c66b3ec7224d80972b38b689e85c4fb395fbfbfcfe6dd5018bbd04bc17787979

General

Target

81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe
Size

12KB
MD5

81f16f0ac610e0b01dc4e21b61ce9b20
SHA1

6927214c52526f0df4ca146c11d02cf3665b1350
SHA256

c66b3ec7224d80972b38b689e85c4fb395fbfbfcfe6dd5018bbd04bc17787979
SHA512

13b24cdd20b5d83769cec343716337b3399bee00e1a8734b981a00f8562fba0e9be012b36b8c79a85a72c4deb20995ebe61fcd3d6eab98765d58d929934b31e6
SSDEEP

384:qL7li/2zhq2DcEQvdQcJKLTp/NK9xawr:0xMCQ9cwr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4116	tmp4084.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4116	tmp4084.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4296	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 3600	4296	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe	87
PID 4296 wrote to memory of 3600	4296	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe	87
PID 4296 wrote to memory of 3600	4296	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe	87
PID 3600 wrote to memory of 4104	3600	vbc.exe	89
PID 3600 wrote to memory of 4104	3600	vbc.exe	89
PID 3600 wrote to memory of 4104	3600	vbc.exe	89
PID 4296 wrote to memory of 4116	4296	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe	90
PID 4296 wrote to memory of 4116	4296	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe	90
PID 4296 wrote to memory of 4116	4296	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gcghr3ti\gcghr3ti.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9817416F3B934F6486F33DEA4E0DF15.TMP"
    3⤵
    PID:4104
- C:\Users\Admin\AppData\Local\Temp\tmp4084.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4084.tmp.exe" C:\Users\Admin\AppData\Local\Temp\81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
791dd6b9dd38ac471a70b730e67c867d

SHA1
1fed14c2915f0b7045c0fba7331970f6a029fe8d

SHA256
cdf100044f18f03b21d07f210b00c7e247c8948bee638f4a4411790e9916e850

SHA512
d1e5af876c70c33fad8e1ecb0fc4e3d36fcd32fb401f42e87203883a2198e7ab68dcf8342582dda18806576ae403ac45f8cc2d5dea0a9cb04dd77cbdb6424b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES41EB.tmp

Filesize
1KB

MD5
7f7f1376b0c1e5c459dd241746d5d49d

SHA1
553e4641450eb204303f2714f42bcad18e9bb5f4

SHA256
8f0ff91f927bd3faed7acdd7efca38f44c33b84422f9d91185325bd7e29e5b93

SHA512
caaa143c0b734b363ba2d6db9c5f6e139207d871557aa1e32ddaf6d9e262630579eae44d226e00c17176fc7718181e3af36df314a48c2062566acb2710003c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcghr3ti\gcghr3ti.0.vb

Filesize
2KB

MD5
0acaea086f4c623db46d3f9c32f7002c

SHA1
31918c3d4622c15867f3fed539101560fb43859c

SHA256
a84d62c9ab8585f7f6e648dcacbf8e131b53486b22712cd9ebc96fcbfddf1d30

SHA512
e0258dbb4a69bf77bede3bd3ce5f0b84cc76f0ed512276c6ac022e1f01607416960f4f2591fb7cd48a23cd2810e832279879f28385f84604daddf4a04c8570f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcghr3ti\gcghr3ti.cmdline

Filesize
273B

MD5
bace065c51ba31f6fa74b5dd3466b8ce

SHA1
4f4337f23f588dd958cbc419d94425c9e365a797

SHA256
d60f18dfc118d890af4179e1d5d5b3d663eabe7d243f087e5b82feb905a0e986

SHA512
9f92e3428d2d62368e2bf6d528423ff54c09efac622d680421dce7df821e091d3142714e5d48be90055bed4335d56520c60ae6cacd61e2e7c0cfafc527d5f148

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4084.tmp.exe

Filesize
12KB

MD5
3878b69eaa562bf4c412913770aff644

SHA1
939301af7ed54d08bd9ae9c260b4aff305c10ffb

SHA256
2714d7f63bf65479bae6980f8d5bd62bedc1c572f4daef6e9486bfcffe45d727

SHA512
0fec02cd2d6547b37dbb828acec2ba0a523ac960f905cfe91d194a36bdbde8d25a87aee6091787bd821176fc6b6f35cddc78e09177bc912261a43c1ee90edb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9817416F3B934F6486F33DEA4E0DF15.TMP

Filesize
1KB

MD5
830e6c0a14a456804b293a9cefdfa3f7

SHA1
21b431a2e272cc3dbcfb82612f2c4f44e67d0eaf

SHA256
5e52615b8923118527e9dcf1034b84190d3e6b38cce50a100c2ab9fe01c6c084

SHA512
d4829d5cafd494d077cc2d7eac1eeaaa570fba01430ba8201e119b1c185787143a14d54272af28b610bd2b08486d1875495da1825f95abf80050ad86647588f4

Download Submit
memory/4116-25-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/4116-26-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/4116-27-0x00000000052F0000-0x0000000005894000-memory.dmp

Filesize
5.6MB

Download
memory/4116-28-0x0000000004DE0000-0x0000000004E72000-memory.dmp

Filesize
584KB

Download
memory/4116-30-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/4296-0-0x00000000747EE000-0x00000000747EF000-memory.dmp

Filesize
4KB

Download
memory/4296-8-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/4296-2-0x0000000005790000-0x000000000582C000-memory.dmp

Filesize
624KB

Download
memory/4296-1-0x0000000000DD0000-0x0000000000DDA000-memory.dmp

Filesize
40KB

Download
memory/4296-24-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing