Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-06-2024 00:16
Behavioral task: behavioral1
- Sample: 147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe
- Resource: win7-20240221-en
General
- Target: 147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe
- Size: 359KB
- MD5: 147ddac047e768fcd95ee46620c9bb50
- SHA1: fea3efad7bbfbeb51c311abd1269d208e5c99cc4
- SHA256: 092feaa449f6b06fcad8006164091ae694446ee6631dfea678a2d8f8330fa5be
- SHA512: 8b7f00cd7f61bfe3bb17220a8bb2e26bb43a39195ece3cff9a8cf3d654cdf1c44fe3e9d8e6442e8b3b29799730f3b0d46f4a38b2c6a89bbe3ab19c3261b72bdb
- SSDEEP: 6144:c1bYec5C8AAYLxhEmPG7qwmioqVsCqbN0ho:MUyI6QmPPPqVspr
Malware Config
Extracted (urelas)
- 218.54.31.226
- 218.54.31.165
Signatures
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe, ugnum.exe, coticy.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (ugnum.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (coticy.exe)
- Executes dropped EXE (3 IoCs)
  Processes: ugnum.exe, coticy.exe, dotus.exe
  - PID 1008: ugnum.exe
  - PID 660: coticy.exe
  - PID 3352: dotus.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: dotus.exe
  - PID 3352: dotus.exe (64 events)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe, ugnum.exe, coticy.exe
  - PID 1592 (147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe) wrote to memory of PID 1008 (ugnum.exe), 3 events
  - PID 1592 (147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe) wrote to memory of PID 1928 (cmd.exe), 3 events
  - PID 1008 (ugnum.exe) wrote to memory of PID 660 (coticy.exe), 3 events
  - PID 660 (coticy.exe) wrote to memory of PID 3352 (dotus.exe), 3 events
  - PID 660 (coticy.exe) wrote to memory of PID 3344 (cmd.exe), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe (PID 1592)
  Command line: "C:\Users\Admin\AppData\Local\Temp\147ddac047e768fcd95ee46620c9bb50_NeikiAnalytics.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ugnum.exe (PID 1008)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ugnum.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\coticy.exe (PID 660)
      Command line: "C:\Users\Admin\AppData\Local\Temp\coticy.exe" OK
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\dotus.exe (PID 3352)
        Command line: "C:\Users\Admin\AppData\Local\Temp\dotus.exe"
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe (PID 3344)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  - C:\Windows\SysWOW64\cmd.exe (PID 1928)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\_vslite.bat
  Filesize: 224B
  MD5: 46070bde9bc55d529c2973c1069af143
  SHA1: 2df5f3bc59935cce269190867eb5d9bb84366d51
  SHA256: 72ef42537cda785e0af8dd0b56e663ed058b78589b347077491f8a482a72fc5a
  SHA512: 154d0cb95aaeb9779d6202c70c842d399cb7ea012f31bca008d6a2802d97735c4f87a2720faeea480d95c598e6bc47ee5f9263cc4fb1501792608d6c6844d7e8
- C:\Users\Admin\AppData\Local\Temp\_vslite.bat
  Filesize: 306B
  MD5: 1d62ed3239cc265c6115f40ac391dac6
  SHA1: 55652006d4012e132640eb81148cc220f453f1ee
  SHA256: d41936bc792a7e31892dc5a2adc59b0bc0f22f639120144d99a5156e50414a6c
  SHA512: 2f4003dfac7b34c144463d7fb8723ac149d65d49282c7f27e3d256b31dd2665028d3fadb3a12ab08e7a2d074178c6215b998b573840476605a44264ecc93f2cb
- C:\Users\Admin\AppData\Local\Temp\dotus.exe
  Filesize: 107KB
  MD5: 6a4cedc2de7eb481f78e71c38c79ba88
  SHA1: 449880fae11877bbfa3dfb10ec39dc3a4c347e4a
  SHA256: 14150f0ecfbe2825d298d6412cbcf1c597fad58a88e7fcb54b68669b5d248796
  SHA512: 56cb7e4c2d62e8aef100d5b4d5a3c2caa45d7345c32c56fb13183b8c790d2a374919eb8960670051c510e3a64ade9c03dae6f789028419e2965f418fff744220
- C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
  Filesize: 512B
  MD5: b5c2f7ed95f4b2d7475f9b740dcb415a
  SHA1: 9f25e09d17413bc960b79501c5c20094b274a200
  SHA256: 6453088eb9d88a33151d5d13d83c47b4a1a01bb29f32c1cf85df35485fc9ef13
  SHA512: 656754db0b592bacce4c2180479bc7b87877d2206d95b9094b3f0f5f7936b960f9b65b963d46bc55dabd3570972aae07ad0bc21bf4e4c43ee23cb2defb45dd92
- C:\Users\Admin\AppData\Local\Temp\ugnum.exe
  Filesize: 359KB
  MD5: 588dfe322e18e577153849c30d4c96d4
  SHA1: 95a8bbfebfc6a948c689f2f265632228b5d03e24
  SHA256: 5485c4ed98e184e2a6b5ef30df30607c086a809bd113465bd2316df288fe2dd5
  SHA512: 54919cba0b3f5a735d143e992177a1b589b748eb0ff8f453f8609dc0d18c359e59753d070ca6e87b2bab2bd532a3bb883ac5d95791e5969c9ed2fedb95144ba8
- memory/660-24-0x0000000000400000-0x0000000000459000-memory.dmp
  Filesize: 356KB
- memory/660-39-0x0000000000400000-0x0000000000459000-memory.dmp
  Filesize: 356KB
- memory/1008-25-0x0000000000400000-0x0000000000459000-memory.dmp
  Filesize: 356KB
- memory/1592-14-0x0000000000400000-0x0000000000459000-memory.dmp
  Filesize: 356KB
- memory/1592-0-0x0000000000400000-0x0000000000459000-memory.dmp
  Filesize: 356KB
- memory/3352-37-0x0000000000120000-0x00000000001A5000-memory.dmp
  Filesize: 532KB
- memory/3352-41-0x0000000000120000-0x00000000001A5000-memory.dmp
  Filesize: 532KB
- memory/3352-42-0x0000000000120000-0x00000000001A5000-memory.dmp
  Filesize: 532KB
- memory/3352-43-0x0000000000120000-0x00000000001A5000-memory.dmp
  Filesize: 532KB
- memory/3352-44-0x0000000000120000-0x00000000001A5000-memory.dmp
  Filesize: 532KB
- memory/3352-45-0x0000000000120000-0x00000000001A5000-memory.dmp
  Filesize: 532KB
- memory/3352-46-0x0000000000120000-0x00000000001A5000-memory.dmp
  Filesize: 532KB