28b8ebecd0379c57fe368aaddd0ecf30827a9a9889b63ea06384dda5c8e39369

General

Target

7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe
Size

12KB
MD5

7011cc050bdfc4ba002c47a27d7aa470
SHA1

62d0239706dd6bb7406171b3bca55136e251d04a
SHA256

28b8ebecd0379c57fe368aaddd0ecf30827a9a9889b63ea06384dda5c8e39369
SHA512

a4278e19bc6a1038b7cb2610cfd1b4dc80f3436bfda49219797303d24e8d40151c7dcd9333c1a58663a33658e0e65f05ce456b65edf36070bdb5462fe512c931
SSDEEP

384:WL7li/2z5q2DcEQvdhcJKLTp/NK9xabu:Q5M/Q9cbu

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2676	tmp563F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	tmp563F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 3148	2312	7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe	88
PID 2312 wrote to memory of 3148	2312	7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe	88
PID 2312 wrote to memory of 3148	2312	7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe	88
PID 3148 wrote to memory of 3100	3148	vbc.exe	90
PID 3148 wrote to memory of 3100	3148	vbc.exe	90
PID 3148 wrote to memory of 3100	3148	vbc.exe	90
PID 2312 wrote to memory of 2676	2312	7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe	92
PID 2312 wrote to memory of 2676	2312	7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe	92
PID 2312 wrote to memory of 2676	2312	7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lbecyapp\lbecyapp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5880.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc653B75227E8D4586A516D5F5B7254A0.TMP"
    3⤵
    PID:3100
- C:\Users\Admin\AppData\Local\Temp\tmp563F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp563F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4ee05ef616290a4ddac7a82c37bfaddc

SHA1
6e629febb2130d4cb9993ca9789dadcf2e0ed1c0

SHA256
c594b0dcc45becd0b4a36f7f123a6c00e930e4269cd381f304d9e421bc442974

SHA512
b6df40909477f2dc08d962be80ec74dea85604ccc9a69461b6163b61af09ad8e9e583af7ec04c58b49ac1715557b0226bf1ea52f9dc4bb10a4e0b876a7fe2255

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5880.tmp

Filesize
1KB

MD5
16016bcdbf938e1eeb2b008bd8be32d3

SHA1
9dabb8c7de39973f939309e357d6a541ddca2a8e

SHA256
65e996e6efb86a03d55b16c70f63049c2233ed5443d05c0ec65d46bd2649a658

SHA512
14f4429d793a9ecab8825fcdbd92eecc84f48b731e1eafe4d5f6a0235f2a64b442d8c3cc043bc1abbe27fd48541e6316146c6b4a411aa59957ce1819002c8cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbecyapp\lbecyapp.0.vb

Filesize
2KB

MD5
c18d58195b0ec399114aceccfcf881c8

SHA1
8882db53c5d4c8781e891de5cb6b8c525190f3d1

SHA256
35bca2ff0c47484c616ee3fb67fd8e77caa9d626500bf40c688da95a18387588

SHA512
b854b77335b038908af51b8edd67f925905affe0c5e91c20132db06d38b42be614838567665030934b2ba2e130f6aa924cd67f735f6d0c6f958e9913d36e8e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbecyapp\lbecyapp.cmdline

Filesize
273B

MD5
dae4cf5f18d3cc2a97c015a8d7e9aa34

SHA1
5ccda03fc525d4c91743c7e1695cfc0fee9d309b

SHA256
33f628f47f6077bee1ff8c88e98fa91deeff2a81d4f1076e5b5ef51f1df0b2f4

SHA512
8a2b6c3f2f1daa354af244393137352e3031c52636246f9020128644a59edfe0ad75ed720d93742d829eb12730e6b567b7aba7fc3c96abcce20cd6778b9ccfaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp563F.tmp.exe

Filesize
12KB

MD5
487a9ee4fd015f41784545a1dc44fb18

SHA1
93fb31ef5c476545f0ca2464a999ba11c8b9cabb

SHA256
155829b357173de8fdffb174a9fffdce08e026afbef74a44d1f50a61f34e3bf5

SHA512
a314774e61f9482179c3e8bf1731d4273d848a88a7698836df92f59f79ad009f7be96eabfe7966eccb9c355d51a51bfae4fcec5ab6204ea30bdc04536c93de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc653B75227E8D4586A516D5F5B7254A0.TMP

Filesize
1KB

MD5
efef16a4462a292cb418286736b2cdd3

SHA1
3fbdb509d155afa3a2e14169eba08364bb369e7a

SHA256
6f04cf4fe5b9aa11b4408e2a418729b5df8f0b242aee1a702a3c727497ae82a2

SHA512
13f07bfba83d0854cf914c52f1fc5ba280811adf453a5bbe5d57d246dca8cf99b73395e45c22e63e7f0bf97302e658d26c807890ae4f9a3f9db5b17cefde067a

Download Submit
memory/2312-0-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/2312-8-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/2312-2-0x0000000005670000-0x000000000570C000-memory.dmp

Filesize
624KB

Download
memory/2312-1-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/2312-24-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/2676-25-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/2676-26-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/2676-27-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/2676-28-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/2676-30-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing