c6be66b6789888d1911e750c17f00307c83a5c951e90c172c0657a6d5283e2ac

General

Target

0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe
Size

12KB
MD5

0abaf7fd668ec7b2ba52cd03decc2ac0
SHA1

e3aedc7dbf93de4a070e945530324298fa44febe
SHA256

c6be66b6789888d1911e750c17f00307c83a5c951e90c172c0657a6d5283e2ac
SHA512

57055f0f4011fca910b3fb93fc59c1fc6b1ff55d9b0f22e014a8dd5dafde0c685955bab4ada73cfef71877f0ac711cd5fb0450024364c3b8c0495dec3ae26482
SSDEEP

384:jL7li/2zNq2DcEQvdhcJKLTp/NK9xaM7:ndM/Q9cM7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3568	tmp50A1.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3568	tmp50A1.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	352	0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 1436	352	0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe	87
PID 352 wrote to memory of 1436	352	0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe	87
PID 352 wrote to memory of 1436	352	0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe	87
PID 1436 wrote to memory of 2216	1436	vbc.exe	89
PID 1436 wrote to memory of 2216	1436	vbc.exe	89
PID 1436 wrote to memory of 2216	1436	vbc.exe	89
PID 352 wrote to memory of 3568	352	0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe	90
PID 352 wrote to memory of 3568	352	0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe	90
PID 352 wrote to memory of 3568	352	0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cwymdrdp\cwymdrdp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5294.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D049DDDD2A5412A8C6EC3589CA599F.TMP"
    3⤵
    PID:2216
- C:\Users\Admin\AppData\Local\Temp\tmp50A1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp50A1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
b4a92efc62c90f1274f49ae72d27ffe8

SHA1
ce672ec96703f82d1aef6140bc984e6bc47f6a24

SHA256
25aa14adcd3c8885798acccbeba74212106dd2a10cd75470fe3ffcb919c92f92

SHA512
7f92a3d10d3f9b84674aea692e5e9906078296b79f34bfb7f63828a754d932f7ef5d08af8f5de0e0bb58207128b068e0db1a82ee422401ce2e05db7ab38df40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5294.tmp

Filesize
1KB

MD5
4aaf27c3f9bb7b6ea3267ada0070fbdc

SHA1
2c7b23d92c1be90bafe1180072cfaeef52f1473c

SHA256
e6a9bb8cd1c3d5365d1961677a77502ff83e9d585a909c54b1099ec470bc9a6c

SHA512
32b79e19dc173e1efd31a77a098cef88324dab66e4c7c46e73b601e663d9094ce55a5d6586fa52bfdf0955fc5653415f993b9195022a9ab0e2cdb9cebb78fe76

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwymdrdp\cwymdrdp.0.vb

Filesize
2KB

MD5
5d5be0aea8ed43bc18aaa6103b778a47

SHA1
85b7bb218334731854e0d04d5e618a8544eba6e0

SHA256
61f7242b7e066426c4ce28be242e263a78334defa394b09c2cbb1724fe3123ff

SHA512
0b035a6e859a0aa9676c5423261b62f3598b78ef78b4f3d94bf1441d6760cd1442fc890622da942c318e0cae9a4d99045092522c75e4cfbcc9d437f9e7f88199

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwymdrdp\cwymdrdp.cmdline

Filesize
273B

MD5
532ae716413214a460854a459c76a948

SHA1
e89f8f29bc4385bc7259a075e6fdc7fb04e1991e

SHA256
94bd04ff45a795d067cc591487e78293b122e4967fe4652f8e8e559bb2703e33

SHA512
04e71ac6724bf5ee37542222fd69a1df575598791b3f2a66950d21deb9a3ba3b9762e7d2cac262d974741d64da5ede77ddefba5267794dccd04e92ad72f14c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp50A1.tmp.exe

Filesize
12KB

MD5
96b6c7a8d821268151cb6e5ad348656d

SHA1
89a12d3a8aa21d4976813f0126d9d9efe75cdeac

SHA256
1e414b72e8bc4cda98eb3a3cb8402c9133e5647969cc820ebd32982bd8539db1

SHA512
c197adbdfa4ee7ff744d3805e9e3d68c49678ab0df11c51110f8cd7174ea548b832eb242db52c16dc018725cc07ace86077d14447885274e93592a14a6c303a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6D049DDDD2A5412A8C6EC3589CA599F.TMP

Filesize
1KB

MD5
dbb56ddabd504722a82970f2993cd528

SHA1
5f5743776a10e74a41bbf315c682c4ed011f5640

SHA256
838c2320b43fd8a8717ca5ea7c2e20def78435e2f7d17f67356b8010136194c5

SHA512
581f590cad4d0160e72cf4c35ab1a8e77e0f75398aa77712ee206987e1c945dfa09647812632b3c21ac34d63982fd1e7b55774ef1dc99d0e9caeef6df87be016

Download Submit
memory/352-0-0x00000000753BE000-0x00000000753BF000-memory.dmp

Filesize
4KB

Download
memory/352-8-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/352-2-0x0000000005530000-0x00000000055CC000-memory.dmp

Filesize
624KB

Download
memory/352-1-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/352-24-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/3568-25-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/3568-26-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/3568-27-0x0000000005B50000-0x00000000060F4000-memory.dmp

Filesize
5.6MB

Download
memory/3568-28-0x0000000005640000-0x00000000056D2000-memory.dmp

Filesize
584KB

Download
memory/3568-30-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing