c392336ce40a0e5fd21978898d7814b4a106a177a1113636e81d5babb675c48b

General

Target

d34a4fb49868a07637ff78539d9a98b0_NeikiAnalytics.exe
Size

12KB
MD5

d34a4fb49868a07637ff78539d9a98b0
SHA1

6b9d005662c65598814abd8aeadc5866928f7c8c
SHA256

c392336ce40a0e5fd21978898d7814b4a106a177a1113636e81d5babb675c48b
SHA512

ceff157513ab97cff0e43b85dbf328e1c0409e76c5413020dd4fb6fcddce130d831ffd56598d49f99f361605d7449ccf74ee7517acd09eb71ac241576af2d711
SSDEEP

384:GL7li/2zqq2DcEQvdhcJKLTp/NK9xaU1:giM/Q9cU1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	d34a4fb49868a07637ff78539d9a98b0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2016	tmp4E6F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2016	tmp4E6F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3496	d34a4fb49868a07637ff78539d9a98b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 3004	3496	d34a4fb49868a07637ff78539d9a98b0_NeikiAnalytics.exe	85
PID 3496 wrote to memory of 3004	3496	d34a4fb49868a07637ff78539d9a98b0_NeikiAnalytics.exe	85
PID 3496 wrote to memory of 3004	3496	d34a4fb49868a07637ff78539d9a98b0_NeikiAnalytics.exe	85
PID 3004 wrote to memory of 3440	3004	vbc.exe	87
PID 3004 wrote to memory of 3440	3004	vbc.exe	87
PID 3004 wrote to memory of 3440	3004	vbc.exe	87
PID 3496 wrote to memory of 2016	3496	d34a4fb49868a07637ff78539d9a98b0_NeikiAnalytics.exe	88
PID 3496 wrote to memory of 2016	3496	d34a4fb49868a07637ff78539d9a98b0_NeikiAnalytics.exe	88
PID 3496 wrote to memory of 2016	3496	d34a4fb49868a07637ff78539d9a98b0_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\d34a4fb49868a07637ff78539d9a98b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d34a4fb49868a07637ff78539d9a98b0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b1ls4mdk\b1ls4mdk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5023.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBEC3DE13976B4B8189C1A6DCE399A95E.TMP"
    3⤵
    PID:3440
- C:\Users\Admin\AppData\Local\Temp\tmp4E6F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4E6F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d34a4fb49868a07637ff78539d9a98b0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
93839726a3eadd78ef9b050ec3d6b9ea

SHA1
0aea49beeb7f5fa1d4d5370a3f2a0277516cd683

SHA256
066998c5bfce98e321cd91a1d133f58dea679d61113a64d1615e7749b51149a3

SHA512
49965c63dab7b39c1f59e1afe61e79e050e6b1d150556056f899b50e27099513115fa6eeb0c1be02e309f1091b802aad07997d8f9b64e0bbf095dbcef8882712

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5023.tmp

Filesize
1KB

MD5
bcf5f61733f10b2790baf719054f17b2

SHA1
2f46046319fcaf08c33aa67244bde6b5fba40b48

SHA256
781f4a5d729be5fdb52fe334f2776343cc6a5c222e19db9eba075fb2e80a76c7

SHA512
ba2dcb7ece688e1d7dce0674bad1ecbb7a259f463feb7eff64a382ea58cb89cbfb3ec289d6d5d2314a7d24a7dc244b7eff2e496104db2b2f0a1afc40ccec5b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1ls4mdk\b1ls4mdk.0.vb

Filesize
2KB

MD5
3974a7cbeec3b44333aa18eb72133282

SHA1
bf59ed62b0c109060203e514c5f4aae06fdbd21b

SHA256
d75c4f18da263e9f24c0a0bf1ec3801ff921975f3a7584418b5a7c85ef71e14e

SHA512
41ba6c1bce148eebbcdd36b73aeede0f3881a49f6d5dbe5a6dde2b255a295d00543ca4b4e5125cd4dc9bced559c67e785ce2f1dcf1c2896dea3fbed2bdf933c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1ls4mdk\b1ls4mdk.cmdline

Filesize
273B

MD5
cdf188c128f8869c505751473d0c995c

SHA1
89fa1fbd432781bf58b8cc4e884bcd9790d4fb0d

SHA256
e5181d18bc2a9776c9610ec93416a3b763fe364684d510fc942869dc3a35286a

SHA512
7596d5e18ac911df0e9bc92001375b00ff6cf3f8a9cf471d96fe75d5f08e4e2a01eb1de6e9c84f66a54127136323a312a0968a8108cc1430a28c6202f4617b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E6F.tmp.exe

Filesize
12KB

MD5
7f62dfade6bc61632cb12ea2c6bbee9b

SHA1
a17ee1ef787380a19873d95c08481e5ea3ac75dc

SHA256
fdcece55980273cd21d020a303b2696486472b4a37b79caf15d93117dab8d0bf

SHA512
db3d5dbd0c6d6a972e4c701891b1c79ac68c765a6141c6c7960526cab4b224930a7349a4225a12a108319cb02fa25eaa9ef16a3ef4d37a2c9475f25a3750a702

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBEC3DE13976B4B8189C1A6DCE399A95E.TMP

Filesize
1KB

MD5
600225ea75e0f8aa9b595da9790b6069

SHA1
4aff7eb3c3ef0a3d1d1359e61573d5448ae60fdf

SHA256
4497ba592d89f1b920c859ddce13d0129f0e0a93812957945688ada3cdeaca0a

SHA512
204c5631f0a38e7361e9db391daf760b8fb92c05e57eda224f86e53347c5322cc8719073ae0ebebeb2d8c0146050a6564eef27de47d2d9431ebff4b8d79a3180

Download Submit
memory/2016-25-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/2016-26-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2016-27-0x00000000051F0000-0x0000000005794000-memory.dmp

Filesize
5.6MB

Download
memory/2016-28-0x0000000004CE0000-0x0000000004D72000-memory.dmp

Filesize
584KB

Download
memory/2016-30-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3496-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/3496-8-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3496-2-0x00000000050E0000-0x000000000517C000-memory.dmp

Filesize
624KB

Download
memory/3496-1-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/3496-24-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing