d23dd556831b484947b58cddceb28e9d710d331953f6a03830d9451d8a2a2474

General

Target

4d20e5142e7cd80ca68d48c5b55c7570_NeikiAnalytics.exe
Size

12KB
MD5

4d20e5142e7cd80ca68d48c5b55c7570
SHA1

55bdf8a17b78eaf86cd53c3d506a3598adc3ee08
SHA256

d23dd556831b484947b58cddceb28e9d710d331953f6a03830d9451d8a2a2474
SHA512

e8c9e8f65ec94a8d40031e1545b4479d9736c16b071e5b8a4701595f83a93559d0d7ff10f2d7863430b47f08a617e9c4b659d4936222ec60c3a7247328877ed4
SSDEEP

384:cL7li/2zuq2DcEQvdQcJKLTp/NK9xav4:62MCQ9cv4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	4d20e5142e7cd80ca68d48c5b55c7570_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2140	tmp4E40.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2140	tmp4E40.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4204	4d20e5142e7cd80ca68d48c5b55c7570_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 1996	4204	4d20e5142e7cd80ca68d48c5b55c7570_NeikiAnalytics.exe	85
PID 4204 wrote to memory of 1996	4204	4d20e5142e7cd80ca68d48c5b55c7570_NeikiAnalytics.exe	85
PID 4204 wrote to memory of 1996	4204	4d20e5142e7cd80ca68d48c5b55c7570_NeikiAnalytics.exe	85
PID 1996 wrote to memory of 3124	1996	vbc.exe	88
PID 1996 wrote to memory of 3124	1996	vbc.exe	88
PID 1996 wrote to memory of 3124	1996	vbc.exe	88
PID 4204 wrote to memory of 2140	4204	4d20e5142e7cd80ca68d48c5b55c7570_NeikiAnalytics.exe	89
PID 4204 wrote to memory of 2140	4204	4d20e5142e7cd80ca68d48c5b55c7570_NeikiAnalytics.exe	89
PID 4204 wrote to memory of 2140	4204	4d20e5142e7cd80ca68d48c5b55c7570_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\4d20e5142e7cd80ca68d48c5b55c7570_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4d20e5142e7cd80ca68d48c5b55c7570_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\em22yht2\em22yht2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3281DC87A0F42D6B4DBE05AE48309B.TMP"
    3⤵
    PID:3124
- C:\Users\Admin\AppData\Local\Temp\tmp4E40.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4E40.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4d20e5142e7cd80ca68d48c5b55c7570_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
1175978d3091e9bee5db76440b9bdaa4

SHA1
a6198a5d9d75b7e8ba076d97d5b88f59356cdcb6

SHA256
e523f5fa0a51cd9a6b171ce0f9628359431c8bafb36ee8dd840907a5a613ab33

SHA512
a2937b4a42ad7df2b83ddad1c3817432ac23214594ec1d08e2e3d1718f29c78ecd29c01bc072ec999b0d444bc0e2e029ff36ad70304c413a036d02169e23801b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES50C0.tmp

Filesize
1KB

MD5
60b7c462f76dff7b05782ce6bc1fa73f

SHA1
296920906893a92c0f608e8767124a030bcee89d

SHA256
6d82f4ba06c013e1cfe9b66318528849c10e3991c9c23b9efea3495accc0ed4d

SHA512
dfbf58358a766e830f3899aa84c66c016808d903bc80c86e41f83c893f669adda0ecd5f6025097e30500ca31dbc35c245873ead5ee15666069596e3624c67684

Download Submit
C:\Users\Admin\AppData\Local\Temp\em22yht2\em22yht2.0.vb

Filesize
2KB

MD5
76dd5118cae0ee6772bce2852ee9a49a

SHA1
3067f5badbf12320a3d6def782680f0eba5bbe0a

SHA256
0c071bef990d32964d3f8560bc83593c76697aebd0bae2ffadbd7135808cb973

SHA512
7e4d5c4b17033712685c79e432780d1841e91fc44c011755a57d2ec8c4d9317c46b749b3a38d6dd4cadcea99d74f2f2d4a9ea8e8638e441961866f1c75696540

Download Submit
C:\Users\Admin\AppData\Local\Temp\em22yht2\em22yht2.cmdline

Filesize
273B

MD5
ae08de7de0daf0b63fadcb7592fee4eb

SHA1
13bc1eb7e32d44622896fd3979fcde2f90e40eae

SHA256
1369d4b9eae55813d0849ac790e9508db94e9666241b83f087168d0ec28ae5b8

SHA512
7c86775d9b1b540d07e1ef07e3541101274f78afa08304859602096e4897231766594abdfba02ea3eb033ceaf6236a00db60ae41f6c4498e53d95fab8d4b5d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E40.tmp.exe

Filesize
12KB

MD5
88bd88b59ff1f1b5b7ab7d44e4646fcd

SHA1
63f6fedfb57ae3f7cb085bc0399d5a1e86e833d4

SHA256
8a1d782ec8015b4a99516052cbebf632c383a31f31dcfa4b778db271b9c78175

SHA512
d282cc9875bece1f5aeffffa7a9e5f1b291872de8f2c09e30fcbffa61ec48249dbd20b71b663fdbe76288386dffdf5d3a583a1793e09b928acf8e4e797751cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3281DC87A0F42D6B4DBE05AE48309B.TMP

Filesize
1KB

MD5
551ca94c9579ac8f165309547ade0ef2

SHA1
5f50ac844c729c25dabcb22cbd45cb3fbe1a3828

SHA256
52964f4353ea661b130334abc46d769564fe1d360ba1f0a3018c9bef0da7a19e

SHA512
70d9a4ccacd821e1a0cb3087b15c3c71742c9043b9b1f8aa5ec97ee9a2600b0926a4bb912ffc379841ac5359c8bfe011905d65fc128c6e09f7c6f8ec28cd32b6

Download Submit
memory/2140-25-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/2140-26-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2140-27-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download
memory/2140-28-0x0000000005530000-0x00000000055C2000-memory.dmp

Filesize
584KB

Download
memory/2140-30-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4204-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/4204-8-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4204-2-0x0000000004AF0000-0x0000000004B8C000-memory.dmp

Filesize
624KB

Download
memory/4204-1-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/4204-24-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing