367563a6941882d00623e2e55d3f14d20ed5fd3569cd5a02eeef430863b79266

General

Target

a1398b00c145e6425531b7488f33e710_NeikiAnalytics.exe
Size

12KB
MD5

a1398b00c145e6425531b7488f33e710
SHA1

b70f27d0c833ca0e6f0dc381e0a8adc908519eb8
SHA256

367563a6941882d00623e2e55d3f14d20ed5fd3569cd5a02eeef430863b79266
SHA512

22c0258c553ed9f634ebd8f0fe7eefb056603874353b78185ca4dc504381c18fd2eb1b1a841a5250ea08f3e10690136a68ab604a306c42dfa6ead5fde9651514
SSDEEP

384:zL7li/2zBq2DcEQvdQcJKLTp/NK9xauX:XxMCQ9cuX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	a1398b00c145e6425531b7488f33e710_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4656	tmp3C7D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4656	tmp3C7D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	a1398b00c145e6425531b7488f33e710_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2992	448	a1398b00c145e6425531b7488f33e710_NeikiAnalytics.exe	80
PID 448 wrote to memory of 2992	448	a1398b00c145e6425531b7488f33e710_NeikiAnalytics.exe	80
PID 448 wrote to memory of 2992	448	a1398b00c145e6425531b7488f33e710_NeikiAnalytics.exe	80
PID 2992 wrote to memory of 4012	2992	vbc.exe	82
PID 2992 wrote to memory of 4012	2992	vbc.exe	82
PID 2992 wrote to memory of 4012	2992	vbc.exe	82
PID 448 wrote to memory of 4656	448	a1398b00c145e6425531b7488f33e710_NeikiAnalytics.exe	83
PID 448 wrote to memory of 4656	448	a1398b00c145e6425531b7488f33e710_NeikiAnalytics.exe	83
PID 448 wrote to memory of 4656	448	a1398b00c145e6425531b7488f33e710_NeikiAnalytics.exe	83

C:\Users\Admin\AppData\Local\Temp\a1398b00c145e6425531b7488f33e710_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a1398b00c145e6425531b7488f33e710_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i4rkxesl\i4rkxesl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E51.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc107120D896F47A088F0B15AE2B225C.TMP"
    3⤵
    PID:4012
- C:\Users\Admin\AppData\Local\Temp\tmp3C7D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3C7D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a1398b00c145e6425531b7488f33e710_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
981ef94c84117125af9d91c3a9504e37

SHA1
09521b9713b9a285500ed6c53ea76db0356cf5fc

SHA256
ff084b54fc23f94182ea354405fb67e38340815dc3d7e630c7346a08a89a02f4

SHA512
72fceeff7afbb7f53b45d141720a6c03494eda60aa5750f7aed09fd4a17703a3392e01a481a075f944d0e911c71123c8389ddce6b593596194615092037a828b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3E51.tmp

Filesize
1KB

MD5
f83005c3863809b30506b58ce7fb091f

SHA1
6ad732ec80876605d4b39b1311c49aa345105c84

SHA256
5ae8a573a37ccd7b6ffc9f1fae47f8dcceb2a92a6243d5a37d2ad5a7b7268a43

SHA512
0084119291f3d03d527e369cc4d9014ae9a94b8c1c786531cfb333198c114846f6ff102d08ffe2dc0d3efabc2a57771dd5226e546450087d84bbdaafba7d6edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4rkxesl\i4rkxesl.0.vb

Filesize
2KB

MD5
080beac3dcaefc3813f50f9784852636

SHA1
49fc7d3c92eb4dfa1120e75691813268fbfada6f

SHA256
edaedbaebcabbfb34abad2e329c7f552f0d8ad4f2529a0fce5e7b760709bf009

SHA512
ea53a2f98d07a4f7568e44e7a213121ca4b6d541f2b5c5e994d6607ef0be838f8cb5b41c8125d68f4dcda8c8668226679e6f7da9051b4be0ef6b17fc8cc1611f

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4rkxesl\i4rkxesl.cmdline

Filesize
273B

MD5
42bf18016dc4a802d94e25fcba6abcda

SHA1
f2251bd16e15b0893f74386d8f50857618729cd8

SHA256
e15ce20d6cf995e850995005487ee6ceab14637bb4c9ea8a1f3f1f583305034c

SHA512
eaaccff0a6cefcfa471af85aa4e772185db8bd06ee3f04acf5c2e70e5a431045dbacec75a2905fcd68f9df661cd4f6f69854a858c00ed4fdd5166955543fa0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3C7D.tmp.exe

Filesize
12KB

MD5
3a7a325b3ec41ba744ea73649ec23aa1

SHA1
ba1f7d62c71664678c54b307ccfd61b8d2fb6615

SHA256
48669c00e1a8e76f48933eba1a124031d30ea0abbbfc157d980a88c2e17a591f

SHA512
228b02b6ce4a2b10ac4ac999edc669ededae0ad7a93d9878133fbea11dd2ebc8fdc16bc3fd8632144844c3836f2f3d4fb60786eaab3383ad4eba1c105508031d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc107120D896F47A088F0B15AE2B225C.TMP

Filesize
1KB

MD5
a93c55530e1451d46f4effa9ff459f86

SHA1
3f457b0b0540ae21fbbfe27b0710a1260340beda

SHA256
33b29a4908ceb1ac3eb53a6269f689fbed485ea594db131e66d2a00f58e430f4

SHA512
a5768fe42fbbdcef002d2dff1bb8ca5009f205b8970d97483088fc5d7fafc719cb9c95b90aeda3c6d8d363897339e9983c5f8df0527938d1ab22d67c4978b350

Download Submit
memory/448-0-0x0000000074BAE000-0x0000000074BAF000-memory.dmp

Filesize
4KB

Download
memory/448-8-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/448-2-0x00000000056B0000-0x000000000574C000-memory.dmp

Filesize
624KB

Download
memory/448-1-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download
memory/448-24-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4656-25-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/4656-26-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4656-27-0x00000000052F0000-0x0000000005894000-memory.dmp

Filesize
5.6MB

Download
memory/4656-28-0x0000000004D40000-0x0000000004DD2000-memory.dmp

Filesize
584KB

Download
memory/4656-30-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing