3a4c8d6b698ce861ded7e32d6b14883b2d42921587f1e0303e3c63529ddc797b

General

Target

5c2942bd49f620c778d6b1a0aeeb9590_NeikiAnalytics.exe
Size

12KB
MD5

5c2942bd49f620c778d6b1a0aeeb9590
SHA1

4889b13fd04d62098dda09940e7b68d89227aeb9
SHA256

3a4c8d6b698ce861ded7e32d6b14883b2d42921587f1e0303e3c63529ddc797b
SHA512

376e046f5035cf1b769dfb26dc9c5acbac4df025b4ddfd179e41e02c6e11cc1f073d11b5adbeff033ef63f00a15d668162f8d0d7d52712a4ae7940a4e33bb858
SSDEEP

384:ML7li/2zYq2DcEQvdhcJKLTp/NK9xafP:KsM/Q9cfP

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	5c2942bd49f620c778d6b1a0aeeb9590_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3456	tmp4FB7.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3456	tmp4FB7.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3324	5c2942bd49f620c778d6b1a0aeeb9590_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 3972	3324	5c2942bd49f620c778d6b1a0aeeb9590_NeikiAnalytics.exe	86
PID 3324 wrote to memory of 3972	3324	5c2942bd49f620c778d6b1a0aeeb9590_NeikiAnalytics.exe	86
PID 3324 wrote to memory of 3972	3324	5c2942bd49f620c778d6b1a0aeeb9590_NeikiAnalytics.exe	86
PID 3972 wrote to memory of 4012	3972	vbc.exe	88
PID 3972 wrote to memory of 4012	3972	vbc.exe	88
PID 3972 wrote to memory of 4012	3972	vbc.exe	88
PID 3324 wrote to memory of 3456	3324	5c2942bd49f620c778d6b1a0aeeb9590_NeikiAnalytics.exe	89
PID 3324 wrote to memory of 3456	3324	5c2942bd49f620c778d6b1a0aeeb9590_NeikiAnalytics.exe	89
PID 3324 wrote to memory of 3456	3324	5c2942bd49f620c778d6b1a0aeeb9590_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\5c2942bd49f620c778d6b1a0aeeb9590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5c2942bd49f620c778d6b1a0aeeb9590_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b3ouhqky\b3ouhqky.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES516C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3767EDCA70E34ACFB9566CDD80F0D1C8.TMP"
    3⤵
    PID:4012
- C:\Users\Admin\AppData\Local\Temp\tmp4FB7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4FB7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5c2942bd49f620c778d6b1a0aeeb9590_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
3e78dbb8e394a2acc3970b0becab7841

SHA1
1f4204a2f34c6b7a0e7a97f72903c3f8080a25fd

SHA256
6f11f8b8523da2631d77e91d3494778e4ee810e8037fceb7a9f01c50b57322a2

SHA512
8eb6092bd889e81a6fcb3e27d03a98055b6a8014fc38ceb2bfec9b74d83759d9365b23acd5cccd3167c82b01970e837c02b49b2be2915ed6ffb4b647fcfeecd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES516C.tmp

Filesize
1KB

MD5
103477505546cfebbcdf4444ccbc09c1

SHA1
fd0365bcb3549d7d35f37b7c94e9e01600fcd708

SHA256
c5514f74ad16a9ee1a6a1d7e3833383181394faef6423793865f80000c074218

SHA512
5b7447037a627ae9ff5926f016780e97069e6738772a0dc15eefe0aa8257533f7a0f6c39a649d2a728f2cb7e788b98cc7c34204fcff664c3e71576d5b69a2dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3ouhqky\b3ouhqky.0.vb

Filesize
2KB

MD5
5b6648d911d98928e17a2c0374533259

SHA1
0b77953f769a43611d7a58fd52126e028c95da07

SHA256
1e90fed5d359b6f517ad2fd085939b6ddaa5d9084d0b3504420edd35c81b07b6

SHA512
680905bbccefb24e1b569ea99341abac4cf1aca846eac8457399b19888b8e062a1afb423729c064b09ec9a8cf87f30fc1252ca273efb6718ef57d94ccf016987

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3ouhqky\b3ouhqky.cmdline

Filesize
273B

MD5
78811feaadc87e39291066a0bd13b4b9

SHA1
6569ec1d1cf256840f95ce5025c1aaa86d1d3f4b

SHA256
f735ea332f1be5ffedfa54c0d29a7b16565a08a2803bf13e68d0bcb46263d1d8

SHA512
8e5563896bf8539eac1eeb85163641f1fdbc296abb4a2026fc9c2c3a56c8db65f3bb45baccd638bd180bdbb1f8894de5cf2e926a420b21c83546dfef5cc708e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4FB7.tmp.exe

Filesize
12KB

MD5
90e28cecddb1668e31d454231a066988

SHA1
fd253138cff99fadae2f2b2d06046a2902eb1226

SHA256
bc111680e94a18944c27213a0e7733853402652f4d2c54ab8c3305df4a91106c

SHA512
9db1b896f30d93c2ec579d08f9f25ade71716e15f91b7027467013531cb3d834e592065814f3eb609051bd459fdd88847c8804fcae4bda17669b41e7a6117928

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3767EDCA70E34ACFB9566CDD80F0D1C8.TMP

Filesize
1KB

MD5
55390ddac84d81dd420a4315d4ecfaff

SHA1
a7dbe59d1ee551412bad20b6d425b4eee348fedb

SHA256
6f52d181d451ab76cc606a5d7016e1fd450e3d7c6aacbac9fedfb8331bad354b

SHA512
57aae1c82935b38581f4e22f884308abb5f74e4fbd26116bf33e079ee239028078ed8ea1fd0670aecae1c93ce51b5d34283efa0d035a230a9d215c7737ca3e16

Download Submit
memory/3324-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/3324-8-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/3324-2-0x0000000005590000-0x000000000562C000-memory.dmp

Filesize
624KB

Download
memory/3324-1-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

Filesize
40KB

Download
memory/3324-24-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/3456-26-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download
memory/3456-25-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/3456-27-0x0000000005D00000-0x00000000062A4000-memory.dmp

Filesize
5.6MB

Download
memory/3456-28-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/3456-30-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing