1e94b0fa8d8c50b4ed4e3b30e68f2864d0bbf1d2ce2d99ea54a7518c98b1e03e | Triage

Sharing

Copy URL Twitter E-mail

General

Target

1e94b0fa8d8c50b4ed4e3b30e68f2864d0bbf1d2ce2d99ea54a7518c98b1e03e_NeikiAnalytics.exe
Size

320KB
Sample

240630-19dpvs1ark
MD5

c665e7c6496e7c555db3fc7306677320
SHA1

4150ef958c72fa0d2ba2b17099cd32d9a1097119
SHA256

1e94b0fa8d8c50b4ed4e3b30e68f2864d0bbf1d2ce2d99ea54a7518c98b1e03e
SHA512

a39c359606b1a2fe30f2fcf50bab90221035c02c40b8fc7edbc396232ee5b5ac5bccedd610ebd15d700d1350b23e4a9db607d895ec24739a6ae961016f46204e
SSDEEP

6144:kTwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqR:aXgvmzFHi0mo5aH0qMzd5807FRPJQPDV

Score

10^/10

defense_evasion evasion persistence trojan

Malware Config

Targets

- Target
  
  1e94b0fa8d8c50b4ed4e3b30e68f2864d0bbf1d2ce2d99ea54a7518c98b1e03e_NeikiAnalytics.exe
- Size
  
  320KB
- MD5
  
  c665e7c6496e7c555db3fc7306677320
- SHA1
  
  4150ef958c72fa0d2ba2b17099cd32d9a1097119
- SHA256
  
  1e94b0fa8d8c50b4ed4e3b30e68f2864d0bbf1d2ce2d99ea54a7518c98b1e03e
- SHA512
  
  a39c359606b1a2fe30f2fcf50bab90221035c02c40b8fc7edbc396232ee5b5ac5bccedd610ebd15d700d1350b23e4a9db607d895ec24739a6ae961016f46204e
- SSDEEP
  
  6144:kTwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqR:aXgvmzFHi0mo5aH0qMzd5807FRPJQPDV
Score

10^/10

defense_evasion evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Adds policy Run key to start application
  persistence
- Disables RegEdit via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Safe Mode Boot

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasionevasionpersistencetrojan

behavioral2

defense_evasionevasionpersistencetrojan