Analysis
max time kernel: 149s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-06-2024 23:04
Behavioral task: behavioral1
Sample: 624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe
Size: 368KB
MD5: 624efc1dbe90125eddada90974fdace0
SHA1: f7f33cdd1c1d1da5de95dec6affc70be0dfeb711
SHA256: 060925840131f267857344edc2c2c4ca8aa8e4d20b029f8e35baec4c92f8debc
SHA512: bbae1bdb52932a1fd008cd03520f891da91cd4845d8fb00acaa112d0426474e33fa2a24d6915d08a4f78724382f9ad94affeb7cbb53debd4688ccbd7aed1c174
SSDEEP: 6144:OuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62psW:OzGL2C2aZ2/F1WHHUaveOHjTH
Malware Config
Extracted: urelas
- 1.234.83.146
- 133.242.129.155
- 218.54.31.165
- 218.54.31.226
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe, wetif.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | 624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | wetif.exe
- Executes dropped EXE (2 IoCs)
  Processes: wetif.exe, tomit.exe
  pid | process
  2508 | wetif.exe
  3156 | tomit.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: tomit.exe
  pid | process
  3156 | tomit.exe (this same pid/process row is reported 64 times, one per IoC)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe, wetif.exe
  description | pid | process | target process
  PID 4656 wrote to memory of 2508 | 4656 | 624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe | wetif.exe
  PID 4656 wrote to memory of 2508 | 4656 | 624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe | wetif.exe
  PID 4656 wrote to memory of 2508 | 4656 | 624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe | wetif.exe
  PID 4656 wrote to memory of 2800 | 4656 | 624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe | cmd.exe
  PID 4656 wrote to memory of 2800 | 4656 | 624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe | cmd.exe
  PID 4656 wrote to memory of 2800 | 4656 | 624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe | cmd.exe
  PID 2508 wrote to memory of 3156 | 2508 | wetif.exe | tomit.exe
  PID 2508 wrote to memory of 3156 | 2508 | wetif.exe | tomit.exe
  PID 2508 wrote to memory of 3156 | 2508 | wetif.exe | tomit.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe"
  PID: 4656
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\wetif.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\wetif.exe"
    PID: 2508
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\tomit.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tomit.exe"
      PID: 3156
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
  PID: 4940
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
  Filesize: 306B
  MD5: 78add4663005c31146bb2733aeb55be6
  SHA1: 2c221c8fc625dab5f62e0c9d091006d8e0038364
  SHA256: 24d8cec81bb75923aaebc8c866f88cda3cad285adc883682e09f6076714b2c1c
  SHA512: d4a7bd6087a4ea90c568ee425ea9958e5aeb0c5b0097d2a76217bb1a7ab2a8aac0e475544807212bd83b59539900e24004c20523c47dc58f44c3f5922354935f
- C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
  Filesize: 512B
  MD5: ff3c5a31f69602739d7781d196c9dba6
  SHA1: 9e84709a164478f83d614c0316707cbe6967dd06
  SHA256: a316f38c0a84e54734ecddbff784fdfbf2e9b511c0468d8129711dff7c019d10
  SHA512: 68e633e6a1b7e21e4547d11bad2aef2eb37b71252d6f6b555be845ee0d18876641c1188e8ad9b6b728dd17e3ba6df021bf748cde07930d06ba4d404765b86b3e
- C:\Users\Admin\AppData\Local\Temp\tomit.exe
  Filesize: 303KB
  MD5: 75e4e2327186afaedc43b3b83df9c74e
  SHA1: 0377a497d9658d1420ab09c34377b99047fdc9fb
  SHA256: fa9206e6b5f23258ae293ab75669cd3e6e03d23b82f4e211bdd39a1601250d73
  SHA512: 5ce95e7cfceee0965eda903702f59b4e122985ea19d6a537a53c4e0dd0e81622e1b5e4fe8dcc9887de4391b767b4ec31b8491b69de2358bc115d5034c063fd9e
- C:\Users\Admin\AppData\Local\Temp\wetif.exe
  Filesize: 368KB
  MD5: 73533e63c5580fc182193e23d46c229e
  SHA1: 20423b1c278ffa1bbac323a058358be68f0c4339
  SHA256: ee01d0f8aa907800265beabafb2644bc2525ce32d7be88f27bc3a7c1979aac61
  SHA512: c6262d00557b35bd1568a1ab941daf9c0115a8e75c897bf1c1eb50a9f9c59ba5dddefdcc098a5f4e6a2984eb582c71a5ba29f081b9d0b9bea9c16bc56ebbc5d1
- memory/2508-10-0x00000000002A0000-0x0000000000302000-memory.dmp
  Filesize: 392KB
- memory/2508-25-0x00000000002A0000-0x0000000000302000-memory.dmp
  Filesize: 392KB
- memory/4656-0-0x0000000000D10000-0x0000000000D72000-memory.dmp
  Filesize: 392KB
- memory/4656-14-0x0000000000D10000-0x0000000000D72000-memory.dmp
  Filesize: 392KB