a6dab7902ff7cb81dd907b2a21a0a6c518c2471db75ef04f6568c0a095f7e060

General

Target

a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe
Size

12KB
MD5

a036b44bd7663a0bf4b8cf9c4e86fef0
SHA1

aa3e57265d54e04136e2035df4a18b9670b30340
SHA256

a6dab7902ff7cb81dd907b2a21a0a6c518c2471db75ef04f6568c0a095f7e060
SHA512

78067682d69519465717b468e7d6ac95184fde6435adaddd8dd931a2881435234ee37f5ef59dcd120a1c6de9f8115d10b37423f164f0510b885b4c590041f1ac
SSDEEP

384:lL7li/2zhq2DcEQvdhcJKLTp/NK9xaDj:lxM/Q9cDj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
440	tmp493F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
440	tmp493F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3632	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 2068	3632	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe	86
PID 3632 wrote to memory of 2068	3632	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe	86
PID 3632 wrote to memory of 2068	3632	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe	86
PID 2068 wrote to memory of 1492	2068	vbc.exe	88
PID 2068 wrote to memory of 1492	2068	vbc.exe	88
PID 2068 wrote to memory of 1492	2068	vbc.exe	88
PID 3632 wrote to memory of 440	3632	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe	89
PID 3632 wrote to memory of 440	3632	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe	89
PID 3632 wrote to memory of 440	3632	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sdq3jufw\sdq3jufw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B03.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2A7DA83455D42FEA97FDFB43435BDA7.TMP"
    3⤵
    PID:1492
- C:\Users\Admin\AppData\Local\Temp\tmp493F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp493F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
a608f3d17cf3e13a09f79f83671a3237

SHA1
32eb5211499900d9e97742810d5207f9b51c0c01

SHA256
ab93f0739556adfb881e9cc0f0eaf657dc64f21716f4513b8cd6c211825e80f1

SHA512
8c314efae68f7346e5f9b72c5a50f8d0fae752f9055950beba3560f8e39bf19582a24f31ae3ea87e117db1e43b1759074e298dcd37d86c845cd45454bc685777

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4B03.tmp

Filesize
1KB

MD5
2fbd32792c60db233359405807b2bf6b

SHA1
d9b7cf4a82c8366f3b8af14b46d55dda970cf741

SHA256
761446b6eb5824e3107aba37b7020c2bc962dc738d7929b99f2db4f6ff6404c2

SHA512
746a376b147c05728d68276c15860a3146cdb0b2c746c997591a36174e4fd4033fddb4a2c61b5049b5c8db42117e96534308ce842843e982310a6388b155c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdq3jufw\sdq3jufw.0.vb

Filesize
2KB

MD5
aad386b656968393dadadc31077f08cd

SHA1
e6f8fab527f199d3b14233d32069e23ead986aa9

SHA256
e01e133e16a7257117c76e3dc18a3cfa935a19277a747f6fcb40d61096630564

SHA512
2feb01b1587dffda12578d870fcae242100d3a16ed9803d21200026e823e7c839479f4ca071e479b0df34f32c4567c921b37872ddf7cdef4796d04204edeb394

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdq3jufw\sdq3jufw.cmdline

Filesize
273B

MD5
4a19510a9f9fa7e97bad755352bfab7f

SHA1
7a152a75e5a6a53b455a366834494e5b746632df

SHA256
367c06cdf1056783de9fabebb35b54f30d74fa7eb1e87ce61759813dba042518

SHA512
8407d0e3bda50b725f6259f3e2ce222389d629f0a94ae2e8ecad19808a49afe018d9792390c81f2a623aaec7505c770fa7f80fbbac7ebb0bc232c0e92cfc4558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp493F.tmp.exe

Filesize
12KB

MD5
ee6c4d59d27e824cfb695d4807b9bcd5

SHA1
f76364667864142b942ea91388b15cb142d5e179

SHA256
91616cd640fc897b789204033c336d1392ed250514aa043f62767b8b7e4eeef3

SHA512
e697ba2b29997b48e837921ee932af868d17e80b87aa92ad782985b9ac0c651a47da44e79396dc0f3d71bc1f55c4956a8c7cb39a933d73e0386059c014dc641e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC2A7DA83455D42FEA97FDFB43435BDA7.TMP

Filesize
1KB

MD5
1e2c5e160e69d3104e28572c5b8a5f2a

SHA1
f3871ab1c3bb605e5d8fb5eb571f2b8961f40d58

SHA256
0f8efce0157d9c59d74f53e29c9eec86913dd1466be168a8a00670cda2e81fcd

SHA512
e72136a7ba5deaf1067246bd3c7efdddf9b5b1cb0666213a0f4c8a0201920d2be32780545dc4867816cb7e25590ed5357ee242a965d37d3f3c89c2ea9db6c462

Download Submit
memory/440-25-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/440-26-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download
memory/440-27-0x00000000059C0000-0x0000000005F64000-memory.dmp

Filesize
5.6MB

Download
memory/440-28-0x00000000054B0000-0x0000000005542000-memory.dmp

Filesize
584KB

Download
memory/440-30-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/3632-0-0x000000007503E000-0x000000007503F000-memory.dmp

Filesize
4KB

Download
memory/3632-8-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/3632-2-0x0000000005470000-0x000000000550C000-memory.dmp

Filesize
624KB

Download
memory/3632-1-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/3632-24-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing