Analysis
max time kernel: 0s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 03:21
Behavioral task behavioral1
Sample: 31a8e35da6f07f6233b1d399871285d6f97a18cf68bd7f54ec6b7317f8a870f3_NeikiAnalytics.exe
Resource: win7-20240611-en

Behavioral task behavioral2
Sample: 31a8e35da6f07f6233b1d399871285d6f97a18cf68bd7f54ec6b7317f8a870f3_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 31a8e35da6f07f6233b1d399871285d6f97a18cf68bd7f54ec6b7317f8a870f3_NeikiAnalytics.exe
Size: 676KB
MD5: 3132989abe8e47d0d6fc378c334234d0
SHA1: 4699699cd043b5476ebdbfc818ef9fa6a6e62acd
SHA256: 31a8e35da6f07f6233b1d399871285d6f97a18cf68bd7f54ec6b7317f8a870f3
SHA512: 83cec9437a893e3e56d0ecf229b368a065b6381b479b360585869df49e1044307354940720ae28f4136e74989e033266474f3d7f0065f356f78d7fe905ceacef
SSDEEP: 6144:k9vI4+EORn0aO+p3o8RdnVDw7vg95sA1/TQgTR9Ftk/uN4yWN2ou5lKbZpf41NIG:yI1b0a1JHzn2nA2ZTIou6bM1NzANqgot
Malware Config
Signatures
Detect Neshta payload (5 IoCs)
  resource                                                                      yara_rule
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE                                family_neshta
  behavioral2/memory/2948-96-0x0000000000400000-0x000000000041B000-memory.dmp   family_neshta
  behavioral2/memory/2948-97-0x0000000000400000-0x000000000041B000-memory.dmp   family_neshta
  behavioral2/memory/2948-98-0x0000000000400000-0x000000000041B000-memory.dmp   family_neshta
  behavioral2/memory/2948-100-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
Neshta
Neshta is a file-infecting virus: it prepends its own code to executables it finds on the host, so that it runs whenever they do and spreads to further files each time. To keep the host program working, an infected executable drops a clean copy of the original into a temporary directory and launches it. Both traits are visible in this run: the 676KB sample drops and executes a 636KB copy of itself under AppData\Local\Temp\3582-490\ (the roughly 40KB difference is the prepended infector), and the family_neshta rule matches an Acrobat Reader executable under Program Files, i.e. a freshly infected file.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely as a geofence check.
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation   31a8e35da6f07f6233b1d399871285d6f97a18cf68bd7f54ec6b7317f8a870f3_NeikiAnalytics.exe
Executes dropped EXE (1 IoC)
  pid    process
  1584   31a8e35da6f07f6233b1d399871285d6f97a18cf68bd7f54ec6b7317f8a870f3_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (2 IoCs)
Both events are the parent (the sample in Temp, PID 2948) writing into the dropped copy it launched (Temp\3582-490\, PID 1584); the two processes share the same image name.
  description                        pid    process                                                                                target process
  PID 2948 wrote to memory of 1584   2948   31a8e35da6f07f6233b1d399871285d6f97a18cf68bd7f54ec6b7317f8a870f3_NeikiAnalytics.exe   31a8e35da6f07f6233b1d399871285d6f97a18cf68bd7f54ec6b7317f8a870f3_NeikiAnalytics.exe
  PID 2948 wrote to memory of 1584   2948   31a8e35da6f07f6233b1d399871285d6f97a18cf68bd7f54ec6b7317f8a870f3_NeikiAnalytics.exe   31a8e35da6f07f6233b1d399871285d6f97a18cf68bd7f54ec6b7317f8a870f3_NeikiAnalytics.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\31a8e35da6f07f6233b1d399871285d6f97a18cf68bd7f54ec6b7317f8a870f3_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\31a8e35da6f07f6233b1d399871285d6f97a18cf68bd7f54ec6b7317f8a870f3_NeikiAnalytics.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3582-490\31a8e35da6f07f6233b1d399871285d6f97a18cf68bd7f54ec6b7317f8a870f3_NeikiAnalytics.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\31a8e35da6f07f6233b1d399871285d6f97a18cf68bd7f54ec6b7317f8a870f3_NeikiAnalytics.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
  Filesize: 86KB
  MD5: 3b73078a714bf61d1c19ebc3afc0e454
  SHA1: 9abeabd74613a2f533e2244c9ee6f967188e4e7e
  SHA256: ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
  SHA512: 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

C:\Users\Admin\AppData\Local\Temp\3582-490\31a8e35da6f07f6233b1d399871285d6f97a18cf68bd7f54ec6b7317f8a870f3_NeikiAnalytics.exe
  Filesize: 636KB
  MD5: 39ddc8ba672e05e99fbd77dccd2b38ca
  SHA1: 8dbbd58208b337650d5982ffee8439493fc0f091
  SHA256: b78d63a78a202ee7fff00330cf1d24aee42372bae9979ccb6efb5b1d71446586
  SHA512: 0fe4fefc52fdae07d7554215ef588ae1b6499287cbb2abf2e2e63086f445c997b40194699072ef9e14d5affc8fd1aa0c8db8a1a2a6555cfb754da2e471e42a9f

memory/2948-96-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/2948-97-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/2948-98-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/2948-100-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
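Two parts of this report are worth turning into structured data: the Neshta observation that the sample is an infector stub in front of a clean host it drops and runs, and the Downloads table of dropped-file hashes and memory dumps. The Python below is an added example for this page, not tooling from the sandbox vendor. It parses the report's own Downloads block, copied as extracted with labels glued to values, splitting each label from its digest by the expected digest length; it cross-checks every memory dump's address range against the size the report lists; and it estimates the prepended stub from the 676KB sample and the 636KB dropped host. The function and class names are the example's own.

```python
"""Parse the flattened 'Downloads' table of this sandbox report into IoC records
and cross-check them against figures elsewhere in the report.
Added example for this page, not sandbox-vendor tooling. RAW_DOWNLOADS is the
report's own Downloads block as extracted (two of the four identical memory dumps)."""
import re
from dataclasses import dataclass, field
from typing import Optional

RAW_DOWNLOADS = r"""
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXEFilesize
86KB
MD53b73078a714bf61d1c19ebc3afc0e454
SHA19abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA51275959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4
-
C:\Users\Admin\AppData\Local\Temp\3582-490\31a8e35da6f07f6233b1d399871285d6f97a18cf68bd7f54ec6b7317f8a870f3_NeikiAnalytics.exeFilesize
636KB
MD539ddc8ba672e05e99fbd77dccd2b38ca
SHA18dbbd58208b337650d5982ffee8439493fc0f091
SHA256b78d63a78a202ee7fff00330cf1d24aee42372bae9979ccb6efb5b1d71446586
SHA5120fe4fefc52fdae07d7554215ef588ae1b6499287cbb2abf2e2e63086f445c997b40194699072ef9e14d5affc8fd1aa0c8db8a1a2a6555cfb754da2e471e42a9f
-
memory/2948-96-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2948-100-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
"""

# Digest lengths validate a hash and split a label from a value the extraction glued
# to it ("SHA19abe..." is SHA1 + "9abe...", not a label "SHA19").
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEMDUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass
class Artifact:
    name: str                                  # dropped-file path or memory-dump name
    size_bytes: int = 0                        # the report's rounded "86KB", read as KiB
    hashes: dict = field(default_factory=dict)
    pid: Optional[int] = None                  # memory dumps only
    region: Optional[tuple] = None             # (start, end) virtual addresses, dumps only

    def region_size(self) -> Optional[int]:
        return None if self.region is None else self.region[1] - self.region[0]


def parse_size(text: str) -> int:
    m = re.fullmatch(r"(\d+)(KB|MB|B)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * {"B": 1, "KB": 1024, "MB": 1024 ** 2}[m.group(2)]


def split_hash_line(line: str) -> Optional[tuple]:
    """(label, digest) for a glued line such as 'SHA256ded54d...'; None otherwise."""
    for label, length in DIGEST_LEN.items():
        if line.startswith(label):
            digest = line[len(label):]
            if len(digest) == length and re.fullmatch(r"[0-9a-fA-F]+", digest):
                return label, digest.lower()
    return None


def parse_downloads(raw: str) -> list:
    records, current = [], None
    for line in (l.strip() for l in raw.splitlines()):
        if not line or line == "-":
            continue
        if line.endswith("Filesize"):            # record header: "<name>Filesize"
            current = Artifact(name=line[: -len("Filesize")])
            if m := MEMDUMP_RE.match(current.name):
                current.pid = int(m.group("pid"))
                current.region = (int(m.group("start"), 16), int(m.group("end"), 16))
            records.append(current)
        elif current is None:
            raise ValueError(f"value before any header: {line!r}")
        elif (h := split_hash_line(line)) is not None:
            current.hashes[h[0]] = h[1]
        else:
            current.size_bytes = parse_size(line)
    return records


def memory_dump_inconsistencies(records: list) -> list:
    """Dumps whose address range differs from the listed size (empty when consistent)."""
    return [a.name for a in records if a.region and a.region_size() != a.size_bytes]


def prepended_stub_estimate(sample_bytes: int, dropped_host_bytes: int) -> int:
    """Submitted sample minus the clean host it dropped: roughly the infector code in
    front of the host. The report's sizes are rounded, so treat this as an estimate."""
    return sample_bytes - dropped_host_bytes


if __name__ == "__main__":
    recs = parse_downloads(RAW_DOWNLOADS)
    print(f"{len(recs)} artifacts, inconsistent dumps: {memory_dump_inconsistencies(recs)}")
    print("stub estimate (KB):", prepended_stub_estimate(676 * 1024, 636 * 1024) // 1024)
```

The dump check is the useful part beyond a hash list: 0x41B000 - 0x400000 is exactly 108 KiB, so the listed size and the address range agree, and the range starts at 0x400000, the conventional 32-bit PE image base, which fits the arch:x86 tag on the run. A mismatch would point at a truncated or mislabelled dump before anyone wasted time scanning it.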