0ab3180614dbb7acad5c529f3ec56483d40ae457447012721225e9795b4196bc

General

Target

a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe
Size

12KB
MD5

a52f08fb5c2dfbcad380b60a30e12bb0
SHA1

b814c3cf79e2d9c2e490d3880e6e03bccdc862f8
SHA256

0ab3180614dbb7acad5c529f3ec56483d40ae457447012721225e9795b4196bc
SHA512

255c898bcef5d498877e7529ee7954379f3832d96c8f1dfc88dd8da374493fa2ee58fb384b6bf6ce524429fadba62307f6e213535bc22eb328ec558ddf1da761
SSDEEP

384:vL7li/2ziq2DcEQvdQcJKLTp/NK9xalQ55:DSMCQ9clQ55

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4772	tmp5276.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4772	tmp5276.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 372	436	a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe	85
PID 436 wrote to memory of 372	436	a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe	85
PID 436 wrote to memory of 372	436	a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe	85
PID 372 wrote to memory of 656	372	vbc.exe	87
PID 372 wrote to memory of 656	372	vbc.exe	87
PID 372 wrote to memory of 656	372	vbc.exe	87
PID 436 wrote to memory of 4772	436	a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe	89
PID 436 wrote to memory of 4772	436	a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe	89
PID 436 wrote to memory of 4772	436	a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qd04it0v\qd04it0v.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5488.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1EC8B435DE440B8F44F1F98DD15.TMP"
    3⤵
    PID:656
- C:\Users\Admin\AppData\Local\Temp\tmp5276.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5276.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
6a6e9ff237efd75dcbe6df94e46d9007

SHA1
9c78df78fcac55555bdd156970b180bd90579fad

SHA256
a14d7807edb416715ab1663db5a49d29a284ab13e6b7d2bbbbb539bb3acb82a9

SHA512
0633659f120e68a3407026076820a56a376f65a0d9f7141c294f49b29b5a558382fbd16f571433e5bfe8956ae567a28833d94b1a5c6f385060f905eba14e82af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5488.tmp

Filesize
1KB

MD5
cfbad02681626e691dd009d677a925cc

SHA1
81ab7962fbe0c594b3db0f15b5d3dd99cd2eb176

SHA256
8626282d8e5c744d260205f796196b2cf6f8f7a12f3df7804b8b2542b86d8ff3

SHA512
96d1db83cf721c1262b64f3ee50102a641760b523c58d992fc153b2dea547713dc395a221e9d071828655e7897b613a2b4f75b99e332508c126f2264d32b3f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qd04it0v\qd04it0v.0.vb

Filesize
2KB

MD5
8662f2f1bf1f8ab81b352f5e41beac41

SHA1
7129f64ce53401bf19301478b9681351989cee1b

SHA256
383ed7fa1fcc2d0897f22cdf4d68b40b4e1cc3d9d7175087af88b6e8eb4bd014

SHA512
4955a199847f263a134cdb927e28bb16f414fdc5c12f04fc16f87ab18ebbe39e7e138142c9dec96dd0165247f20cfcd0b98586dcd18b2838521d553c9a1d238b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qd04it0v\qd04it0v.cmdline

Filesize
273B

MD5
177bb9b46c56984b26a0fd5bc5a6d7eb

SHA1
f297c72f49c75865a894dd0288a9932cf3c45c2a

SHA256
abeabfdda2e522960beb8bb11d30358653baa3f58b8ca6ce7cec43db7424287b

SHA512
1d6e155fa1b0d105d390630ee2f22a2d666a3afc8c90c1d0921b6b9ddd56225d21a1d49ce46146163b02b848b73fa1c0475df1b22eaca4fd424a509e381ab709

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5276.tmp.exe

Filesize
12KB

MD5
869dc7ada814dd838b11c4bbf29c0963

SHA1
072229053f3c71eb482b8fa9fb1d217144a2eaf6

SHA256
b4acb376cbd277a9ceb19b044368900ddf0510ba8afd8ed078807f1aef3bd03e

SHA512
9e37b0ff211977fcad4109972f6ebaaf236978e31ee07b861ef711d841e3d1aaca3be9fdba38d53387887cd797f0265afde6f73b26b2530c1fd545f9cafc32a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD1EC8B435DE440B8F44F1F98DD15.TMP

Filesize
1KB

MD5
408667ccae8793d7907b997aacb4f742

SHA1
2dd7072c6487a8411e063a0ae6afaf0a14d7c2dc

SHA256
57ea38317b7b2bdb2215ce8f723fc72d0aba62f375f47895b9770e65f65a9c40

SHA512
97c0523d535e8fda95e6b9b64558ffb421f04d481c6b8909315a589fde61a6cef8e049fe4611ff4f069cd2eeb913b6123202e433339814378af40062894139d0

Download Submit
memory/436-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/436-8-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/436-2-0x0000000005610000-0x00000000056AC000-memory.dmp

Filesize
624KB

Download
memory/436-1-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download
memory/436-24-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4772-25-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4772-26-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/4772-27-0x0000000004F60000-0x0000000005504000-memory.dmp

Filesize
5.6MB

Download
memory/4772-28-0x0000000004A50000-0x0000000004AE2000-memory.dmp

Filesize
584KB

Download
memory/4772-30-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing