7f4e9f4e7aefcf89eddbbef85ab7f5a4c46282b4948beb5bc7f0049487cc216c

General

Target

4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe
Size

12KB
MD5

4f9ab3609afeb52e8bcae2bc075f3ba0
SHA1

aa570248055a1d813d6f120c3fea1e850413c4b3
SHA256

7f4e9f4e7aefcf89eddbbef85ab7f5a4c46282b4948beb5bc7f0049487cc216c
SHA512

f11e1d74f536312e4a9ed74caf311f4666609871a0e2c6c7f296fa9c7b9b5ee20888bbc09fd8eeb09b9b38ed4b0f29d4865531619842f2b9331ba437973c3f66
SSDEEP

384:aL7li/2zKq2DcEQvdhcJKLTp/NK9xa3v:EaM/Q9c3v

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4884	tmp56DB.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4884	tmp56DB.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4356	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 3484	4356	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe	86
PID 4356 wrote to memory of 3484	4356	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe	86
PID 4356 wrote to memory of 3484	4356	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe	86
PID 3484 wrote to memory of 2192	3484	vbc.exe	88
PID 3484 wrote to memory of 2192	3484	vbc.exe	88
PID 3484 wrote to memory of 2192	3484	vbc.exe	88
PID 4356 wrote to memory of 4884	4356	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe	89
PID 4356 wrote to memory of 4884	4356	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe	89
PID 4356 wrote to memory of 4884	4356	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mye4v5lo\mye4v5lo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5880.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1DFE7A9EE4F949FA97DA8424E6F15F11.TMP"
    3⤵
    PID:2192
- C:\Users\Admin\AppData\Local\Temp\tmp56DB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp56DB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
9ed16f53235b848172ef73479e3d1306

SHA1
7a770d5dd2e477f833fd26137127110acf6c7ef7

SHA256
d0a70943a30d5a24d6f01623b217af3a444b2355b5de910661a681db0c46e41f

SHA512
cb9b983b06cdc2590b21f7d821938ef03064facad67240628030e044fea2954f837949d49d47c76a19b1a5c0d419f1216de18beb55b563b93d6c728948ec1a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5880.tmp

Filesize
1KB

MD5
c4139bcd1d301015102c1e1410e4aab3

SHA1
b3e22b53e4e2fc1373639e52dc976fe5b9d0d425

SHA256
9ef6fddb07b67a0cd001402257563ce2c16e930d0c534b8acfa9cbd345ec9381

SHA512
64aa7a2ce6a5e387a79e0c1ae06c7deec4061a182c81474d18c1566f02451c2d31178969d94e43d29dcf7c56425077ceaecfd2a9d18cbb236b09400daa0e97ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\mye4v5lo\mye4v5lo.0.vb

Filesize
2KB

MD5
68847e4fbd7b9e0a9d034104d59a9e38

SHA1
a096614ee5b039fdf4b46211143a674e18ccf08d

SHA256
581903c7a01356582ad8d12a0ef11da2d6a3cdc202beeba1149359c92a89d774

SHA512
97d1216d89da71d52fca5038afbaffd18342c2f1366719883d690c2fdb4f4ac8c89dbf180fbe0edb1c6b2cd731761221e783929773f6a31bae8e4a31c5281bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mye4v5lo\mye4v5lo.cmdline

Filesize
273B

MD5
8c89e8964e61e1db8bcd7f0dc421c083

SHA1
b42b47c5394fb17dad3784b5fcb70529801f800f

SHA256
fafe5a98ca833712a42d2980e13407c79348bb9ee08775141cda48b9c647561c

SHA512
5bd57acc283052a3d53267f89c0ea82f4617c2976b23c95bbbfe52dd03d7f1e3c6d5104c2046e4eab6a399c01e7b6da87b1433968387b81646472901c7a388d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp56DB.tmp.exe

Filesize
12KB

MD5
981cdbb7edd6eff1b5bc6ccb9c164f09

SHA1
647d3ef383b349e11fdf17d9431af8e3b49b0b8e

SHA256
850890637d065dd0cc6d640b314b28d8bd608d90a110279330b450ca9684cc27

SHA512
48bcb372766e5b4a312c419551185d17afe54ecff53b1f21ffb8d0d2e8573b48540b4cb97636881f0f01d117fb7f2b5594b4695827418b7df4847fb05086bc5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1DFE7A9EE4F949FA97DA8424E6F15F11.TMP

Filesize
1KB

MD5
00a44eb3fb7136eb64469b494d6638e9

SHA1
79808ad559d31a4b3946bc072f32cccb68a1ecef

SHA256
df46a57da2293a1f30c1d03f4bdd59cd4f60d2bc33c816f720be5e62415fb08f

SHA512
2cb28a284286720f96895b7d197c027f3fa3a715cab4280959d543ec39b16b3f382b81553987d1ed47783b2ddcbb03b69024b6eaaa96a5790020f557f6fad3cc

Download Submit
memory/4356-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/4356-8-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4356-2-0x00000000056E0000-0x000000000577C000-memory.dmp

Filesize
624KB

Download
memory/4356-1-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/4356-26-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4884-24-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4884-25-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/4884-27-0x0000000005160000-0x0000000005704000-memory.dmp

Filesize
5.6MB

Download
memory/4884-28-0x0000000004BB0000-0x0000000004C42000-memory.dmp

Filesize
584KB

Download
memory/4884-30-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing