84c7949f2d5e6e755d54dda67dda9650f709eafa3770b2081c7ddf228be36d14

General

Target

cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe
Size

12KB
MD5

cf7ddd1cb3e997744b015a897ed35e70
SHA1

69a09c2f2b42b804e78f702432c3fca7c7f52463
SHA256

84c7949f2d5e6e755d54dda67dda9650f709eafa3770b2081c7ddf228be36d14
SHA512

164d330414bd3aaff7b1d92d23326836830b7f161c6b4fb03e515fc026ca9ec6715b6500695c6ef4296f3f70c4c1f093bbeee478fed5ae465497de18f10ac862
SSDEEP

384:qL7li/2zAq2DcEQvdQcJKLTp/NK9xa90:0UMCQ9c90

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1936	tmp1662.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1936	tmp1662.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 3572	2376	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe	92
PID 2376 wrote to memory of 3572	2376	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe	92
PID 2376 wrote to memory of 3572	2376	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe	92
PID 3572 wrote to memory of 3184	3572	vbc.exe	94
PID 3572 wrote to memory of 3184	3572	vbc.exe	94
PID 3572 wrote to memory of 3184	3572	vbc.exe	94
PID 2376 wrote to memory of 1936	2376	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe	95
PID 2376 wrote to memory of 1936	2376	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe	95
PID 2376 wrote to memory of 1936	2376	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe	95

C:\Users\Admin\AppData\Local\Temp\cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5ryebjcl\5ryebjcl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F4B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7949BE62B0C942C38E4AECB211785F45.TMP"
    3⤵
    PID:3184
- C:\Users\Admin\AppData\Local\Temp\tmp1662.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1662.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5ryebjcl\5ryebjcl.0.vb

Filesize
2KB

MD5
9a7b52e04f8520889d955c3326826d93

SHA1
9ac11d0f7aec288448c8a183e7bdbe799111b184

SHA256
c2e3261f8d581dfd9e9f9e8c97b3232bdff93129afb3af1d91b01a7913042699

SHA512
a34ca2bb77f63d323efa4feefe0d15734ea3b56a04dcc71500a356235f8c19cceb38e6a71f9a3d7c73f6eb50693c24f36722753edd55f8bf9a63c901c33b25c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ryebjcl\5ryebjcl.cmdline

Filesize
273B

MD5
e207963b16f54c539ec96a93589909c5

SHA1
19b22cb6e448bd0ef32bdb2fa6f4415cb1158f4e

SHA256
d220c5134b5d764a111edd7fed869c9d81f4595e38a876782f00942066d7ed6a

SHA512
29d3ab0b62d1e2d4102f4ae5f1ee609bd7cc605b92dd9b67767fd5ffb4c97d053d6e2ba6c490c4e4b01a9870e0bb0e98a40a256599a9dd2a2b1fd72c6051bb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
d5205b7c3c93aee3560697287db01585

SHA1
b1430e47da8767c405155d24e27a1ef6164c2fa2

SHA256
615acd83ff2aaceeb76479aaf828605abe0fdad1cf01f9f724be5377193f0417

SHA512
294245a10b6e1d3f1688d7bfe319342ac5e73342baf78fee5d65ba818ded427f17793918adff752430b5a6e0b147d46f2b9937ed6355220e7e84cf2eb69373ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1F4B.tmp

Filesize
1KB

MD5
b723402eef2e09471a55388b31ee093b

SHA1
2fb4387ae167d427412e9b06359d7386a9361dc4

SHA256
3c38b8a5ce1f866a8716a772f32460ef3a38ce42a28312c31a08054cb7a34821

SHA512
7510e87613416a23a86108a952fe67ec32a3062ae1da3a190f8f3d0c025d53f70c532ff5ff75bf71e27aacc3537b8a76c7407bbca55fca1cc9f21426d32368b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1662.tmp.exe

Filesize
12KB

MD5
45e695a159550d0eba4e6670f7d2098b

SHA1
618cfbf12a2e2ab0ec50dc2567b1b81e0b74f0be

SHA256
01ad8be04d94eccd3895bc5be47fee31938b0625abe8097d9b2445f678556e73

SHA512
ebd5cceb40c3895ed6e8a4503d5f1ae619e19c5998e2e396ebc3b37977534aba338f7426ffd99a7cc25bf699b3df963080e20ff68f6a69ba81cedf3172c5bb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7949BE62B0C942C38E4AECB211785F45.TMP

Filesize
1KB

MD5
2ada9d276193f0b644f3af92446529e9

SHA1
dc8b4b66013f7859d99e5e13192047c9e994ee98

SHA256
8d8a748cb0b065aade7746a8acf18f0aacec9f3c66d6806262e46467df942db8

SHA512
54201e2f313777dd636f1c9556bc39310a3773d9d6ad44c6bb5bba23b4ce8efacec30e10c2e7d2577cc54182780e7db593617c8cf23f0c0cdf1162b8d76b8be7

Download Submit
memory/1936-24-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

Filesize
40KB

Download
memory/1936-25-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/1936-27-0x0000000005D90000-0x0000000006334000-memory.dmp

Filesize
5.6MB

Download
memory/1936-28-0x0000000005880000-0x0000000005912000-memory.dmp

Filesize
584KB

Download
memory/1936-30-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/2376-6-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/2376-2-0x0000000004A40000-0x0000000004ADC000-memory.dmp

Filesize
624KB

Download
memory/2376-1-0x0000000000060000-0x000000000006A000-memory.dmp

Filesize
40KB

Download
memory/2376-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

Filesize
4KB

Download
memory/2376-26-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing