Analysis
-
max time kernel
149s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
21-06-2024 04:30
Behavioral task
behavioral1
Sample
3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe
Resource
win7-20240220-en
General
-
Target
3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe
-
Size
431KB
-
MD5
958d1b88d6e33021458a2f1b47d383b0
-
SHA1
bd9ff9b24f1955c73bb2dd3d3bbdf47a5eb13b1d
-
SHA256
3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7
-
SHA512
2beb4ee9f743c566e02c3074c5a8b8cd04da8b3a0c980893f84415dcb105e25db09080419d53a57e45dbca867310b19b5e8e554afe42ecc6ae96a1a8aae6ea78
-
SSDEEP
6144:cT5J63Fm3b7yOE7Hvpu5CaGi4mUf95TtC4uP2scqAO:c4Fm3b7yOAHNar4mUf9lJ82scqAO
Malware Config
Signatures
-
Detect Blackmoon payload 1 IoCs
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\Systemtkrwu.exe
yara_rule: family_blackmoon -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
process: 3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation -
Deletes itself 1 IoCs
Processes:
pid: 1584  process: Systemtkrwu.exe -
Executes dropped EXE 1 IoCs
Processes:
pid: 1584  process: Systemtkrwu.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid: 3772  process: 3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe  (16 events)
pid: 1584  process: Systemtkrwu.exe  (48 events) -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description: PID 3772 wrote to memory of 1584  (3 events)
pid: 3772  process: 3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe
target process: Systemtkrwu.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe"
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3772 -
    [2] C:\Users\Admin\AppData\Local\Temp\Systemtkrwu.exe  (child of [1])
        command line: "C:\Users\Admin\AppData\Local\Temp\Systemtkrwu.exe"
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1584
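The process tree above, read together with the signatures, is a single chain: the sample in %TEMP% queries the Geo\Nation key, starts a second EXE it dropped in %TEMP%, writes into that child's memory, and the child then deletes the original file. The following is an added example of detection logic for that chain, written for this page and not produced by the sandbox or by the malware author. The event schema, the placeholder launching parent (PID 1000), and the reading of "Deletes itself" as a process deleting its own or its parent's image are all assumptions of the example; the PIDs and paths mirror the report.

```python
"""Detection logic for the execution chain shown in this report, run over a
constructed event stream (added example; not produced by the sandbox).

Event schema (an assumption of this example, not the sandbox's export format):
  {"op": "process_create",       "pid": int, "ppid": int, "image": str}
  {"op": "registry_query",       "pid": int, "key": str}
  {"op": "write_process_memory", "pid": int, "target_pid": int}
  {"op": "file_delete",          "pid": int, "path": str}
"""
import ntpath
from collections import defaultdict

# HKCU\Control Panel\International\Geo\Nation holds the user's configured GEOID;
# reading it before doing anything else is the usual geofence pattern.
GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"


def _in_user_temp(path: str) -> bool:
    """True when the path lies under a user's AppData\\Local\\Temp directory."""
    return "\\appdata\\local\\temp\\" in path.lower()


def analyze(events):
    """Replay the events in order and return {rule_name: [detail, ...]}."""
    image = {}   # pid -> image path, filled from process_create
    parent = {}  # pid -> parent pid
    hits = defaultdict(list)

    for ev in events:
        op, pid = ev["op"], ev["pid"]
        if op == "process_create":
            image[pid], parent[pid] = ev["image"], ev["ppid"]
            pimg = image.get(ev["ppid"])
            # Rule 1: an EXE in Temp launches a *different* EXE from Temp
            # (the sample starting its dropped Systemtkrwu.exe).
            if (pimg and _in_user_temp(pimg) and _in_user_temp(ev["image"])
                    and ntpath.basename(pimg).lower() != ntpath.basename(ev["image"]).lower()):
                hits["temp_spawns_temp_exe"].append((ev["ppid"], pid))
        elif op == "registry_query":
            # Rule 2: geofence lookup of the configured country code.
            if ev["key"].lower().endswith(GEO_KEY_SUFFIX):
                hits["geo_nation_lookup"].append((pid, ev["key"]))
        elif op == "write_process_memory":
            # Rule 3: a parent writes into the address space of its own child;
            # benign parents rarely do this, droppers that patch or unpack their
            # payload in the child routinely do.
            if parent.get(ev["target_pid"]) == pid:
                hits["parent_writes_child_memory"].append((pid, ev["target_pid"]))
        elif op == "file_delete":
            # Rule 4: a process deletes its own image or its parent's image. This is
            # the example's reading of the report's "Deletes itself" signature.
            victims = {v.lower() for v in (image.get(pid), image.get(parent.get(pid))) if v}
            if ev["path"].lower() in victims:
                hits["deletes_own_or_parent_image"].append((pid, ev["path"]))
    return dict(hits)


def verdict(events):
    """Count distinct rules hit; three or more of the four is the full dropper chain."""
    hits = analyze(events)
    return len(hits), sorted(hits)


# Constructed events mirroring this report's process tree (PIDs 3772 and 1584).
# The launching parent PID 1000 is a placeholder; the sandbox did not list it.
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = TEMP + "3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe"
DROPPED = TEMP + "Systemtkrwu.exe"
SAMPLE_EVENTS = [
    {"op": "process_create", "pid": 3772, "ppid": 1000, "image": SAMPLE},
    {"op": "registry_query", "pid": 3772,
     "key": "\\REGISTRY\\USER\\S-1-5-21-4124900551-4068476067-3491212533-1000"
            "\\Control Panel\\International\\Geo\\Nation"},
    {"op": "process_create", "pid": 1584, "ppid": 3772, "image": DROPPED},
    {"op": "write_process_memory", "pid": 3772, "target_pid": 1584},
    {"op": "write_process_memory", "pid": 3772, "target_pid": 1584},
    {"op": "write_process_memory", "pid": 3772, "target_pid": 1584},
    {"op": "file_delete", "pid": 1584, "path": SAMPLE},
]

if __name__ == "__main__":
    for rule, details in analyze(SAMPLE_EVENTS).items():
        print(f"{rule}: {details}")
    print("score:", verdict(SAMPLE_EVENTS))
```

Each rule on its own is noisy (installers launch helpers from Temp, debuggers write child memory); the value is in the co-occurrence within one parent/child pair, which is why `analyze` keeps the process tree and ties every hit to the PIDs involved rather than matching events in isolation.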
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
431KB
MD5: 9f8c02e1cc25e1e437d36ee96cf1de31
SHA1: e9993aa6ca2753162306776adf8ffa12771831d9
SHA256: 782507bf6508f12019957f759af1ff0066088cd964cb7e48923bd711b5e0f8ab
SHA512: bdaf1b8d1bdeb751dc8b809ded8633ffa7bda97a3827606f0586ad47784f37c28bc4ef2fd1be952d9b010949657353a180917f3e2fb9268913b41c30c09c4d3d
-
Filesize
117B
MD5: 39a6ad471d41bfb9cb334d5abfcb759b
SHA1: f11f37039c94dc6b041c150d2fa0b9bb562a2954
SHA256: 1ab620a9bc3645fc6c400712a8437c264a53956599089e1d30b155ecfa853f21
SHA512: 5d28ec0c46c8b547c896ba443d9ed201bbb00456226671feba95b841cd56b272eb01ec8a4c3849235283e777d8d5c5d68dc407178446269bbf58f0f600a85af7