3557f09c919984f8eba6391c2426cf13e45d568a148774b39c1dd870ae919366

General

Target

9bebde2f1186f6cb7697382b7da73150_NeikiAnalytics.exe
Size

12KB
MD5

9bebde2f1186f6cb7697382b7da73150
SHA1

9a82766fea101477ec98780157e6e73445423771
SHA256

3557f09c919984f8eba6391c2426cf13e45d568a148774b39c1dd870ae919366
SHA512

ee072983f5eceda4f12200654030fd5793d5315b991193be3422382b87f19ac9b4ae5e6a7f2f0fd499ed9c26bb6a0bc7d16f8111f2b0e132592ecdd0af70ab62
SSDEEP

384:6L7li/2zwq2DcEQvdQcJKLTp/NK9xa33:k0MCQ9c33

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	9bebde2f1186f6cb7697382b7da73150_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2772	tmp6E99.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	tmp6E99.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	9bebde2f1186f6cb7697382b7da73150_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 3032	1112	9bebde2f1186f6cb7697382b7da73150_NeikiAnalytics.exe	89
PID 1112 wrote to memory of 3032	1112	9bebde2f1186f6cb7697382b7da73150_NeikiAnalytics.exe	89
PID 1112 wrote to memory of 3032	1112	9bebde2f1186f6cb7697382b7da73150_NeikiAnalytics.exe	89
PID 3032 wrote to memory of 5000	3032	vbc.exe	91
PID 3032 wrote to memory of 5000	3032	vbc.exe	91
PID 3032 wrote to memory of 5000	3032	vbc.exe	91
PID 1112 wrote to memory of 2772	1112	9bebde2f1186f6cb7697382b7da73150_NeikiAnalytics.exe	92
PID 1112 wrote to memory of 2772	1112	9bebde2f1186f6cb7697382b7da73150_NeikiAnalytics.exe	92
PID 1112 wrote to memory of 2772	1112	9bebde2f1186f6cb7697382b7da73150_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\9bebde2f1186f6cb7697382b7da73150_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9bebde2f1186f6cb7697382b7da73150_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bqmlklr5\bqmlklr5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7000.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF930A0E25703473E869EEEB3008BA8.TMP"
    3⤵
    PID:5000
- C:\Users\Admin\AppData\Local\Temp\tmp6E99.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6E99.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9bebde2f1186f6cb7697382b7da73150_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
1175978d3091e9bee5db76440b9bdaa4

SHA1
a6198a5d9d75b7e8ba076d97d5b88f59356cdcb6

SHA256
e523f5fa0a51cd9a6b171ce0f9628359431c8bafb36ee8dd840907a5a613ab33

SHA512
a2937b4a42ad7df2b83ddad1c3817432ac23214594ec1d08e2e3d1718f29c78ecd29c01bc072ec999b0d444bc0e2e029ff36ad70304c413a036d02169e23801b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7000.tmp

Filesize
1KB

MD5
e2e871fb3a2df91f5a27c077759d718a

SHA1
2dd34fbe6ae3972bab74fb2c7585754647a4bed3

SHA256
4fa0a48ce3f20e15dbd248d74b81aa90f522e5bc85437af3699e619210cd013c

SHA512
2d85d00a2deca62d109a58718835fa5603fa8deec7a9bae5884860e714bd7c12d1ccafc91c187a24a012efcd07bef9bfdc1ad4f6c12313f39f7089298a599b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqmlklr5\bqmlklr5.0.vb

Filesize
2KB

MD5
76dd5118cae0ee6772bce2852ee9a49a

SHA1
3067f5badbf12320a3d6def782680f0eba5bbe0a

SHA256
0c071bef990d32964d3f8560bc83593c76697aebd0bae2ffadbd7135808cb973

SHA512
7e4d5c4b17033712685c79e432780d1841e91fc44c011755a57d2ec8c4d9317c46b749b3a38d6dd4cadcea99d74f2f2d4a9ea8e8638e441961866f1c75696540

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqmlklr5\bqmlklr5.cmdline

Filesize
273B

MD5
29a36cb95ccda91509e674b979fb86bf

SHA1
69d66feb7af73a879f17f77382ebf85cc193fb3b

SHA256
243bda5f6c91d044f175b72aa954be386cd8f15a14d7491f15d51450990b47e1

SHA512
23ba2803c279a6e0b32035bde77d9bdd6213e3964470ebe13e1ac3de6ae461c7d0b2c7a3fe2f515ea24ebf34bebcce07f6494adc20c5dff447625d9178de68ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E99.tmp.exe

Filesize
12KB

MD5
f87d898f1357ede372f429174b2f0477

SHA1
fd2a245c364a22784e704aea2b237cd90a943e23

SHA256
f29b1f115613f7f5bca908d47576b01e9ede6ef2f0f63bc4a488131598ef3f16

SHA512
984a2e5d24f3c7c69c9b1197f074111eba13036c3dadd77e7c56d66480d7b1870f0cbd62629bbe2ef39981d8dfef7e786cf18d9bd06ad55f58d00614b8bce615

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF930A0E25703473E869EEEB3008BA8.TMP

Filesize
1KB

MD5
c080e8bdb5419c076f769522dfc06a07

SHA1
e5694dfe6456323982f12e158a462e85e814fdac

SHA256
31bbd5527e581fc3c440832c581e204c828ba3e0ad077b55179bee686581adee

SHA512
507345eb5e7d05bfc9609df285a5e1031d6740c1c12ceee7fb016d00cc1b62f5c43083b08bcdd872403fba5ab312e09476514f1ad66d2ea209516c0dda1e6b74

Download Submit
memory/1112-0-0x000000007509E000-0x000000007509F000-memory.dmp

Filesize
4KB

Download
memory/1112-8-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/1112-2-0x00000000054B0000-0x000000000554C000-memory.dmp

Filesize
624KB

Download
memory/1112-1-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/1112-24-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/2772-25-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/2772-26-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/2772-27-0x00000000050C0000-0x0000000005664000-memory.dmp

Filesize
5.6MB

Download
memory/2772-28-0x0000000004BB0000-0x0000000004C42000-memory.dmp

Filesize
584KB

Download
memory/2772-30-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing