cd4f6c1b6c434e5a36b52d0e10e7377ba234746433a0994d0d7cd43a2e27a90e

General

Target

a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe
Size

1.5MB
MD5

a37e2653b9c59983481c06ac6ffc1096
SHA1

53059e9281356d91871db620329fc232b2dba1b8
SHA256

cd4f6c1b6c434e5a36b52d0e10e7377ba234746433a0994d0d7cd43a2e27a90e
SHA512

4e08db974c0ca2ead351bfba8e3b4a519ebfafc75ef126dacf2c4eff35e71d6fb3c50a6ca4870edb48d8b047e1fa5248f0e0581e14cbed72984ad474dd0b9fae
SSDEEP

12288:XwCXnLquXU99ICwj7xrcqPkePh+RvMaBlYJQCe2m9Or:AFn9pwjFMePh+RpBlU69Or

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	~DFA256.tmp

Executes dropped EXE 3 IoCs

pid	Process
3484	pooquva.exe
3588	~DFA256.tmp
3048	ciofly.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe
3048	ciofly.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3588	~DFA256.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 3484	536	a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe	85
PID 536 wrote to memory of 3484	536	a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe	85
PID 536 wrote to memory of 3484	536	a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe	85
PID 3484 wrote to memory of 3588	3484	pooquva.exe	87
PID 3484 wrote to memory of 3588	3484	pooquva.exe	87
PID 3484 wrote to memory of 3588	3484	pooquva.exe	87
PID 536 wrote to memory of 4892	536	a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe	88
PID 536 wrote to memory of 4892	536	a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe	88
PID 536 wrote to memory of 4892	536	a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe	88
PID 3588 wrote to memory of 3048	3588	~DFA256.tmp	101
PID 3588 wrote to memory of 3048	3588	~DFA256.tmp	101
PID 3588 wrote to memory of 3048	3588	~DFA256.tmp	101

C:\Users\Admin\AppData\Local\Temp\a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\pooquva.exe
  C:\Users\Admin\AppData\Local\Temp\pooquva.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Users\Admin\AppData\Local\Temp\~DFA256.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA256.tmp OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Users\Admin\AppData\Local\Temp\ciofly.exe
      "C:\Users\Admin\AppData\Local\Temp\ciofly.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
307B

MD5
3ee13b8cee0b825b9036f933dfa86fe1

SHA1
e8a0d316b1aa69ce09ba29b9ee6616c305ae16f1

SHA256
b1277a2a0af393178d0b8896abccad5a08a741253c1ec1cf16ad9abe24b283c2

SHA512
350c04aa1dfab741ed9b4774cb1cdc6a30f2f103e962930c0d65d8572256f48db19ecf01164ab7126d659e6ec6ecb05149f29ee25e8cd5c1e8f67970feeade10

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciofly.exe

Filesize
371KB

MD5
baa618206691ff509babd8f2e9db693f

SHA1
8873d3ae3e69fdef8c8f4584501e561b92a7eb76

SHA256
ad90e34560f91d13fa73df82895665f5398cf5c8d9b8e001eeb56b3c59a9cc2c

SHA512
fd8ae3a98a3f4ede0b849b8a90d654e4f80e1a1d64be56b00a3942315b47ce881315c18746e682d0e21f81c543ef679cacc417daee6e0c6fdd3a7dc48dccd69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
6389ce0d8ac8f062bcb9286515f34611

SHA1
ab18055197988ebaffa9ab8c218376d91b810736

SHA256
417716d094dc4f7dcf630151e091d5447f8443a702f8937d9dfaa20f6d67593e

SHA512
694dd7f0579a44d8e2b5ddc91d100daa00cc80dfe0930fd7d3d453cc373c18685a7a27319219a680a1fb56d0df46503ceebe05ad3b0c06017742ef743b27b124

Download Submit
C:\Users\Admin\AppData\Local\Temp\pooquva.exe

Filesize
1.5MB

MD5
923f0d13f26d5ea4603bcb61d6c2327a

SHA1
b84df18ee2a4e484d0fba0aae05b1f91ecc00e56

SHA256
60fcffa69193d9cdcd24d3798909e619028d870bcb110c648c32076658a7a240

SHA512
d6b5fe90bc1c437284d8124ee79a59478c7bcec60ed474081d9e6671ad9c2369d76055721855be3e8d459a31c97bc4e8413f4a801ded0375986c4b2e9e4a99b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA256.tmp

Filesize
1.5MB

MD5
c8f7935d4100dca04676bc10d6a6544b

SHA1
893694f76e19ee928f10a871779aa7380d1cb7f0

SHA256
4e8d9a448b64a73504ff97186edb6ecb9585709a4076b1788502c7a7f7d389b1

SHA512
1bdfa4d50366237126b15d813d79d4eaadc41da50f336f16f6b00c17b49c863e073a88b437d2820b7b820ee65f671f07ffc55368db2d1255f8a560d24a745960

Download Submit
memory/536-0-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/536-17-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3048-33-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3048-34-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/3048-36-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3048-38-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/3484-10-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3484-19-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3588-20-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing