Analysis

- max time kernel: 130s
- max time network: 99s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/05/2024, 08:58
Static task: static1

Behavioral task: behavioral1
  Sample: e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General

- Target: e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
- Size: 12KB
- MD5: e3d56cb8a1888a094bd62f0c55b20120
- SHA1: 1deb91560f6f2d9df5c1e554b14cfd4ab0081bf3
- SHA256: 678a9e0f6907b201d89975a23139c7e9b56fa092e071e67fd1073d82e73730f9
- SHA512: 323d46ca80409e87bb7b26ea0718749e2f0c3bbadc4a8ab413d37d50fade5d17958b38b54e450d16a0cbc47390bf48706edf6197d919dbf59f84a1edd481f4c5
- SSDEEP: 384:cL7li/2zTq2DcEQvdhcJKLTp/NK9xaqd:6fM/Q9cqd
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                              Process
  Key value queried  \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation  e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe

- Deletes itself (1 IoC)
  pid   Process
  2276  tmp3A89.tmp.exe

- Executes dropped EXE (1 IoC)
  pid   Process
  2276  tmp3A89.tmp.exe

- Uses the VBS compiler for execution (1 TTP)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   4092  e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                              procid_target
  PID 4092 wrote to memory of 4984   4092  e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe  86
  PID 4092 wrote to memory of 4984   4092  e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe  86
  PID 4092 wrote to memory of 4984   4092  e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe  86
  PID 4984 wrote to memory of 3120   4984  vbc.exe                                              88
  PID 4984 wrote to memory of 3120   4984  vbc.exe                                              88
  PID 4984 wrote to memory of 3120   4984  vbc.exe                                              88
  PID 4092 wrote to memory of 2276   4092  e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe  89
  PID 4092 wrote to memory of 2276   4092  e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe  89
  PID 4092 wrote to memory of 2276   4092  e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe  89
Processes

C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe"
  PID: 4092
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\leywqeas\leywqeas.cmdline"
    PID: 4984
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C0F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E07E0549F334ADC83499AECF1EBBD84.TMP"
      PID: 3120

  C:\Users\Admin\AppData\Local\Temp\tmp3A89.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp3A89.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
    PID: 2276
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads