25ea33f3e06d0e4eed64cef88daa440fa05e7a3121ab8c86c86a3b20ae1e5cf8

General

Target

500d88c959a3e5a30764bf3f8728d3c0_NeikiAnalytics.exe
Size

12KB
MD5

500d88c959a3e5a30764bf3f8728d3c0
SHA1

775679d39f79daa12d6d77c60074d30c1438a6de
SHA256

25ea33f3e06d0e4eed64cef88daa440fa05e7a3121ab8c86c86a3b20ae1e5cf8
SHA512

a19d050649fde2c06aec1bcb1d8b0e6210b09cbf29fc982b573b02bccca8d3dd00bae148a83595c2a3ea4259ada50e2ebdb23d525f9e8aac5703aa680336653a
SSDEEP

384:qL7li/2zoq2DcEQvdhcJKLTp/NK9xamz:0UM/Q9cmz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	500d88c959a3e5a30764bf3f8728d3c0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
428	tmp43B1.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
428	tmp43B1.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	500d88c959a3e5a30764bf3f8728d3c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 4220	3404	500d88c959a3e5a30764bf3f8728d3c0_NeikiAnalytics.exe	85
PID 3404 wrote to memory of 4220	3404	500d88c959a3e5a30764bf3f8728d3c0_NeikiAnalytics.exe	85
PID 3404 wrote to memory of 4220	3404	500d88c959a3e5a30764bf3f8728d3c0_NeikiAnalytics.exe	85
PID 4220 wrote to memory of 4820	4220	vbc.exe	87
PID 4220 wrote to memory of 4820	4220	vbc.exe	87
PID 4220 wrote to memory of 4820	4220	vbc.exe	87
PID 3404 wrote to memory of 428	3404	500d88c959a3e5a30764bf3f8728d3c0_NeikiAnalytics.exe	88
PID 3404 wrote to memory of 428	3404	500d88c959a3e5a30764bf3f8728d3c0_NeikiAnalytics.exe	88
PID 3404 wrote to memory of 428	3404	500d88c959a3e5a30764bf3f8728d3c0_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\500d88c959a3e5a30764bf3f8728d3c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\500d88c959a3e5a30764bf3f8728d3c0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0abmdldm\0abmdldm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4585.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2AC7BBABE4EE444B997D8B6AA02245C9.TMP"
    3⤵
    PID:4820
- C:\Users\Admin\AppData\Local\Temp\tmp43B1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp43B1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\500d88c959a3e5a30764bf3f8728d3c0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0abmdldm\0abmdldm.0.vb

Filesize
2KB

MD5
96d85ba62108788298fcfbfc728e057f

SHA1
04b8419644a37635904aa173ca519b1e186bf30c

SHA256
fe5a73148c28ddb0e5fa812df006dc2c940463855c7680672d95c1db4c5a068e

SHA512
decdedad91986f966885651f7d4443a72e800c0b0a17fb7fbf938adf807274ef6687c6c68cf3d90c375c8172ecff6621803cfaadbfe87d144ec1ee2f3d5d6e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\0abmdldm\0abmdldm.cmdline

Filesize
273B

MD5
8a5c130b42eacffb5da37f08c4de4a4a

SHA1
f6fa80e2a18c2ea21c76944fe228a2f2eb3ccdbb

SHA256
bc63fd0d96464f70c40b8baeb930f54288ef3f369215402b41b443959c0a3555

SHA512
5b55ff8404e2b0313be29c1c695d6574dc03788944836fbf7c56d95488dacf7e7c6e53a3c3d988e43ffc479f15437209c97cb212eb27db2310e8d7001be471a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
6ea4ffc9fe40b7fedd371a15b1763d9a

SHA1
760b93056e4ab3da2b0aff418f4fd337d614a30a

SHA256
1ca94f18a1bfe87b627d7b152c6976ba4bcac855661e8fb84b2a9e3a7924355e

SHA512
1e643e852abbf4f1fa5c41ceec1e998d449974213c9777a50a855c2f071ee8627dad0c94fefe8ab64b00bd8ec849ff1b2b3b3002026b5dea1014e74d62e41ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4585.tmp

Filesize
1KB

MD5
6bdc6d6fb0e73d89548c8a216638fc3c

SHA1
376346f1b24a2801b6dfdfaa6fb286023825900b

SHA256
a6b6f2c2b45990e0b32136220336596d04b3369b6b4071259cb5d7a16a86b488

SHA512
63c6b80e13a33e0f2b99c87587fe8096528c673669410c02084566f7c148655daf8a691dcb841fb1009ba159423fea5db86a683b8bd335ebf396557f9dec0b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp43B1.tmp.exe

Filesize
12KB

MD5
59532f71d58672f821663a7d8fcdbb33

SHA1
82cac8301dc2b41ea824fc998d89cf7eb86d0f77

SHA256
ed47b0607e88c9622ab64f0381aee7629ac7364b6dc9c1eb5837590f42857aa8

SHA512
fe4670a2f230bf32334ee11e9e7efd02b800297cb29a966c49cd55e56f73d6272b2ddb7748fbdf66175dee62f3e8f603604067cbf57701926b8f827fd74c2ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2AC7BBABE4EE444B997D8B6AA02245C9.TMP

Filesize
1KB

MD5
d7405c6b55555ad506d338b21c87d8af

SHA1
ea0c849fd1df731e66f51f1050371c5a8f8972e0

SHA256
a771073ab3a5503058c6509b8f28264b4d20be01a5b0ec4a5c2bc25caa9bb8a3

SHA512
944b752f5394cd43458e23bb647c3dd335d1cf6aa34279ca8b7523e65ab3dd38d0d9b16956701f3f6774f8e5eeae7fa405675cf4d4da17140a3b6dc2e6f3f29e

Download Submit
memory/428-25-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/428-26-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download
memory/428-27-0x00000000058A0000-0x0000000005E44000-memory.dmp

Filesize
5.6MB

Download
memory/428-28-0x00000000052F0000-0x0000000005382000-memory.dmp

Filesize
584KB

Download
memory/428-30-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/3404-8-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/3404-2-0x00000000055B0000-0x000000000564C000-memory.dmp

Filesize
624KB

Download
memory/3404-1-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/3404-0-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/3404-24-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing