0c5fa51d1bd7c8b817307c300031c268ab7732ec27b0d8d3a6c847d0a3b87d66

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 23:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0c5fa51d1bd7c8b817307c300031c268ab7732ec27b0d8d3a6c847d0a3b87d66_NeikiAnalytics.exe
Size

70KB
MD5

14f2298a066c51a3b1f9bbd2be8ffc10
SHA1

ca3cbb03bd2593fa0070856ea5b5854c8e7ab6a8
SHA256

0c5fa51d1bd7c8b817307c300031c268ab7732ec27b0d8d3a6c847d0a3b87d66
SHA512

ce224796651a3ab392d9db0a791c0af0f6d340e45c51d040bd395c2222bbadc50877419d61cf96f8980702ecb07817596cf0b1aa0d7233fc2b8e5714489a44ed
SSDEEP

768:SxDDnyAiIbhn+oRTaFSxjquEDFAnA1tLRNk2djaYoCMHosOuXOQ69zbjlAAX5e9R:SxDDnd1Raqq2uBNdSCMbizbR9Xwzd3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	0c5fa51d1bd7c8b817307c300031c268ab7732ec27b0d8d3a6c847d0a3b87d66_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
4472	hcbnaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 4472	1160	0c5fa51d1bd7c8b817307c300031c268ab7732ec27b0d8d3a6c847d0a3b87d66_NeikiAnalytics.exe	83
PID 1160 wrote to memory of 4472	1160	0c5fa51d1bd7c8b817307c300031c268ab7732ec27b0d8d3a6c847d0a3b87d66_NeikiAnalytics.exe	83
PID 1160 wrote to memory of 4472	1160	0c5fa51d1bd7c8b817307c300031c268ab7732ec27b0d8d3a6c847d0a3b87d66_NeikiAnalytics.exe	83

C:\Users\Admin\AppData\Local\Temp\0c5fa51d1bd7c8b817307c300031c268ab7732ec27b0d8d3a6c847d0a3b87d66_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0c5fa51d1bd7c8b817307c300031c268ab7732ec27b0d8d3a6c847d0a3b87d66_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe
  "C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe"
  2⤵
  - Executes dropped EXE
  PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe

Filesize
70KB

MD5
6a47ac8084dd3930a028d2dbe737ded1

SHA1
77ac4560e9f198f83f6b859084e5ef33385565de

SHA256
0ef6d1b9dd376c862f65301d1ab400a562562b5ecc81592ee59a5c52e6882241

SHA512
c519ce924230d4a4536e34363a05bb4df0b35c8f8b4c8b9c73939a5d4729022648b9ed0c64226f3abe19fa943d85924b2b2d1e8a18308f148b4f91a7b6c17752

Download Submit
memory/1160-1-0x0000000001890000-0x0000000001894000-memory.dmp

Filesize
16KB

Download
memory/4472-9-0x00000000026F0000-0x00000000026F4000-memory.dmp

Filesize
16KB

Download