67480d640ca38edac6b75e61ec981055fbd0504fb1f96927c4266d28eb445c90

General

Target

d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe
Size

12KB
MD5

d84003982d335bb3fa71fe7933929600
SHA1

f3909e1bf91266169c87013d738c3c8d9bce8c5b
SHA256

67480d640ca38edac6b75e61ec981055fbd0504fb1f96927c4266d28eb445c90
SHA512

de237dc796f988c85d5a6ab3c20840900456fd78784dc9bc76af4a0346b7c112cb5199b5edfbe6f717bd9f2888138de516edb7cef66baf8f2e26d8e27cf5ba9d
SSDEEP

384:aL7li/2zKq2DcEQvdhcJKLTp/NK9xaZM:EaM/Q9cZM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
392	tmp4CC9.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
392	tmp4CC9.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 2692	1588	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe	88
PID 1588 wrote to memory of 2692	1588	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe	88
PID 1588 wrote to memory of 2692	1588	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe	88
PID 2692 wrote to memory of 440	2692	vbc.exe	90
PID 2692 wrote to memory of 440	2692	vbc.exe	90
PID 2692 wrote to memory of 440	2692	vbc.exe	90
PID 1588 wrote to memory of 392	1588	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe	91
PID 1588 wrote to memory of 392	1588	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe	91
PID 1588 wrote to memory of 392	1588	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w53w2y31\w53w2y31.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E8D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E8FE32883D4FDDB58758BE14B3DD84.TMP"
    3⤵
    PID:440
- C:\Users\Admin\AppData\Local\Temp\tmp4CC9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4CC9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
93839726a3eadd78ef9b050ec3d6b9ea

SHA1
0aea49beeb7f5fa1d4d5370a3f2a0277516cd683

SHA256
066998c5bfce98e321cd91a1d133f58dea679d61113a64d1615e7749b51149a3

SHA512
49965c63dab7b39c1f59e1afe61e79e050e6b1d150556056f899b50e27099513115fa6eeb0c1be02e309f1091b802aad07997d8f9b64e0bbf095dbcef8882712

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E8D.tmp

Filesize
1KB

MD5
9ac03a22e9d9918e18eaf53ad15d4aea

SHA1
f9e5e93313d5250c3e81d541e78a4cfe4adb12ab

SHA256
9ef59372c8caffa7d31c17b0da488ad528b10d50ad5d571a24a0c90fa3485401

SHA512
e1ef6050dbd4f9df532dead6c02564e24d73e96afc6caaafd1a254bd7f95b93c1e13618ce1265d8ed36a80d31fe5591670988e314cab9c7c0cd7c9628e146005

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4CC9.tmp.exe

Filesize
12KB

MD5
e6f27cd2643f907fe62f5ee157d91609

SHA1
e253d7f35a3183935f984d9db5d9a5b84f24a87a

SHA256
71af577db873f35fa8565b6637d01660359a0893d8d84e5c2d87b1784aa1f59b

SHA512
cef8591100375d1663f055ed5b6f334d82c42e205b66f242656aa5fe607909d2ee2cf96f3dab14c87b331171d9582245efcc1fe50fbab74efd63bbb243a991de

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1E8FE32883D4FDDB58758BE14B3DD84.TMP

Filesize
1KB

MD5
c0d86840368d15636bf2c61c98535850

SHA1
5a1f154e684aced77e28233d12b287349b23b05d

SHA256
68420c2ae2650506298add471e16dc71dbb4f308b91f506ee0ce15f5dad2a89a

SHA512
816e26a8fd82cb0d173fe770a8129a409b187da83adda4334325cb0aa41be2dfcd5587f2b4a3ac3b2bfe24a2904ddc9e418f0a0c2fe57fbed53911054a0fd33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\w53w2y31\w53w2y31.0.vb

Filesize
2KB

MD5
3974a7cbeec3b44333aa18eb72133282

SHA1
bf59ed62b0c109060203e514c5f4aae06fdbd21b

SHA256
d75c4f18da263e9f24c0a0bf1ec3801ff921975f3a7584418b5a7c85ef71e14e

SHA512
41ba6c1bce148eebbcdd36b73aeede0f3881a49f6d5dbe5a6dde2b255a295d00543ca4b4e5125cd4dc9bced559c67e785ce2f1dcf1c2896dea3fbed2bdf933c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\w53w2y31\w53w2y31.cmdline

Filesize
273B

MD5
47c57342cb9baa3f77fd78e6a2fcdd75

SHA1
59142f13402e26143992b691996211606debd52c

SHA256
244d7a0d9c71268083a3f1661f4d3e33229a675575f9138e8f9e1dd9a2ea36a2

SHA512
20f03046df92e5fcab073b1ef9c73be761bfdf275c83e825341f6f0e789fc12ff150b53a7d847b98280792ce34f51a63c11b2af42d3fce45e4f324d44671a6c7

Download Submit
memory/392-26-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/392-25-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/392-27-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/392-28-0x0000000004CD0000-0x0000000004D62000-memory.dmp

Filesize
584KB

Download
memory/392-30-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1588-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/1588-8-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1588-2-0x0000000005740000-0x00000000057DC000-memory.dmp

Filesize
624KB

Download
memory/1588-1-0x0000000000D40000-0x0000000000D4A000-memory.dmp

Filesize
40KB

Download
memory/1588-24-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing