6cd60d249bf3bd93bfca7f77b1645ce6a5488e809a626959b9fe6983e5b62220

General

Target

c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe
Size

12KB
MD5

c8921cc603b0ef43c3f937402ec14fa0
SHA1

8dfcb6e2ec2d2ac031b8dfa5f9ca99cce9064cf6
SHA256

6cd60d249bf3bd93bfca7f77b1645ce6a5488e809a626959b9fe6983e5b62220
SHA512

4955ae38a8105cd2366544ebadf4c0fed87b1586b008a98bdf825e4c02de542deea388b4d1adfb1e7e951a1ba4568eca3e0ceb7f07af6d156f6f56a8976b0279
SSDEEP

384:vL7li/2zdq2DcEQvdhcJKLTp/NK9xaeo:DdM/Q9ceo

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3144	tmpF118.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3144	tmpF118.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3468	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 4000	3468	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe	94
PID 3468 wrote to memory of 4000	3468	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe	94
PID 3468 wrote to memory of 4000	3468	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe	94
PID 4000 wrote to memory of 1520	4000	vbc.exe	96
PID 4000 wrote to memory of 1520	4000	vbc.exe	96
PID 4000 wrote to memory of 1520	4000	vbc.exe	96
PID 3468 wrote to memory of 3144	3468	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe	97
PID 3468 wrote to memory of 3144	3468	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe	97
PID 3468 wrote to memory of 3144	3468	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe	97

C:\Users\Admin\AppData\Local\Temp\c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cc0ywcly\cc0ywcly.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2BC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7B66AAC1754C9F8C4332CE8F917487.TMP"
    3⤵
    PID:1520
- C:\Users\Admin\AppData\Local\Temp\tmpF118.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF118.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3848,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3920 /prefetch:8
1⤵
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
9e9cdbee36c64c74d4902a58a4aafbe6

SHA1
08a50e2077ee3cd8658a537e5afee8d9cdae75d7

SHA256
40373a534b91478adeb58481ddff312d5f1b72f0c5c9f35721b79afeaf012e1f

SHA512
55d84a5ef92bc0790fb6da475a2bab439df8619cd45443db814f6f261350e46a71ddf4f9cd3a7541057ef33c489776b57dd319bfd774a010d02e06840a30f9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF2BC.tmp

Filesize
1KB

MD5
54652783f437bbdaa2e1399183ca967a

SHA1
5f9308be297ca03b922f2f19062b5ccec7d1e673

SHA256
f95a1b5cf72bef73c3a223275acd7de1f073adda643eb8a096a3fa6e1ac74f90

SHA512
aeee136fd9f1345024916412b16b4408f3f6856afd1976cf72aec84ab3cfc037df7403e1d2b7d510061390e6172d7a8839070eeab6016ec68ed1a47b74510b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc0ywcly\cc0ywcly.0.vb

Filesize
2KB

MD5
91bd59587bf25271221af97fc25e3708

SHA1
cbc794aa79954727fb2fa57d46675064243e8f33

SHA256
7b9a7796d534c9afa5c76e422a565dc913673e4fe35f30341eadb1ecbcff07da

SHA512
55f963e0a5733aab94f5bec15d116c93593189d1c0540ff893ce46c136acd6c7e8db3972ac1a9539ced45ba67359ed67ccdeb33615479b7eda05bc73cbaa4159

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc0ywcly\cc0ywcly.cmdline

Filesize
273B

MD5
afdb202411a039450b02167eb58ef2f0

SHA1
db8c3b57a451bd812232a62fd3771ad93dc24fed

SHA256
af7676f30eea2d3c9081edac1132e8e6d0e3c18d6d07599198f8415c660e501f

SHA512
80a412b40e53366fbe5be79bfd2b834a27ce9fd84dd70b11abc4e38b7e4112e98ec5839169fe3cd1419234d339e0c4ee21cc343e1c409b7ace9714431307cba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF118.tmp.exe

Filesize
12KB

MD5
6cd6f8eb823f8beedfe9e91858d77341

SHA1
e8270ead6dd9a7cbd52b242dc4d16387ba5036e6

SHA256
d2549ccc5a78ff9f7fa69f0924fe312ea0251fbd188036a9c73d7557fc1f9cb1

SHA512
23d6b80cc3d53b6aaef8bfc7cf00b91365fe60bb39e5558c20e497f62e2e9c46b75086074e7548562bfa7b49d2533e21ae1a9d4f0590b9620ca9c674d2744c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD7B66AAC1754C9F8C4332CE8F917487.TMP

Filesize
1KB

MD5
8cd6fb367e42e4b14866087ea24a3116

SHA1
d92c2dc92505eeb457f257c0d134811a5adc6340

SHA256
a13fd5329a3aa9e5fa815b28bf9c086aaf21e66155117ebd919c40635702fa78

SHA512
f7777b5d4a84e10218bcc464b5adf98acaf9a32a6fcad0f2e4365c34a2bd0ac88080b6fd2353a411f54b95cfcf91bc5fae69f6577203c8a4e8f3808802bb3b6c

Download Submit
memory/3144-25-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/3144-26-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/3144-27-0x0000000005410000-0x00000000059B4000-memory.dmp

Filesize
5.6MB

Download
memory/3144-28-0x0000000004F00000-0x0000000004F92000-memory.dmp

Filesize
584KB

Download
memory/3144-30-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/3468-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/3468-8-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/3468-2-0x0000000005670000-0x000000000570C000-memory.dmp

Filesize
624KB

Download
memory/3468-1-0x0000000000D20000-0x0000000000D2A000-memory.dmp

Filesize
40KB

Download
memory/3468-24-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing