51941075d2da6a5ae6a130e72948cd086f5b72efc39df0a573469534d78a7e37

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51941075d2da6a5ae6a130e72948cd086f5b72efc39df0a573469534d78a7e37_NeikiAnalytics.exe
Size

20KB
MD5

1288728fa4fe444f68996858f69a1510
SHA1

7372421e6ca22d1271cbee9b4c7d809104684340
SHA256

51941075d2da6a5ae6a130e72948cd086f5b72efc39df0a573469534d78a7e37
SHA512

aa1b79fc59b2efc7dfc61087b533d74c31df4f4d02231328a8e50a5fa2e9fe82db17e6ce1a55caea779102cad7b50f58555df46a1ee7ce13548555bc3f48e719
SSDEEP

192:RmHMqjoQewsETX0o1byouOlOx/+1qAGgYpVAdDWLkqQdAat:ReMigwsEo6Ze+N5Ypy6QdR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	51941075d2da6a5ae6a130e72948cd086f5b72efc39df0a573469534d78a7e37_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
1136	erdou.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 1136	4380	51941075d2da6a5ae6a130e72948cd086f5b72efc39df0a573469534d78a7e37_NeikiAnalytics.exe	82
PID 4380 wrote to memory of 1136	4380	51941075d2da6a5ae6a130e72948cd086f5b72efc39df0a573469534d78a7e37_NeikiAnalytics.exe	82
PID 4380 wrote to memory of 1136	4380	51941075d2da6a5ae6a130e72948cd086f5b72efc39df0a573469534d78a7e37_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\51941075d2da6a5ae6a130e72948cd086f5b72efc39df0a573469534d78a7e37_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\51941075d2da6a5ae6a130e72948cd086f5b72efc39df0a573469534d78a7e37_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Users\Admin\AppData\Local\Temp\erdou.exe
  "C:\Users\Admin\AppData\Local\Temp\erdou.exe"
  2⤵
  - Executes dropped EXE
  PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\erdou.exe

Filesize
20KB

MD5
163f0e1450d440e8bbbccd690ca294a9

SHA1
8c522b15258ad40d0a0d837756f9d48fba7f32e0

SHA256
89061630a4bd8b4e90604ca6ad48b4068e2b74ad839525ca786bcdc361c209d5

SHA512
65f8e2923670659e86d92a7ac5fb873263e8b068928863f34934698cd7f263ca3ac0d0158dfb6d3179251502c925542939e76f4e6a4f1526be9dbc456e6263bb

Download Submit
memory/1136-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4380-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4380-2-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/4380-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download