1f37bbee512c5d6192c46714e88f6f5ee1e4e7332f64986d92627f089a6d24cb

General

Target

bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe
Size

12KB
MD5

bce60d78d9a86deff1e49741e15ce740
SHA1

cf88457054cf906592e9e0c0ac5980f0e82f3b54
SHA256

1f37bbee512c5d6192c46714e88f6f5ee1e4e7332f64986d92627f089a6d24cb
SHA512

de34ddc946c853b0da2648d443a167436ebd1837e82036e05dd8d903b524f9ed02f16bf41a7ebad5e1755a380463e28202dd115bc966f10ccf312e1aab47c0df
SSDEEP

384:hL7li/2zeq2DcEQvdQcJKLTp/NK9xanx:BGMCQ9cnx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4228	tmp4D94.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4228	tmp4D94.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4876	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 5056	4876	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe	86
PID 4876 wrote to memory of 5056	4876	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe	86
PID 4876 wrote to memory of 5056	4876	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe	86
PID 5056 wrote to memory of 4924	5056	vbc.exe	88
PID 5056 wrote to memory of 4924	5056	vbc.exe	88
PID 5056 wrote to memory of 4924	5056	vbc.exe	88
PID 4876 wrote to memory of 4228	4876	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe	89
PID 4876 wrote to memory of 4228	4876	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe	89
PID 4876 wrote to memory of 4228	4876	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uw32jdmm\uw32jdmm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FA6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6145EA0A50F24C95B2E99368AC251932.TMP"
    3⤵
    PID:4924
- C:\Users\Admin\AppData\Local\Temp\tmp4D94.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4D94.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
023c02ed4be52e8b8865028fa3f0b297

SHA1
bea11ea8f03763e5d9e4944b77cc968a35ce121d

SHA256
c918cf097f5951c363cfa0b830e1e6af33c1c6199948fb30673fc677a9e08313

SHA512
49edd737485488a55d29f85ac20fc15ca757187b4ce178668c0fdd392d639000b440caec2e3f1a41625b00e64b550fe932b3db36d0a7a6e35e9f30309894fb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4FA6.tmp

Filesize
1KB

MD5
4931d01669db1eb508c0811fac2b78c9

SHA1
7c86ba7e55d51eda899cd28dbaabcc302ee58103

SHA256
fa04d5d350801d4e8787ccc7817c45595f1cbeca8ff575cbb68a09d2950d23ad

SHA512
59532615dbeafeb23f1488685920d56a5fc492b6555ea28215ebc05b0be8b097f7fd5e3985a71ef26bda5e50e26311b266fc2488b6e655c5c22df50397d1d8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D94.tmp.exe

Filesize
12KB

MD5
a56f0cf1ea9b3a01971c97782c2055bf

SHA1
1911d322d8831267c01db943a85973bf52e9cf53

SHA256
ac28bf67d95b7f7382d680f97f0f872896765fba8abca33148930f50be59bb0f

SHA512
1a700cf6adc29f12c86a87fd9c8be2243c0f1a93796b1e8c1d1a8d4237e72013c21c756a27cf949ab277554db43357681fbddeb4f32974e56ebd02c97bc6b76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uw32jdmm\uw32jdmm.0.vb

Filesize
2KB

MD5
f63eec507510c73e52deb544bd3489e7

SHA1
070ba85d401b3cc6b9a1030a7d1d9bc6e88cdf72

SHA256
ef1d380f27e5e3f1a104171164dea913c750ac97e08a74301fbd7357358b473c

SHA512
4270a363a567ca93335fed3ac8b2031121c647b40f702be0226f7eac6b33f0b862d90ac6618f963f154e481218b0c3c29d9aedc296e2dd221813256679182c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uw32jdmm\uw32jdmm.cmdline

Filesize
273B

MD5
5af41a2dd719156fa7aa4a25b92f4aec

SHA1
f82314b4f3942465c0c85521daef6473fa37dcaa

SHA256
fcfe7d163da7e468dac0b03776b8362dbe6cb9595d3a935ba8d6c33670860697

SHA512
adc67b568ce0a5775b0fea4253b0cdf185c3ed2c0a42f21229279d80f418d941458d1f7453cde04cbe2354602413b9f233ad5899c562c5dfd9d2efa7548ff285

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6145EA0A50F24C95B2E99368AC251932.TMP

Filesize
1KB

MD5
ed096ae76be0b0962f0cdf8ff3970a19

SHA1
e92b69230ad92f4e05556e04672162e6ec7a90bc

SHA256
9fc7ce2710a76e1708f928dc0a722d6bdf4cc76a6095bd0c055210ccc234bffe

SHA512
52aca15a265dc18940e84e8f7cc7f3654304f50cb2d3ab74ea4f8d8bf571382992d47f8bb552f938150455433064cb549a22adb17f93638db94bbce4e0353a9d

Download Submit
memory/4228-24-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/4228-26-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/4228-27-0x0000000005420000-0x00000000059C4000-memory.dmp

Filesize
5.6MB

Download
memory/4228-28-0x0000000004F10000-0x0000000004FA2000-memory.dmp

Filesize
584KB

Download
memory/4228-30-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/4876-0-0x0000000074C8E000-0x0000000074C8F000-memory.dmp

Filesize
4KB

Download
memory/4876-8-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/4876-2-0x0000000005580000-0x000000000561C000-memory.dmp

Filesize
624KB

Download
memory/4876-1-0x0000000000C30000-0x0000000000C3A000-memory.dmp

Filesize
40KB

Download
memory/4876-25-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing