e76d3ae955b50a99834413bbfa0cd0ed583cc7f1dbc79fcf8b3b886ef0c5866b

General

Target

73e87473ea0e8c0fa4ad32cc9a3faad0_NeikiAnalytics.exe
Size

78KB
MD5

73e87473ea0e8c0fa4ad32cc9a3faad0
SHA1

94b239a4b26a2197087f9e2debced611391046a4
SHA256

e76d3ae955b50a99834413bbfa0cd0ed583cc7f1dbc79fcf8b3b886ef0c5866b
SHA512

96e04d7b17508f95447592e53c0ae6e21c36e2fa711955e1ea0ff3d6cafefa08035d9dc63b8f2dc75d4de49db0653233ac2daec80a62ff746851c20796229ce8
SSDEEP

1536:We58MLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt609/71Sb:We586E2EwR4uY41HyvY79/G

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	73e87473ea0e8c0fa4ad32cc9a3faad0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
5756	tmp30F3.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5756	tmp30F3.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp30F3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	73e87473ea0e8c0fa4ad32cc9a3faad0_NeikiAnalytics.exe
Token: SeDebugPrivilege	5756	tmp30F3.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 2416	1136	73e87473ea0e8c0fa4ad32cc9a3faad0_NeikiAnalytics.exe	82
PID 1136 wrote to memory of 2416	1136	73e87473ea0e8c0fa4ad32cc9a3faad0_NeikiAnalytics.exe	82
PID 1136 wrote to memory of 2416	1136	73e87473ea0e8c0fa4ad32cc9a3faad0_NeikiAnalytics.exe	82
PID 2416 wrote to memory of 4220	2416	vbc.exe	84
PID 2416 wrote to memory of 4220	2416	vbc.exe	84
PID 2416 wrote to memory of 4220	2416	vbc.exe	84
PID 1136 wrote to memory of 5756	1136	73e87473ea0e8c0fa4ad32cc9a3faad0_NeikiAnalytics.exe	86
PID 1136 wrote to memory of 5756	1136	73e87473ea0e8c0fa4ad32cc9a3faad0_NeikiAnalytics.exe	86
PID 1136 wrote to memory of 5756	1136	73e87473ea0e8c0fa4ad32cc9a3faad0_NeikiAnalytics.exe	86

C:\Users\Admin\AppData\Local\Temp\73e87473ea0e8c0fa4ad32cc9a3faad0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\73e87473ea0e8c0fa4ad32cc9a3faad0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l6cm6-9h.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBCD46AB97B64A7A8A8D34D2E71F9E9C.TMP"
    3⤵
    PID:4220
- C:\Users\Admin\AppData\Local\Temp\tmp30F3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp30F3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\73e87473ea0e8c0fa4ad32cc9a3faad0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:5756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES31DD.tmp

Filesize
1KB

MD5
124883fb2a6ff32550a50e0fb26e8c55

SHA1
12ca0c7345fdfc85b2fcac3f4a1095adca7517d9

SHA256
43859ee67fadd803dae0096b0ba5463d725b98b62251ddb318a7936fcfc86b1d

SHA512
d3a72f16c914d21506e511295d639f70b3fa8452f947d69e4f4f95583578ce52676b8a26aac6eb3ce57bbf7a41484984d419355a5563adc7e649f59448bd29d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\l6cm6-9h.0.vb

Filesize
14KB

MD5
19c19f92922d720535827a93f85bad3c

SHA1
8027a05119f1e01d6cd7c783a45169ffdf0be3a4

SHA256
37a3610aa2215de19230e0ded5681187097ac878fa76f0ad9685cc7c393ddeff

SHA512
b81de98fde3cffa06af110142a1be8980c75139879ccbbe73b0da8529e2083039ca286b0e1ebf684e3e9ebeec38b6402c6ab5dcc89c644c267305eb9e56f59ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\l6cm6-9h.cmdline

Filesize
266B

MD5
d47f2d0e860f5f19afbc3e094fe40e76

SHA1
832e2313d52292ca4689ed98871bd3bf743a0771

SHA256
a6a0d5ab87f720e6ed5af97932678364476da3f70333d0f6c02810a5dbd292ec

SHA512
bfc72cad0c477b9ebf5ebf4714c55047e7ef635ba45b81ff770f4ca1a3530b41ca276abe576188e2d69f754a4d066c62180a1243bb95cb7dfaf12a1e4e5d44c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp30F3.tmp.exe

Filesize
78KB

MD5
164dc5c6fc8c0fae52f2bf0855e24887

SHA1
5d9febb38081f94be156b7463a7297c336387d66

SHA256
0563722fcd30b7d29f2d6fbbd7d5c034220689f41dc72c78dc70d5f281e16ba5

SHA512
021c7b2bd23367741f513200f63ba5a35fc4682b7f943f7479e5012ca9fd1e5b3721cd1d1947b54c2290062b64aeb59b112dcc23b99519c1f87fb112d69afded

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBCD46AB97B64A7A8A8D34D2E71F9E9C.TMP

Filesize
660B

MD5
7a062fed614b460f198fd4f4c469a4da

SHA1
168ee8a6fa44fccdcf44f2736e55ef929f41ecc0

SHA256
9b5ccd2bc5e26f361de72bf21061b89cdec579def6091442681f7ab7721faa64

SHA512
32c87866dd9b74430c871b806ceda17b5fd84d579ee8afcdc3477e489dbb68217113a675abe5b5f2aadf295a63c3b9c6c3c7aabcbb5b2d379d53d414731edffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1136-1-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/1136-0-0x0000000074DC2000-0x0000000074DC3000-memory.dmp

Filesize
4KB

Download
memory/1136-2-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/1136-22-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/2416-9-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/2416-18-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/5756-23-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/5756-24-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/5756-25-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/5756-27-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/5756-28-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/5756-29-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads