Analysis

  • max time kernel
    132s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-06-2024 01:36

General

  • Target

    3551a3a60fc99af90405f92d3ea8a53bef966fba48d4885163c9c42afaec8fe3_NeikiAnalytics.exe

  • Size

    134KB

  • MD5

    c531211cff3a122038341a985898f2f0

  • SHA1

    654ec9cb822798fac4a0f6e293751578e309dfaf

  • SHA256

    3551a3a60fc99af90405f92d3ea8a53bef966fba48d4885163c9c42afaec8fe3

  • SHA512

    df65f33614db24ecd782fa2fa345beaac00c22bed5b2b4dfdbb4b11cd7ea47d7e45503c4eb5858bb4df213c127dbc8098d9c0dbc3063709a422d74a55909eb0f

  • SSDEEP

    1536:YGYU/W2/HG6QMauSV3ixJHABLrmhH7i9eNOOg00GqMIK7aGZh3SOP:YfU/WF6QMauSuiWNi9eNOl0007NZIOP

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3551a3a60fc99af90405f92d3ea8a53bef966fba48d4885163c9c42afaec8fe3_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3551a3a60fc99af90405f92d3ea8a53bef966fba48d4885163c9c42afaec8fe3_NeikiAnalytics.exe"
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:512
    • C:\ProgramData\Update\wuauclt.exe
      "C:\ProgramData\Update\wuauclt.exe" /run
      • Executes dropped EXE
      PID:216
    • C:\windows\SysWOW64\cmd.exe
      "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\3551a3a60fc99af90405f92d3ea8a53bef966fba48d4885163c9c42afaec8fe3_NeikiAnalytics.exe" >> NUL
      PID:4536
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2736,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:8
    PID:2272

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Update\wuauclt.exe
    Filesize
    134KB
    MD5
    7dda18c8cbe9e572973cd4dbaff74a7d
    SHA1
    a523414f67c1b60322b2ce7d9c8e0a77a529a282
    SHA256
    11ed6dd9cd9b02281f3495b14ffa4bddeccc1d99411e98eee5e13936fb5b96d3
    SHA512
    853976216a6b03581e58c085f11c75aa885a0d87c197485022827c1db34ac0571e50e63c9a7163cacf31d7cba6d8efe0d43f43db08b49a8c05a1c169a29886f2

  • memory/216-5-0x0000000000AE0000-0x0000000000B08000-memory.dmp
    Filesize
    160KB

  • memory/216-7-0x0000000000AE0000-0x0000000000B08000-memory.dmp
    Filesize
    160KB

  • memory/512-0-0x00000000002E0000-0x0000000000308000-memory.dmp
    Filesize
    160KB

  • memory/512-6-0x00000000002E0000-0x0000000000308000-memory.dmp
    Filesize
    160KB

  • memory/512-8-0x00000000002E0000-0x0000000000308000-memory.dmp
    Filesize
    160KB