Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 13:39
Static task: static1
Behavioral task: behavioral1
Sample: adb6f2c6600b62f753a9a0a10f93d391d8a9262303b88e7ae143eeabe71e5839_NeikiAnalytics.exe
Resource: win7-20240221-en
General
- Target: adb6f2c6600b62f753a9a0a10f93d391d8a9262303b88e7ae143eeabe71e5839_NeikiAnalytics.exe
- Size: 280KB
- MD5: bed05b2e649232a1a5c0dfe131917740
- SHA1: 16891a3e909a77451d34e541fdb5bc3d1460125c
- SHA256: adb6f2c6600b62f753a9a0a10f93d391d8a9262303b88e7ae143eeabe71e5839
- SHA512: eec074cdb9864fb74c28be7de186c2ef3ce5c51b25c967ef467d1b764986f613542d7ff623f6cda491630b201d6f0361f1cd94e3cbb346398bb80880fa1f25c5
- SSDEEP: 6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfg:boSeGUA5YZazpXUmZhZ6SF
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: sysupdate24.ddns.net:45400
- Mutex: ae82ab7f-db07-49ee-9d2b-76075d76f37f
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server:
- buffer_size: 65535
- build_time: 2020-04-24T17:41:53.492468936Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 45400
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: ae82ab7f-db07-49ee-9d2b-76075d76f37f
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: sysupdate24.ddns.net
- primary_dns_server:
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: adb6f2c6600b62f753a9a0a10f93d391d8a9262303b88e7ae143eeabe71e5839_NeikiAnalytics.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | adb6f2c6600b62f753a9a0a10f93d391d8a9262303b88e7ae143eeabe71e5839_NeikiAnalytics.exe
- Executes dropped EXE (2 IoCs)
  Processes: a1punf5t2of.exe, a1punf5t2of.exe
  pid | process
  3592 | a1punf5t2of.exe
  4032 | a1punf5t2of.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: adb6f2c6600b62f753a9a0a10f93d391d8a9262303b88e7ae143eeabe71e5839_NeikiAnalytics.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" | adb6f2c6600b62f753a9a0a10f93d391d8a9262303b88e7ae143eeabe71e5839_NeikiAnalytics.exe
- Checks whether UAC is enabled
  Processes: a1punf5t2of.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | a1punf5t2of.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: a1punf5t2of.exe
  description | pid | process | target process
  PID 3592 set thread context of 4032 | 3592 | a1punf5t2of.exe | a1punf5t2of.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: a1punf5t2of.exe
  pid | process
  4032 | a1punf5t2of.exe (4 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: a1punf5t2of.exe
  pid | process
  4032 | a1punf5t2of.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: a1punf5t2of.exe
  description | pid | process
  Token: SeDebugPrivilege | 4032 | a1punf5t2of.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: adb6f2c6600b62f753a9a0a10f93d391d8a9262303b88e7ae143eeabe71e5839_NeikiAnalytics.exe, a1punf5t2of.exe
  description | pid | process | target process
  PID 1620 wrote to memory of 3592 | 1620 | adb6f2c6600b62f753a9a0a10f93d391d8a9262303b88e7ae143eeabe71e5839_NeikiAnalytics.exe | a1punf5t2of.exe (3 entries)
  PID 3592 wrote to memory of 4032 | 3592 | a1punf5t2of.exe | a1punf5t2of.exe (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\adb6f2c6600b62f753a9a0a10f93d391d8a9262303b88e7ae143eeabe71e5839_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\adb6f2c6600b62f753a9a0a10f93d391d8a9262303b88e7ae143eeabe71e5839_NeikiAnalytics.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
    "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
      "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
  Filesize: 280KB
  MD5: a3a89f7aee666af7de7a055771d88248
  SHA1: 38ba6b72e94e6c2ae3ad315610a6cb5980e1dead
  SHA256: 26eef0b8e8365cb93afae80560eb396e41fdb645c080a3c4798fd2675b5d1410
  SHA512: a683fe01ca911debdcaee069ac2df3988cd7a0fa9515a9928c4eee5ddb97a9a04a41cc51f7e4fe563197b68e82a5b62e8ac6e45667f37dcc470a5a04a55fe8a2
Memory dumps (file, Filesize)
- memory/1620-0-0x0000000074772000-0x0000000074773000-memory.dmp 4KB
- memory/1620-1-0x0000000074770000-0x0000000074D21000-memory.dmp 5.7MB
- memory/1620-2-0x0000000074770000-0x0000000074D21000-memory.dmp 5.7MB
- memory/1620-5-0x0000000074772000-0x0000000074773000-memory.dmp 4KB
- memory/1620-16-0x0000000074770000-0x0000000074D21000-memory.dmp 5.7MB
- memory/1620-20-0x0000000074770000-0x0000000074D21000-memory.dmp 5.7MB
- memory/3592-18-0x0000000074770000-0x0000000074D21000-memory.dmp 5.7MB
- memory/3592-19-0x0000000074770000-0x0000000074D21000-memory.dmp 5.7MB
- memory/3592-21-0x0000000074770000-0x0000000074D21000-memory.dmp 5.7MB
- memory/3592-22-0x0000000074770000-0x0000000074D21000-memory.dmp 5.7MB
- memory/3592-31-0x0000000074770000-0x0000000074D21000-memory.dmp 5.7MB
- memory/3592-34-0x0000000074770000-0x0000000074D21000-memory.dmp 5.7MB
- memory/4032-23-0x0000000000400000-0x0000000000438000-memory.dmp 224KB
- memory/4032-24-0x0000000000400000-0x0000000000438000-memory.dmp 224KB
- memory/4032-25-0x0000000000400000-0x0000000000438000-memory.dmp 224KB
- memory/4032-28-0x0000000074770000-0x0000000074D21000-memory.dmp 5.7MB
- memory/4032-29-0x0000000074770000-0x0000000074D21000-memory.dmp 5.7MB
- memory/4032-32-0x0000000074770000-0x0000000074D21000-memory.dmp 5.7MB
- memory/4032-35-0x0000000074770000-0x0000000074D21000-memory.dmp 5.7MB
- memory/4032-36-0x0000000074770000-0x0000000074D21000-memory.dmp 5.7MB
- memory/4032-37-0x0000000074770000-0x0000000074D21000-memory.dmp 5.7MB