3d7d08cb3283723eeeb9f454285a82484bb9f4cdeea07caa31fb5d255a14446b

General

Target

5770ca451449ba364e75ebfa2eee9590_NeikiAnalytics.exe
Size

12KB
MD5

5770ca451449ba364e75ebfa2eee9590
SHA1

480795985bdd4eb071b0f637bf13e3a7a1aaad18
SHA256

3d7d08cb3283723eeeb9f454285a82484bb9f4cdeea07caa31fb5d255a14446b
SHA512

44334236f00dca8db345f9946fc3154ee0b13746140782f71c050b46dae97fb6a15b8eb0e9dda52374e305815a66c31ac10eebe11847b4fad5a6ebd33d046155
SSDEEP

384:sL7li/2zfq2DcEQvdQcJKLTp/NK9xa2pd:qjMCQ9cSd

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	5770ca451449ba364e75ebfa2eee9590_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3276	tmp4EAD.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3276	tmp4EAD.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	5770ca451449ba364e75ebfa2eee9590_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 4912	2800	5770ca451449ba364e75ebfa2eee9590_NeikiAnalytics.exe	87
PID 2800 wrote to memory of 4912	2800	5770ca451449ba364e75ebfa2eee9590_NeikiAnalytics.exe	87
PID 2800 wrote to memory of 4912	2800	5770ca451449ba364e75ebfa2eee9590_NeikiAnalytics.exe	87
PID 4912 wrote to memory of 1504	4912	vbc.exe	89
PID 4912 wrote to memory of 1504	4912	vbc.exe	89
PID 4912 wrote to memory of 1504	4912	vbc.exe	89
PID 2800 wrote to memory of 3276	2800	5770ca451449ba364e75ebfa2eee9590_NeikiAnalytics.exe	90
PID 2800 wrote to memory of 3276	2800	5770ca451449ba364e75ebfa2eee9590_NeikiAnalytics.exe	90
PID 2800 wrote to memory of 3276	2800	5770ca451449ba364e75ebfa2eee9590_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\5770ca451449ba364e75ebfa2eee9590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5770ca451449ba364e75ebfa2eee9590_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xpjiqcob\xpjiqcob.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50FE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD5224607D4FB4E8CAB815CE036974DE7.TMP"
    3⤵
    PID:1504
- C:\Users\Admin\AppData\Local\Temp\tmp4EAD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4EAD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5770ca451449ba364e75ebfa2eee9590_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
31f6f829cd3d50ee791905af0f887a39

SHA1
c2ed7df3e808e54303dc70d54b76996eeb50a26a

SHA256
78c30fad48bf53fc6950c318f65559334b8878a5f7fc188c60d289bbc5c7cb92

SHA512
3b5dbf2bb262743c3cc319ed8f3a092c412842e67b8af1ec0389db1f8745293ff4e42d9d93df7feaf37aa19c59aed95222f1a7145fec11a5f0aed00828596a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES50FE.tmp

Filesize
1KB

MD5
71ff4faf633b185ef461172d386f5703

SHA1
2bf7def0bb8401dba899d37625cdcac820b2f0c3

SHA256
0a2e2c104d11dc3e990713fca9773648f0c49155169d8c6bd9f07e81136f566e

SHA512
e17007fb7212950ea121a331d6cf49353e7ead89935388e77a7b6a8db66ed5f17665490cb7cae3f073de2d313d727ef754a7c2e7ad1f83eed0dcdfdf226cde2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4EAD.tmp.exe

Filesize
12KB

MD5
70cb3275334bea567204291ad3cd4f31

SHA1
722fa6296c620eef74b6c16e8e14880315f19238

SHA256
0e863b37b8ba53109270d374981088b8ba148b7a95d9f6319af6dd1145b52f50

SHA512
d8bdb13730902e078bbe824e1a78f6758c340fc9b782172ed2fd8ba186dc688828ad808bf2ba77687e3d2270a6c94f79097cffabfb9a545c3bfe5fa1d5f55c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD5224607D4FB4E8CAB815CE036974DE7.TMP

Filesize
1KB

MD5
f88bfd30a6eed014dc279c0a75f9d01a

SHA1
0298167228998d9ddeea1728f7d10558359ee814

SHA256
bd895b16ffcaee85041666b8c21e642104933dd7a18ef2961c3d8699c131a19f

SHA512
06f3047a06b633523ab2170c7c0e244b9fa1b9edf14350594e32a4f5f3f4becd0c7bf4e54e314ec7004bd02c5c516a4d9495b3bf852521da0d3adc4015c0227e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpjiqcob\xpjiqcob.0.vb

Filesize
2KB

MD5
0f5d19c58d0f289f177e5158bf90f412

SHA1
4c60e7ad42b9e5b3679424d0d81cf5a85e424779

SHA256
a532ea3c53f78ee2f34a8bfe45efe3a5fd851780f604d6da0214aee87d06e24f

SHA512
1008e1aad6730933acc1965c242d46cb5c7e64ba84c9b8f4dd47fa9d7a37a638544b841b712bc1d52f1c82e7055ad18e31df8f2b1651fa8f6664c927bdfcba0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpjiqcob\xpjiqcob.cmdline

Filesize
273B

MD5
e11a2a0f6189b33633a62cb9ce80a773

SHA1
dfd7bc12d99297f00bd754234a7e45501ff41df4

SHA256
eeee2935aaaeb722c10fa8f885d5542f79c4fa358b1e0d0484bf6a6d5c97858b

SHA512
a5c096a6e034f9e9b364ce3a687abe8b9a7222f7aa3e0b0de402453315b58b1b0dcb38987a6fc320f7d00b0a0b0388c00f78ce30767effd718d9cae5ece29b20

Download Submit
memory/2800-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/2800-8-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/2800-2-0x0000000004BA0000-0x0000000004C3C000-memory.dmp

Filesize
624KB

Download
memory/2800-1-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/2800-24-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/3276-25-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/3276-26-0x00000000007E0000-0x00000000007EA000-memory.dmp

Filesize
40KB

Download
memory/3276-27-0x0000000005700000-0x0000000005CA4000-memory.dmp

Filesize
5.6MB

Download
memory/3276-28-0x0000000005150000-0x00000000051E2000-memory.dmp

Filesize
584KB

Download
memory/3276-30-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing