7cd3647b0e93352d2cedd0103a16ef794b5618f20df6387eeabc8a013bdeb9a9

General

Target

10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe
Size

12KB
MD5

10e8917546bc43cd789a3135d5558830
SHA1

f45838965abc8b031970380cfe22361d0e796b50
SHA256

7cd3647b0e93352d2cedd0103a16ef794b5618f20df6387eeabc8a013bdeb9a9
SHA512

4282081c1bfb21bdb13b11bde62a5bfde9d9a8af86e3d84af3ef03ff8cae26e903f710f7a3057ed6cf67fc45d1edff484ed7bfb775b4d3df3333abfbd8436d52
SSDEEP

384:wL7li/2zDq2DcEQvdhcJKLTp/NK9xa+/:u/M/Q9c+/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4816	tmp4DA4.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4816	tmp4DA4.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4480	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 4240	4480	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe	85
PID 4480 wrote to memory of 4240	4480	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe	85
PID 4480 wrote to memory of 4240	4480	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe	85
PID 4240 wrote to memory of 3680	4240	vbc.exe	87
PID 4240 wrote to memory of 3680	4240	vbc.exe	87
PID 4240 wrote to memory of 3680	4240	vbc.exe	87
PID 4480 wrote to memory of 4816	4480	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe	88
PID 4480 wrote to memory of 4816	4480	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe	88
PID 4480 wrote to memory of 4816	4480	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\axxnf4g1\axxnf4g1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FC6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F73F5113B8E4919836251F5742B65B9.TMP"
    3⤵
    PID:3680
- C:\Users\Admin\AppData\Local\Temp\tmp4DA4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4DA4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
9b4eed5ebf860b83f0a22304ac435220

SHA1
c3054a87870584f24cca07fbf0838a57c135e191

SHA256
fb2dc9283562c8595be3c17c26523e6247f1c147434695cd109607a36909cedd

SHA512
578aaacdc8360c64ea4d0ba3d0f141edb8572927a60a75868682d2dc6f4af9c37b938f27ce1e982239dda5d5f5ecd5f698ef49afe31972d514eca642fb056fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4FC6.tmp

Filesize
1KB

MD5
d3451359ff06dd25df2f2d5318c20b2b

SHA1
9cf2b6bf6c42c7422f15277487be15f25dfc0801

SHA256
8f1f8c5816b905091bdb410dee4c27233c89f4c73c62a35f7acc0fe6ce547316

SHA512
cff4cf83d4ec11b723681a4438e9398038b549d5802bd9ee9520dbd82b4e18580c60e8e08ab81bdaea0ef32f0f5ef419fed420dc5b95df964aaef9b0c1e9eb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\axxnf4g1\axxnf4g1.0.vb

Filesize
2KB

MD5
6c14afd336530c6dd7cf16cee296f770

SHA1
7bb1b5dcb78ee5d3472df95f918e06da4d3890aa

SHA256
21cd2eecbd9927212e56c08d69d73f6af05082783eb603dd7898bd22986924a5

SHA512
45bfbc5ef83b20c8f7bc5d955410265b1d502fe719bde68e7fc8e58b16048db70bbc93eff1bfa6b60faaca4fea06944e8a9acf336ac4370fc64c680ea4bdaa6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\axxnf4g1\axxnf4g1.cmdline

Filesize
273B

MD5
10afe7f3d13fb1fed393c8a5497254e5

SHA1
b91ef0c1c2b8f80f58b5ee6aebeefa74908eb532

SHA256
5a2599b1920e47c982435a48dba0d874bda36289b3874f98c04b1dcf4ed4cf51

SHA512
421fb8d0e26da2e65f8140baf64fb63f7a66fbe3e0164d45a6b2b6172a2e235a170b3600d704ffdc5febb584a1cfa4f9c870fede3e0d3a6fe9358785cebeeae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4DA4.tmp.exe

Filesize
12KB

MD5
d26e61393c078a9e123521e6da7d996c

SHA1
6e5c028a50f9272723816c7b5a8d5c4a6602ab95

SHA256
fbcf2998038f57827194b7494fd4b6f9ea49ab5b74dea38172deeb534ef12220

SHA512
fd74d46cebda29f12329667bf4f29020c35a56d4181c8cf007299849d375c775c9ce37c81b0c7b1bde508cc0889d9df411d3357420642d11c0f08734348c9c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9F73F5113B8E4919836251F5742B65B9.TMP

Filesize
1KB

MD5
9e4e6b75f127cb425a5215f8e3efdf4b

SHA1
6d321a64e11d615f16112cb99676fd1847483c09

SHA256
76358af8456ba564befe6337a1c2a375746a35da4616457d3eaa8fb5258dbfcb

SHA512
f616b382ff39887914338603f4976cb3a3b1526dd49252930dc5781cae648dd0ba34fb094ca3579c7393f6f6524037905a58b6463b4a022ffb48cd41c9703f6e

Download Submit
memory/4480-0-0x0000000074BAE000-0x0000000074BAF000-memory.dmp

Filesize
4KB

Download
memory/4480-8-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4480-2-0x0000000005040000-0x00000000050DC000-memory.dmp

Filesize
624KB

Download
memory/4480-1-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/4480-24-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4816-25-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4816-26-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/4816-27-0x0000000005080000-0x0000000005624000-memory.dmp

Filesize
5.6MB

Download
memory/4816-28-0x0000000004B70000-0x0000000004C02000-memory.dmp

Filesize
584KB

Download
memory/4816-30-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing