9aec02cf7c