3ef59aa8de1804218108a1f343ad753f71219d32bc10370d27efaed89b744281

Analysis

max time kernel
139s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ef59aa8de1804218108a1f343ad753f71219d32bc10370d27efaed89b744281_NeikiAnalytics.exe
Size

3.4MB
MD5

9c26a81a4e07480102b8866c41ecb900
SHA1

586a3de0d843ab7022cbda769fdd2237d3a635c9
SHA256

3ef59aa8de1804218108a1f343ad753f71219d32bc10370d27efaed89b744281
SHA512

4e51960aa6f193b22b9563682ff51bc1f6e917e9260ed846e578412f229c2b6a83a9b9392b9c0e978dedc33ec5ea9e5b422894659603e9a19ae7a56a0934e372
SSDEEP

98304:WkkLESftZrW41TNqFrxLDKSMJ/Og4vf2OxmhOvGY6eXsx:hAESTTNq9uJ/Og4XPmoeYBXsx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	3ef59aa8de1804218108a1f343ad753f71219d32bc10370d27efaed89b744281_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
1220	Install LOLInfo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1220	2000	3ef59aa8de1804218108a1f343ad753f71219d32bc10370d27efaed89b744281_NeikiAnalytics.exe	82
PID 2000 wrote to memory of 1220	2000	3ef59aa8de1804218108a1f343ad753f71219d32bc10370d27efaed89b744281_NeikiAnalytics.exe	82
PID 2000 wrote to memory of 1220	2000	3ef59aa8de1804218108a1f343ad753f71219d32bc10370d27efaed89b744281_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\3ef59aa8de1804218108a1f343ad753f71219d32bc10370d27efaed89b744281_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3ef59aa8de1804218108a1f343ad753f71219d32bc10370d27efaed89b744281_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\AIR372D.tmp\Install LOLInfo.exe
  "C:\Users\Admin\AppData\Local\Temp\AIR372D.tmp\Install LOLInfo.exe"
  2⤵
  - Executes dropped EXE
  PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AIR372D.tmp\.launch

Filesize
19B

MD5
a59504597a32f93007beef70faadca35

SHA1
d5d708fdae84d4fc18ca48c4cdbf999a87dc7efd

SHA256
8aa4d5331fd928a41f15280f6d7bc2e8e6d8b7be913a83063e001224b7c80d03

SHA512
f97f691ef124636a62a133328036103ab9d2fa6c08f6203211cf61f8b74faf474d35de54c20e326276746f231a9f0e193d96530361e89957c95f9731c6bf1b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIR372D.tmp\Install LOLInfo.exe

Filesize
129KB

MD5
f20ad78598c39c35ae6e7595444cdc76

SHA1
1c586ca02dc7eb0924c6538e7a1c0e17cac9e7be

SHA256
adc2cb614008caf3250cda012370b099341f1ddf482aeb3b45a8736f27de13c7

SHA512
ca7b6f89c6acde6c3c2143d4ad3c9b9a4ccd4de677c410bbdf5ca1341cc40af19ff5aef73170a4501302ab0b04883c020cf3a31c1db83eae8c027ab0a7193963

Download Submit