f3aef209098577275f193a318d9019923f1536bc41a583cd519f49ee70728c34

General

Target

2600e360966776078720722372390df0_NEIKI.exe
Size

12KB
MD5

2600e360966776078720722372390df0
SHA1

014d93d4235534ba28c475230e25fb04282ad1fb
SHA256

f3aef209098577275f193a318d9019923f1536bc41a583cd519f49ee70728c34
SHA512

51b8bbd05b81dafeb779ee0ee1ec6dd9e3e9349561bf84ba1703a5518f6ea7f5390a2d368ee7a8b7cf833120dfee6725500980170ba504df058c8126ed1464e6
SSDEEP

384:QL7li/2ziq2DcEQvdhcJKLTp/NK9xaHL:O6M/Q9cHL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	2600e360966776078720722372390df0_NEIKI.exe

Deletes itself 1 IoCs

pid	Process
1828	tmp4036.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1828	tmp4036.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4348	2600e360966776078720722372390df0_NEIKI.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 1576	4348	2600e360966776078720722372390df0_NEIKI.exe	88
PID 4348 wrote to memory of 1576	4348	2600e360966776078720722372390df0_NEIKI.exe	88
PID 4348 wrote to memory of 1576	4348	2600e360966776078720722372390df0_NEIKI.exe	88
PID 1576 wrote to memory of 1648	1576	vbc.exe	91
PID 1576 wrote to memory of 1648	1576	vbc.exe	91
PID 1576 wrote to memory of 1648	1576	vbc.exe	91
PID 4348 wrote to memory of 1828	4348	2600e360966776078720722372390df0_NEIKI.exe	93
PID 4348 wrote to memory of 1828	4348	2600e360966776078720722372390df0_NEIKI.exe	93
PID 4348 wrote to memory of 1828	4348	2600e360966776078720722372390df0_NEIKI.exe	93

C:\Users\Admin\AppData\Local\Temp\2600e360966776078720722372390df0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\2600e360966776078720722372390df0_NEIKI.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\shiuskyr\shiuskyr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4239.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc42AA813C39BB4D82B5B7D89F8FAD498D.TMP"
    3⤵
    PID:1648
- C:\Users\Admin\AppData\Local\Temp\tmp4036.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4036.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2600e360966776078720722372390df0_NEIKI.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
b935bcc751fb3fe741505b454ebe87a5

SHA1
682581c9939163f37ee534a56e7180128a2cf812

SHA256
ece7af9fd44544cf5fc490072b579667af6136fcafb368896a155a50cf7390b9

SHA512
a41323cb2f11d94718229830d11cf82c2e38bea283a63486c98022d2a3255ea2f75d5c4719a5ee5c82515276ebc652bcf4bac6161135ad2342ce5c8e1a00a318

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4239.tmp

Filesize
1KB

MD5
c381425d3630ba6d9d8aab4662204038

SHA1
0922a63fcab1116a1610eeaa3c73a3cf82af2be2

SHA256
f971ccbdbb504b674523a0b2efa512da5f475152d718f0e6e9cb5a5cc355f8d0

SHA512
874817a148ff9be64cd22ca530eb1c2fcd2067e2f757328c79e68dbfb48f3741ee25b1d93b43ea7adf32c3429021a3a91696588bccdaa46610ce16ee41c769ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiuskyr\shiuskyr.0.vb

Filesize
2KB

MD5
e3c53ca3ac4a61ad95ff66b91702917e

SHA1
39892300d4706f547cabd7258d77e756ac997fd5

SHA256
fdf4ce1687e21c07cf4e5e94b3af688f0dd1ef0d0012e667f91551161b2220e7

SHA512
5001da0810230d81f031eea4b6778ea97df1b8863559ccedbb4e8479b4c09126119341fc5c22cc1fae64c86fa7a76f3f8dbbb2e0f0376d6182bfc12720c4a074

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiuskyr\shiuskyr.cmdline

Filesize
273B

MD5
8c72e289c8e9462c0ac9adf5289921d2

SHA1
871a84de512a2ee191866d7e83a2592c8d9d1631

SHA256
4e6f3d8af2b7a18d8cb2d5fe224af92c2aa134ac5ec06e3cd3e36c04308892b1

SHA512
c88f8a7f277c68ac5cf3de6a81cd8a7b6ec269fd2a40786549eeae37b309189dce193330b92b880564a62baa03d5ee4d947232eb7260b97f0d17cd77f810f383

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4036.tmp.exe

Filesize
12KB

MD5
c59fe4d5480aa8bed34fb087b43f6c40

SHA1
0ca833839182dda64b7d16adabbc5ac526869e01

SHA256
fe91f1c5d93deb604ce5b232e60697922f9f17850e680b1a83b3701084c4ccab

SHA512
eafbae12e8b2a52411e1fe4e0277882515cd97ee8527ccbbdf56b47a6e4f779be8bd9bfc1c15527f4438a9ec444df888a4a2b4876e7cf6ed1b516400b31cc2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc42AA813C39BB4D82B5B7D89F8FAD498D.TMP

Filesize
1KB

MD5
5e2bdda596cb96b95af24ce800c939da

SHA1
3cabe418471ab71315fe01977bdf5bd7515f2a8e

SHA256
2a3bba00f8853a11c0648ad8fdbe9645dfab798985782baac0d22ac895453306

SHA512
df32b04e4451f675cd1142db5c43dc256dad61d5fef0c9ea2766571098eade45cb73bf3ea16c4fb286f1686d422223ae0da3798d8f53473927552d124cfe55ed

Download Submit
memory/1828-24-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/1828-26-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/1828-27-0x0000000004FF0000-0x0000000005594000-memory.dmp

Filesize
5.6MB

Download
memory/1828-28-0x0000000004A40000-0x0000000004AD2000-memory.dmp

Filesize
584KB

Download
memory/1828-30-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-0-0x0000000074A2E000-0x0000000074A2F000-memory.dmp

Filesize
4KB

Download
memory/4348-8-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-2-0x0000000005800000-0x000000000589C000-memory.dmp

Filesize
624KB

Download
memory/4348-1-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download
memory/4348-25-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing