ac78ae6859e76adecb9a7d3832fcd7d78ecda878e47c1d747954bc5f17bf74f8

General

Target

4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe
Size

12KB
MD5

4a2b844cc3569863df29389496680c10
SHA1

485d6c18331112391d7ae64e6d35728fb10c3331
SHA256

ac78ae6859e76adecb9a7d3832fcd7d78ecda878e47c1d747954bc5f17bf74f8
SHA512

5a5329a4a19ec550b42d34b5581071a85b30c42890decfd1da67f92f70fc16f529b2d8b98edde470968924eb8f8706b8c802b7afa2f5b89c6611001cfb3c9cf1
SSDEEP

384:FL7li/2ztq2DcEQvdhcJKLTp/NK9xado:FtM/Q9cdo

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1952	tmp7427.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1952	tmp7427.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 4508	1012	4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe	85
PID 1012 wrote to memory of 4508	1012	4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe	85
PID 1012 wrote to memory of 4508	1012	4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe	85
PID 4508 wrote to memory of 2644	4508	vbc.exe	87
PID 4508 wrote to memory of 2644	4508	vbc.exe	87
PID 4508 wrote to memory of 2644	4508	vbc.exe	87
PID 1012 wrote to memory of 1952	1012	4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe	88
PID 1012 wrote to memory of 1952	1012	4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe	88
PID 1012 wrote to memory of 1952	1012	4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4ygqeejf\4ygqeejf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC19E0B7F276A42259F448DCABFA3A57E.TMP"
    3⤵
    PID:2644
- C:\Users\Admin\AppData\Local\Temp\tmp7427.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7427.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4ygqeejf\4ygqeejf.0.vb

Filesize
2KB

MD5
4b32f4d34da1262b4ffab0cac2c7d76e

SHA1
f0cce41635dbb0284b5f7e6faeb4e5cccbd24cc7

SHA256
84a65f16987a568f8f0e47103fad937cedd138dc66da109aee76a9fdfb219643

SHA512
f803b58dac485a6c610793918de420db27e20780a1bd59ae37e5585020095e20572f0a0e2be6beb597dfdd6407d4887049a9a5c27afe74c34698fc2f8e0bad25

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ygqeejf\4ygqeejf.cmdline

Filesize
273B

MD5
6a3ab5ab142211b3ec9f592d4dc7ff01

SHA1
601972340a35d8a3d6ef9e4b346d3271836e358d

SHA256
89f723fd62a5e714eda3305be4c366fe4e6f6bc23882d99aa64d4d6249104a8f

SHA512
9e2ed5d73afa87108cb739be03b846f53817d6f93fa6c0c8c11323836e4827c7f85cb4991d63bc342ca3101b7326f29790914920ca867e4451540dcab2e69354

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
2e724a46d14ac8ee589ca03fda20a4b7

SHA1
aad29f7935084983bfe9c111041bcdf80449030e

SHA256
fc84bb35ccb02df05999d08c9fa1935ca568ddaf1e777184b399412aebcc4496

SHA512
636fff35ce0d18a054ba6014fc678a947afb22fed4bbb307818182270c828a964512d123b4288037266cca7024625e1ab6446d99a8c9402f02b2aed418804afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES75CC.tmp

Filesize
1KB

MD5
1280b252ff347b3b5d3fbb3a6503f27b

SHA1
b1126fee77b46e51c7cb228b12de088aa7d5dd88

SHA256
0f6cf49872c5f9d10fd49d5b20ca376366c5ba293ced418424f4c325d7196c0e

SHA512
2fb5e0b3ed9639ade51e854128d382abe5b62db22f73809405f5e13db215fbcbf4775beb70f9fcfc394f55b0987956860f3be26d95b1fd5064585568e7d8555b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7427.tmp.exe

Filesize
12KB

MD5
6d105f2fc124ed00a83231c0010cf2aa

SHA1
8f04bcaf00c06b3d2dc84879fff15bf30d2060b5

SHA256
16202c27f410e1d6e48f1f762de842fce0f2d92a021d7935f0fd752a8ce308e1

SHA512
8ba5497eba78944b95b3c4cc9d6eabbe24dceeffcaa6e4de9d45b93650caf9a2438179bd0728d85cb978fc57caebd446bdee370ce3002228306c96f0849d7302

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC19E0B7F276A42259F448DCABFA3A57E.TMP

Filesize
1KB

MD5
4accacaf8acb48a1369786d709a7959d

SHA1
f89f550f30e901da8d561166bef732ff0ff0a917

SHA256
3ee34a04035970dc88128959d3859b210d0aa95366194765ef06c4640facf4a3

SHA512
574f704cf1db7a2a646e8449d0ffd55601071e515a90175256ff3f1426277a8798e6fcb8db8d14edc3bded0ad15ac083566737b3dda483c5795126347a71d754

Download Submit
memory/1012-8-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/1012-2-0x0000000005870000-0x000000000590C000-memory.dmp

Filesize
624KB

Download
memory/1012-1-0x0000000000FB0000-0x0000000000FBA000-memory.dmp

Filesize
40KB

Download
memory/1012-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/1012-26-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/1952-24-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/1952-25-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download
memory/1952-27-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/1952-28-0x0000000005720000-0x00000000057B2000-memory.dmp

Filesize
584KB

Download
memory/1952-30-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing