a500881ec6d3ce6972e1395afc31409029b9fdb22060f2a38f3e45288d84bb3e

General

Target

b59aa96e92c20cdeaa9cef6cabbd39e0_NeikiAnalytics.exe
Size

12KB
MD5

b59aa96e92c20cdeaa9cef6cabbd39e0
SHA1

66382a7e06e7dbfe0badafac0510ba7614172925
SHA256

a500881ec6d3ce6972e1395afc31409029b9fdb22060f2a38f3e45288d84bb3e
SHA512

6dc05c1b072613db594249da3e902930c8c86797bbeab05e2caf61d955da77c969a0db3724766edac33b16f80cca9714215beeaf4df85ae0730bd3c6e59ae74f
SSDEEP

384:GL7li/2zReq2DcEQvdhcJKLTp/NK9xa5y:gAM/Q9c5y

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	b59aa96e92c20cdeaa9cef6cabbd39e0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2360	tmp5C88.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2360	tmp5C88.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4456	b59aa96e92c20cdeaa9cef6cabbd39e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 1880	4456	b59aa96e92c20cdeaa9cef6cabbd39e0_NeikiAnalytics.exe	86
PID 4456 wrote to memory of 1880	4456	b59aa96e92c20cdeaa9cef6cabbd39e0_NeikiAnalytics.exe	86
PID 4456 wrote to memory of 1880	4456	b59aa96e92c20cdeaa9cef6cabbd39e0_NeikiAnalytics.exe	86
PID 1880 wrote to memory of 2548	1880	vbc.exe	88
PID 1880 wrote to memory of 2548	1880	vbc.exe	88
PID 1880 wrote to memory of 2548	1880	vbc.exe	88
PID 4456 wrote to memory of 2360	4456	b59aa96e92c20cdeaa9cef6cabbd39e0_NeikiAnalytics.exe	89
PID 4456 wrote to memory of 2360	4456	b59aa96e92c20cdeaa9cef6cabbd39e0_NeikiAnalytics.exe	89
PID 4456 wrote to memory of 2360	4456	b59aa96e92c20cdeaa9cef6cabbd39e0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\b59aa96e92c20cdeaa9cef6cabbd39e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b59aa96e92c20cdeaa9cef6cabbd39e0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bjnqelgp\bjnqelgp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E5C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc390F357F9F7F4D4DB8EA85044948354.TMP"
    3⤵
    PID:2548
- C:\Users\Admin\AppData\Local\Temp\tmp5C88.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5C88.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b59aa96e92c20cdeaa9cef6cabbd39e0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
8b6e2c948a017baa227397257de36d3a

SHA1
7b58fecd9c8fc7493b9c934998183acb82559756

SHA256
5282c44f8588d7a08e203d9583b34a0cea3446d5ba7f4c997cd0b0e4b8f3c692

SHA512
c243e294da32c811e8e94eb26629f0ea95798f47c279287538799412185615afdcbed8666fee30f54a7a027618098d048c00fef9949ca1bb5dbce3c8fa85c8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5E5C.tmp

Filesize
1KB

MD5
2117cf7d456d995d75dadd276e02dd8b

SHA1
1bfcc5e65f1e4cdc76519acba8d35c8bf6929122

SHA256
bf3a3217678b31079b033539d8900988fdd4254df4d764b7d4f03602627d8d06

SHA512
b942b202ed1216e3aaf618f4e9fb3c455f860b3af766fae6b4a51613fbd80d80d8999a1765b313ad4dba16748014ed59b11961477d67a4d5401f573db7d2c087

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjnqelgp\bjnqelgp.0.vb

Filesize
2KB

MD5
32581b1edc4b846940859e1d216fabaa

SHA1
bf3eecd6ddee5fb36e747ce8d31f48d2699f1756

SHA256
14d43dfe140ad598c0de425d66dc952af65fa065e53f7903c4db9224c12af1c9

SHA512
e6efc68557de82c0612978d60539d2ac2caf9c8c258f989de8371fe2ba7c91b2e9e4e9a4ad81dcad32a1a13c16a52aa6fb72702171e835137f6e2505a7e562e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjnqelgp\bjnqelgp.cmdline

Filesize
273B

MD5
9f91bc66be4a792583c584da2d6b2be0

SHA1
f48838aff25cb28fbf1099b8c24b7ad74887e2bb

SHA256
2aa26a3c34084af8610fae16cb6f0d8ec33a99eb43844e7b0256243187caecf6

SHA512
5b560dac1dc761924589d5f7372cdc904ca7d6e5966db3b0ffc39dfd22ee0c72b0102682434382c76f86f7454ad9c5b2b53accf1e08f0f0a8d486568a51712ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C88.tmp.exe

Filesize
12KB

MD5
bbe5866d35d0242fadd9f4f69a205f32

SHA1
12a2a8c7a2c0b35467b53ff827bede28cd9c9511

SHA256
051867759d23ca4abf59e3f531c2139bcb2d98b7bae39ac3248d8aab2fa4865b

SHA512
659f5908ae6d93caedd8cc86153f1e27ba59b535ef07eeabde37e277fd09b60c85ed92446898fb2b5562baf0a04e0c34b6bc102ffeb30b78b864d8ad89b1adf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc390F357F9F7F4D4DB8EA85044948354.TMP

Filesize
1KB

MD5
116add55a680019d9b7aa6ca4949afe4

SHA1
006a4b79ed1502e881a80307d4bb3110f87de775

SHA256
630e7084d3b9b6bfa865eb9b1dd2165946641a0abc72fec83ed349da981aecf9

SHA512
73df4cf794e9e843bbd6cdd00770a8ef531ec14c3853df046d341dc86149683e5464ef9b0d97a91c1c51dc54a67012c3e97d2b7879a3a2c586d0b42a6637198c

Download Submit
memory/2360-26-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/2360-25-0x0000000000F00000-0x0000000000F0A000-memory.dmp

Filesize
40KB

Download
memory/2360-27-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/2360-28-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/2360-30-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/4456-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

Filesize
4KB

Download
memory/4456-8-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/4456-2-0x00000000049E0000-0x0000000004A7C000-memory.dmp

Filesize
624KB

Download
memory/4456-1-0x00000000000A0000-0x00000000000AA000-memory.dmp

Filesize
40KB

Download
memory/4456-24-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing