678a9e0f6907b201d89975a23139c7e9b56fa092e071e67fd1073d82e73730f9

General

Target

e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
Size

12KB
MD5

e3d56cb8a1888a094bd62f0c55b20120
SHA1

1deb91560f6f2d9df5c1e554b14cfd4ab0081bf3
SHA256

678a9e0f6907b201d89975a23139c7e9b56fa092e071e67fd1073d82e73730f9
SHA512

323d46ca80409e87bb7b26ea0718749e2f0c3bbadc4a8ab413d37d50fade5d17958b38b54e450d16a0cbc47390bf48706edf6197d919dbf59f84a1edd481f4c5
SSDEEP

384:cL7li/2zTq2DcEQvdhcJKLTp/NK9xaqd:6fM/Q9cqd

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2276	tmp3A89.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2276	tmp3A89.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4092	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 4984	4092	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe	86
PID 4092 wrote to memory of 4984	4092	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe	86
PID 4092 wrote to memory of 4984	4092	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe	86
PID 4984 wrote to memory of 3120	4984	vbc.exe	88
PID 4984 wrote to memory of 3120	4984	vbc.exe	88
PID 4984 wrote to memory of 3120	4984	vbc.exe	88
PID 4092 wrote to memory of 2276	4092	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe	89
PID 4092 wrote to memory of 2276	4092	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe	89
PID 4092 wrote to memory of 2276	4092	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\leywqeas\leywqeas.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C0F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E07E0549F334ADC83499AECF1EBBD84.TMP"
    3⤵
    PID:3120
- C:\Users\Admin\AppData\Local\Temp\tmp3A89.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3A89.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
eedf174f3d37f3db44cd42467a85ea6c

SHA1
4506530ee08b7a9ed77bc0aee61a368fc4062c53

SHA256
6cd4e695502c8673f9aa73e753c29d9119dd468abf4b0811c75c740025c64db5

SHA512
4a95086e25a83059c8109dce5c598d9247eb623443e44d24704351e1e6d75e07f28ae502a7838cabc3ad985312f024e52d85991d054f8254e5950f8ab967d6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3C0F.tmp

Filesize
1KB

MD5
02da12e7d1bf6e0e512fb4be32d9ea60

SHA1
88c65797f602da5b6c294b7a35fc25db07c18d59

SHA256
730a543db846c027d85f905ad572434eaf1d7e33a0872a812741fbb63b8c0303

SHA512
d5062f5956fbfa4504c5f14a1efe0356cac899db99a64c9ea3018bec91228b5c5cb05f4356b15994d848144431afe27d7456f49060f7a9eea7af7378a760ffc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\leywqeas\leywqeas.0.vb

Filesize
2KB

MD5
e51019abbaa0d7f741344e7a1ba9eff0

SHA1
876b1094811e1d95915750ec8da27b44a9fc7b98

SHA256
6a20fd14ed00960b4e3f3bf66e46d692a067352609fc8e9ab5199e97baa6b394

SHA512
b7e62a57051210c95b6acbcac6114d78fc0ee7c46a5218a13139121a16d7f6a2b117d9421d7333972e95b773fe8c1e30df0a75ba86d8cab36a528b1606d3b50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\leywqeas\leywqeas.cmdline

Filesize
273B

MD5
2982cb1d1786adce597ec0231dbc5dc9

SHA1
7ed4e1963f9ce8be0244e17489dd4a6d926c8133

SHA256
9681f248d79ca263ded8ddd5cbf7aa54f85e24fa077c420e5b0bc8d76d1f74d8

SHA512
8ecc2aab6aed1a86ca4a6614901838ee96cef50a992b8078547b6677ce17ae56385629920c53d64b0ce681addfc448a37773cfbe144a2e2148da5f93f92d9ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A89.tmp.exe

Filesize
12KB

MD5
2530828be4720405146c031b469f10ef

SHA1
79945438aa130101b55b249ece9995560d1b38d7

SHA256
5b389f9b52b132738798347fcd964f1933c4f980eee81a7b69a8420b5d32cce3

SHA512
dad0e63a76adcf9a8dcefd5ceef40b2578d449736afd07b349f40301b9173c0b35976ce2d502c0b73885d9ac5563a199eb952667b16f996e9fc3047c15fb90ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6E07E0549F334ADC83499AECF1EBBD84.TMP

Filesize
1KB

MD5
36067e06d39fa2b270b2d79f283a3809

SHA1
4d02a29b8dbecc64b9d30901bc3f13859a9837ef

SHA256
25a17ffd5c4b0cb158c0be6e6294d9b26d8753bbf8a0cf9b5f1b6e32c5b9d41c

SHA512
aa0e60d05b5669fcb8b4ebe70eaa2ae83a474ac99898a6a77bb0ee1a784e268bd15a87edb612c6ebc34c7726469db42c4b09e6436917b2f654c41e00a441fc17

Download Submit
memory/2276-24-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/2276-25-0x0000000000C50000-0x0000000000C5A000-memory.dmp

Filesize
40KB

Download
memory/2276-27-0x0000000005BA0000-0x0000000006144000-memory.dmp

Filesize
5.6MB

Download
memory/2276-28-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/2276-30-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/4092-0-0x000000007509E000-0x000000007509F000-memory.dmp

Filesize
4KB

Download
memory/4092-8-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/4092-2-0x0000000005810000-0x00000000058AC000-memory.dmp

Filesize
624KB

Download
memory/4092-1-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

Filesize
40KB

Download
memory/4092-26-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing