97664cecd758e1a4a64ec2a4d91168884805c8921d13c7837090d4d4c5ec727d

General

Target

0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe
Size

12KB
MD5

0772bbcbf7c04c4c2279bebe015029f0
SHA1

a97ee7848579fd3acb2433b5d8b9bd371a26eb73
SHA256

97664cecd758e1a4a64ec2a4d91168884805c8921d13c7837090d4d4c5ec727d
SHA512

5985d5056ade14ac85dd7b1854bdcdb7bf37d46a0c230f00d77a9dd500d81580d6b433be6cb115ced97beb1937a09b8753d1bd0aab43d5258aede7ae99697ade
SSDEEP

384:jL7li/2zisq2DcEQvdhcJKLTp/NK9xaa9s:neMM/Q9ca9s

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4244	tmp5E3E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4244	tmp5E3E.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3600	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 3604	3600	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe	86
PID 3600 wrote to memory of 3604	3600	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe	86
PID 3600 wrote to memory of 3604	3600	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe	86
PID 3604 wrote to memory of 5036	3604	vbc.exe	88
PID 3604 wrote to memory of 5036	3604	vbc.exe	88
PID 3604 wrote to memory of 5036	3604	vbc.exe	88
PID 3600 wrote to memory of 4244	3600	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe	90
PID 3600 wrote to memory of 4244	3600	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe	90
PID 3600 wrote to memory of 4244	3600	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2s1knhbp\2s1knhbp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6021.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE95AA738466458D9D299CCDEA4DB9.TMP"
    3⤵
    PID:5036
- C:\Users\Admin\AppData\Local\Temp\tmp5E3E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5E3E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2s1knhbp\2s1knhbp.0.vb

Filesize
2KB

MD5
d7ee0368948fd0890d7fc1f21504a52f

SHA1
16fba447337e802175b82c19195d9e3ff5134d5b

SHA256
7a70867a0bd7571759a569d459560ab453c564684959f5648d012422db6ebce7

SHA512
cd2e9bf5ba05d04d496b573a2af1c2dc28ac347d8d9839d3db9877cab365fa7074df2cd2717462df7346a14c6522c09a9617ff03dd8cd3dc7930dfe4e0c77b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\2s1knhbp\2s1knhbp.cmdline

Filesize
273B

MD5
58aebb855161cc1c3b55692149b6d0d4

SHA1
21ac923ca1afac8c8d4f79b28dcb72624fa5b87f

SHA256
950b54886d15b476cec1d971024ca6ccf688e708814267b1160c2dcba6055e2e

SHA512
abdced1429cc226aa9d2d6810dfe38324275b8867b10b343a1745fde5277548e90e78f2b41a8608266c4bff1496374f82d47926c991c933db811f5669be6c67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4c7ed5e8d25b868e347aab0d14a73a71

SHA1
72acda4130483adaaeb370d0caea105f17bd46af

SHA256
f7ee904f6e2b94b2a6a54325f5adbf5d561c10a03b616988732ea3a54e53a057

SHA512
9fbcfce28ba1ae92ec64fb8d28cecc415580e534d8b878bdc8b8e3056ce64f2cf0201686b6479652b430c2828b3e7b24414a6fa13c0b39b40e7ecb962c7e330e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6021.tmp

Filesize
1KB

MD5
5be9164e65a341916e967636c1714307

SHA1
ee71907bc34c92845b9e0057bc1862df47e9a153

SHA256
ba5656e795fa0336062528dcc5c4d6e18877626113e2f230fd534a3481a24abc

SHA512
1fd21ad44937c06cf21ce1852271664f3ec937ff564bdad025759624731494a2be4ba9298fec54b9fc7626a8357f7e39c5a66c895b5f75a05c746bc9b77e4542

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5E3E.tmp.exe

Filesize
12KB

MD5
8909a52a8550f0c7134aecb709438db4

SHA1
1787e624b81c6ab4da8b16cc09efb3568ca41e29

SHA256
c300240c6df84e1683007b214fbd3196b3fe8102a41dd27aa7a069d2444bed24

SHA512
e70b9f14439a5984c8aecbfa4b4ca1f13bc40bf610fc2e540ef606225e35697534dfe25a4cb489d330c06cb1113eb332dc93c5b431bdb6ee96e7275542200423

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE95AA738466458D9D299CCDEA4DB9.TMP

Filesize
1KB

MD5
dc031af39dd94c9efcfe67ae5cb2f7a7

SHA1
0e175471364f34614a908fe1eb0a8b32364f7a9c

SHA256
21034e12307baaf1a41711712b6c300d53621c7f6f4b0673c5bb40fb3ac18f08

SHA512
6cecb846439a7058d049e555fbe5a44a6d65bca36989aa431d30a91a97d077a5b642dcd7ec5fcaef6cf0cab58f4a8ef7defbee65824b139b40f9bd2a305dc084

Download Submit
memory/3600-8-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/3600-2-0x0000000004B50000-0x0000000004BEC000-memory.dmp

Filesize
624KB

Download
memory/3600-1-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/3600-0-0x000000007471E000-0x000000007471F000-memory.dmp

Filesize
4KB

Download
memory/3600-24-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/4244-25-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/4244-26-0x0000000000F50000-0x0000000000F5A000-memory.dmp

Filesize
40KB

Download
memory/4244-27-0x0000000005EB0000-0x0000000006454000-memory.dmp

Filesize
5.6MB

Download
memory/4244-28-0x00000000059A0000-0x0000000005A32000-memory.dmp

Filesize
584KB

Download
memory/4244-30-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing