2a8e1a8b9d75e6f2e9c355ae6f6c3009a8ca6f9f1f5071a042d3e07a45c28a45

General

Target

1acac53a42b94d3fb5b0cf07ac8c3720_NeikiAnalytics.exe
Size

12KB
MD5

1acac53a42b94d3fb5b0cf07ac8c3720
SHA1

3ca37bf4f0e186e3bbc7cb463db3a2b549db2b16
SHA256

2a8e1a8b9d75e6f2e9c355ae6f6c3009a8ca6f9f1f5071a042d3e07a45c28a45
SHA512

a9be5245e3c37db6cdda93c2b66c833998d7687f894f9df4a147d42dc61296073c6f641e28eb14fe8fa93ec164c698f69a3a8878f4eb68f5af90b138815a4d0c
SSDEEP

384:LL7li/2zUq2DcEQvdhcJKLTp/NK9xazH5:fIM/Q9czH5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	1acac53a42b94d3fb5b0cf07ac8c3720_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4388	tmp3CAC.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4388	tmp3CAC.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	1acac53a42b94d3fb5b0cf07ac8c3720_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2244	1600	1acac53a42b94d3fb5b0cf07ac8c3720_NeikiAnalytics.exe	86
PID 1600 wrote to memory of 2244	1600	1acac53a42b94d3fb5b0cf07ac8c3720_NeikiAnalytics.exe	86
PID 1600 wrote to memory of 2244	1600	1acac53a42b94d3fb5b0cf07ac8c3720_NeikiAnalytics.exe	86
PID 2244 wrote to memory of 4208	2244	vbc.exe	88
PID 2244 wrote to memory of 4208	2244	vbc.exe	88
PID 2244 wrote to memory of 4208	2244	vbc.exe	88
PID 1600 wrote to memory of 4388	1600	1acac53a42b94d3fb5b0cf07ac8c3720_NeikiAnalytics.exe	89
PID 1600 wrote to memory of 4388	1600	1acac53a42b94d3fb5b0cf07ac8c3720_NeikiAnalytics.exe	89
PID 1600 wrote to memory of 4388	1600	1acac53a42b94d3fb5b0cf07ac8c3720_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\1acac53a42b94d3fb5b0cf07ac8c3720_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1acac53a42b94d3fb5b0cf07ac8c3720_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\widex0ip\widex0ip.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E12.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6265974B8A946FF97CEBB6B66496C92.TMP"
    3⤵
    PID:4208
- C:\Users\Admin\AppData\Local\Temp\tmp3CAC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3CAC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1acac53a42b94d3fb5b0cf07ac8c3720_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
082bc5c6dab905e27449ff74c87d5fcc

SHA1
20a4f16ca45d2ca830cab5e0b671cb78de80f826

SHA256
cbb5f014a6cebe0898332e05b18ca3750835256da9585011f484bf77f3f861ff

SHA512
e3d3d8d1eb9ba3549906893f22fe7d0573808d47e24f0d0e2651b03423a73546ecae2232569e3524419b92600ec34e7b83ee3567aaa06282bd064cf477c22267

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3E12.tmp

Filesize
1KB

MD5
296c5465457a91e81b9189ec90786f7f

SHA1
da7e71f173281841add8d1185488ea580715fa77

SHA256
ee16b587af8f3516f1c264e25905391c2b904da4df875f60ecb7b156d8ca0d1a

SHA512
fc68e93fbd38fa3e8f47ee7187641900c5815c3376818cbb224843cfafb6c601ecd1c8f567ab594e37fc83dc3754ea7269b0659e5a31cce72ef2a2ecd79ed4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3CAC.tmp.exe

Filesize
12KB

MD5
584cf05b7b6af384b9875fbc4026faa4

SHA1
ade6dd4bc97965000a807803329ab2924744d5b0

SHA256
ea4aa0dd027e0761c9d045d141a37d8fa719574fdb0a869188125a81d130ca9e

SHA512
d9e518cf984d30453fc71018d9b91bdf31eb9a328c39bbecbb4a23c86d422905a36d7d86c3b1a463a7ffc6b479ceaa12db090862b0cfa2f3833aca045554dc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6265974B8A946FF97CEBB6B66496C92.TMP

Filesize
1KB

MD5
9618a78ff46393e18f1e69d94be06b72

SHA1
6950a885b8b8c3fb7ec30beae73adda8b597aab5

SHA256
6c4942d5a829a0c22446ffa8553f5412ed388e1834b4a7a565a9af5303a02ca7

SHA512
472e5d72ece77f4a8c599f7efb19539762a6fda9b0620bac4d69dbd89860fdf3a0ba5151d7edddff8c04d23b7469651c3f362ff8062084ee2a3e06c03dc2b9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\widex0ip\widex0ip.0.vb

Filesize
2KB

MD5
7c08076a3618452f411b798942a34a1f

SHA1
6fff586eeb279a7e1d0a82fac4fd2c95268572d9

SHA256
cc0976e716aebda43c84cd9ffd35b58cf8969027fd59cbbe1fad12e5325fd5e0

SHA512
8169ed0bbad98850ba3881bbc95def778fc375643ce102837674611aeb129b1fd02284f28edfbf2ee1f075a997ebd6d71270dbb13e2b54c6b06084ec4c444981

Download Submit
C:\Users\Admin\AppData\Local\Temp\widex0ip\widex0ip.cmdline

Filesize
273B

MD5
3a7f69bb477ecf14d668f0dd7046bb10

SHA1
11ee48e721ed64e885d3ddd3cf06118f5e272449

SHA256
24d6071de80d95f1cf19e42d77b351ee67b93efde0294de9f6eadf4dae9f38f2

SHA512
2b86c5907cc376417e4ee5303a53d01d0f0911d5b294bc35cee155849a62a0b946415e6e9a2cbb71f9e1711736ab81aa3a5953b4b8e8d4b23b13c7393474d781

Download Submit
memory/1600-0-0x00000000746AE000-0x00000000746AF000-memory.dmp

Filesize
4KB

Download
memory/1600-8-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1600-2-0x0000000005980000-0x0000000005A1C000-memory.dmp

Filesize
624KB

Download
memory/1600-1-0x0000000000F90000-0x0000000000F9A000-memory.dmp

Filesize
40KB

Download
memory/1600-24-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4388-25-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/4388-26-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4388-27-0x0000000005060000-0x0000000005604000-memory.dmp

Filesize
5.6MB

Download
memory/4388-28-0x0000000004B50000-0x0000000004BE2000-memory.dmp

Filesize
584KB

Download
memory/4388-30-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing