509d936c9423a5ae18a42dd8e51426f3bde1287537f376385274c989d5ed8686

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

509d936c9423a5ae18a42dd8e51426f3bde1287537f376385274c989d5ed8686_NeikiAnalytics.exe
Size

24KB
MD5

a12fa64b68afa5cc9c15427dbb3ce8c0
SHA1

7239eff02d0b2e64a6c010e5e40a07810f325aea
SHA256

509d936c9423a5ae18a42dd8e51426f3bde1287537f376385274c989d5ed8686
SHA512

ea834509cd2a3560d3c841301511cb93ac5f9d2b19e40eb66d91fd405e21a4762474a639aa06ad00e4368194f5600961e4c2396948683b4bff47ba82a179c0e1
SSDEEP

384:PMJD+1/AMX2U6P9lkyAP9Ep6jtmi/pEojSjOnj+:oD+FhXN6jRMtlRE9jOi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	509d936c9423a5ae18a42dd8e51426f3bde1287537f376385274c989d5ed8686_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
4628	firefox_update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 4628	3016	509d936c9423a5ae18a42dd8e51426f3bde1287537f376385274c989d5ed8686_NeikiAnalytics.exe	80
PID 3016 wrote to memory of 4628	3016	509d936c9423a5ae18a42dd8e51426f3bde1287537f376385274c989d5ed8686_NeikiAnalytics.exe	80
PID 3016 wrote to memory of 4628	3016	509d936c9423a5ae18a42dd8e51426f3bde1287537f376385274c989d5ed8686_NeikiAnalytics.exe	80

C:\Users\Admin\AppData\Local\Temp\509d936c9423a5ae18a42dd8e51426f3bde1287537f376385274c989d5ed8686_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\509d936c9423a5ae18a42dd8e51426f3bde1287537f376385274c989d5ed8686_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\firefox_update.exe
  "C:\Users\Admin\AppData\Local\Temp\firefox_update.exe"
  2⤵
  - Executes dropped EXE
  PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\firefox_update.exe

Filesize
25KB

MD5
3fe2cf9475e62b7599ac06ac9e97152a

SHA1
05fcac89b9de35925767e6508dfe16d26c176ae3

SHA256
51acb49c10f0a9f1b5d845391e198ee4bf8cc2d973b0eb05c1ee5d59a5b554f9

SHA512
1701c67369d14488abbba59be5957439ce5ba7da7453a4f7b4c88f4fc139b30e5f24c0ef593f7975a9851dae8c2351f848c9e34c973d6ae124ca158ce34d4213

Download Submit
memory/3016-1-0x0000000000403000-0x0000000000405000-memory.dmp

Filesize
8KB

Download
memory/4628-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download