Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
17-06-2024 01:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
30ec430d2dafd2d74789ebd963133960_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
30ec430d2dafd2d74789ebd963133960_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
30ec430d2dafd2d74789ebd963133960_NeikiAnalytics.exe
-
Size
53KB
-
MD5
30ec430d2dafd2d74789ebd963133960
-
SHA1
da4ccbd9a3f418ecbea08bc2e186672737c1d321
-
SHA256
47a1a0c47dfb290b25e334a99b99d174731e648c67f99d1c8316504e46d88aee
-
SHA512
ee7421d99f9307b6f5626c9020dbe95d466aa58d1817a1008e9a9364e902befa332e7a6c176a0d20bbd23140d8276b96c9bd243e35af2e766e9f3b2aa70aa5fc
-
SSDEEP
1536:vNAg8r8QnTcVK7Kp3StjEMjmLM3ztDJWZsXy4JzxPME:0TckJJjmLM3zRJWZsXy4Jt
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lfxiav.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation 30ec430d2dafd2d74789ebd963133960_NeikiAnalytics.exe -
Executes dropped EXE 1 IoCs
pid Process 3784 lfxiav.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lfxiav = "C:\\Users\\Admin\\lfxiav.exe" lfxiav.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe 3784 lfxiav.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2180 30ec430d2dafd2d74789ebd963133960_NeikiAnalytics.exe 3784 lfxiav.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2180 wrote to memory of 3784 2180 30ec430d2dafd2d74789ebd963133960_NeikiAnalytics.exe 84 PID 2180 wrote to memory of 3784 2180 30ec430d2dafd2d74789ebd963133960_NeikiAnalytics.exe 84 PID 2180 wrote to memory of 3784 2180 30ec430d2dafd2d74789ebd963133960_NeikiAnalytics.exe 84 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80 PID 3784 wrote to memory of 2180 3784 lfxiav.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\30ec430d2dafd2d74789ebd963133960_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\30ec430d2dafd2d74789ebd963133960_NeikiAnalytics.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Users\Admin\lfxiav.exe"C:\Users\Admin\lfxiav.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3784
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53KB
MD526f2bdb8226b08e8b49effd2ad1ec695
SHA13cc63042f5b7f0567d3f16975c12bd482fedae55
SHA2569160cba71047d5fff7eb75657be284a778d09c3e51fa653fd6a9bb8c4d4922e7
SHA51273c233a2b1eca59ad8e9efd59d84e717cc9e6dbf31487d0da2fedbc8f77cb03cc9fc1b6096c7f954b45393535e03c8df7d3e703d5699a5f65982b09faaf2b040