9d21daf919cd28711bd38b01ff929a9c2fd465a019c7599ec11da3a197a134f4

General

Target

213a09acf704428f6b6243618a56ba80_NeikiAnalytics.exe
Size

12KB
MD5

213a09acf704428f6b6243618a56ba80
SHA1

753f5c321d085824772191850dfa977b54a97a9a
SHA256

9d21daf919cd28711bd38b01ff929a9c2fd465a019c7599ec11da3a197a134f4
SHA512

1256267aa74714b05b1bc6bbddb74b8c7db64825e1e2d48cd2840c74ede6bbef8eb86df8f29169692f2ac940ba3da0ea8cb8b00c38317813f4872a7572f13779
SSDEEP

384:mL7li/2zgq2DcEQvdQcJKLTp/NK9xa/dY:AMMCQ9cFY

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	213a09acf704428f6b6243618a56ba80_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3888	tmp48C2.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3888	tmp48C2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	213a09acf704428f6b6243618a56ba80_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 2128	4448	213a09acf704428f6b6243618a56ba80_NeikiAnalytics.exe	85
PID 4448 wrote to memory of 2128	4448	213a09acf704428f6b6243618a56ba80_NeikiAnalytics.exe	85
PID 4448 wrote to memory of 2128	4448	213a09acf704428f6b6243618a56ba80_NeikiAnalytics.exe	85
PID 2128 wrote to memory of 2684	2128	vbc.exe	89
PID 2128 wrote to memory of 2684	2128	vbc.exe	89
PID 2128 wrote to memory of 2684	2128	vbc.exe	89
PID 4448 wrote to memory of 3888	4448	213a09acf704428f6b6243618a56ba80_NeikiAnalytics.exe	91
PID 4448 wrote to memory of 3888	4448	213a09acf704428f6b6243618a56ba80_NeikiAnalytics.exe	91
PID 4448 wrote to memory of 3888	4448	213a09acf704428f6b6243618a56ba80_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\213a09acf704428f6b6243618a56ba80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\213a09acf704428f6b6243618a56ba80_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pt3j3qhh\pt3j3qhh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A38.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3B2FC0A530B94EDC99592B931C6D6E4D.TMP"
    3⤵
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\tmp48C2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp48C2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\213a09acf704428f6b6243618a56ba80_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
291ce671e59dd15cd582a80bf5f766c0

SHA1
90a82ccfed533d1fdbc118e9706bb8eac1c5cdd8

SHA256
a9226b442476c16fb6224c02d6e88578f4f415db61355381fcc12c702217e253

SHA512
c2c55b7501910dbf2af09a0e7e4349b40728709151c5e645b158e1d7ec9f29251cabd9ff71c62a6b79c8690c7bb73e2cb086d6f896f21a67a62bce293a590997

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A38.tmp

Filesize
1KB

MD5
e8d219e42e23b8c6b3c746e6de7fc6e1

SHA1
8a84a0fd91da5aaf2619d9fbdeb6a51cfeea74d2

SHA256
489fd1760bb51a25d06139fdf6aac267b237d263984bbec54e4311423f9da58d

SHA512
d940c6307e8d3f4f5462eb7799d2c6a740c5bc602e55fb511d6a8f25ab50f4705ab48d573515328577d32dde68fc17a0e2e8c9f4cd76f49439eb4a19f4cbf77d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pt3j3qhh\pt3j3qhh.0.vb

Filesize
2KB

MD5
c8dbd612fdbaf98e936d6940e4fb9d08

SHA1
187b6e0f04ce21596e707486b204ac489e26e785

SHA256
9a3b20fdedf220e1a40fe1fffb3ab1b37e1f19bd4b4fc08c363f86f7e328db04

SHA512
c5489088f399b2eba801c4efe85b4961dccf4b48fda22ea83a9edd80c6977f6e7899fa613a05d84f0b49b2ddfcbf1bc4244d1ebe0b0d1f3db69f782add606cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pt3j3qhh\pt3j3qhh.cmdline

Filesize
273B

MD5
c377b2141481dc99ebf1d24692ed5f9a

SHA1
5a53b80e685b56bc6e15d68e5d6894f2491c8f1c

SHA256
cced29b15ecf42e202368debd167263243fa5a97ccb35cfcfbcc5837cd90fd39

SHA512
50e5b1c3b03a646c2f50d2146927612ca0f6a890c55ca69cfe38119069b5ed911c4f8508485b036a45a37a63e6ca499e1d7fb3ad47055d4e00a362510d7c1f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp48C2.tmp.exe

Filesize
12KB

MD5
545929e817412f00537075caec64a5e3

SHA1
2002001d237c0b80e96e67a46b641757eef34f1c

SHA256
6089555adb029a91349c7cfec106ac9511f26914de7ce1c3182d72638e91523e

SHA512
334cc7341b8ab6123e9404c311362c3cef0b83598085a40cd5d4af38b355bfd40cc4736df6ebf1c6c0c96372e806032353d859c7d11dff00892ab98946afcc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3B2FC0A530B94EDC99592B931C6D6E4D.TMP

Filesize
1KB

MD5
a8b34d4ec3b4ae02636a839ece98be34

SHA1
c547413203449a9b38bddbcdd0bbc35d1b392474

SHA256
087f877406ee4e53914cf3836d6e3a28b487b43afa5963e34429e696f0387198

SHA512
78941cc7eb55aab9b5957067be71cf2ef92f3bb51a7065283869b1192f65cc90c06308f19321eb2e1c7d04ee20349511f85c9b0094e830844bdeab9899962624

Download Submit
memory/3888-25-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/3888-26-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/3888-27-0x0000000004FC0000-0x0000000005564000-memory.dmp

Filesize
5.6MB

Download
memory/3888-28-0x0000000004AB0000-0x0000000004B42000-memory.dmp

Filesize
584KB

Download
memory/3888-30-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4448-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/4448-8-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4448-2-0x00000000050F0000-0x000000000518C000-memory.dmp

Filesize
624KB

Download
memory/4448-1-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/4448-24-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing