c7190d27b7fa474d280802c5e614bd537738ad226c410b026024d7ef80adfb95

General

Target

e3acea2c86f00e7e80b2494fefe210c0_NeikiAnalytics.exe
Size

12KB
MD5

e3acea2c86f00e7e80b2494fefe210c0
SHA1

626966dded35bd56b1eb4382bac9adc24669b31e
SHA256

c7190d27b7fa474d280802c5e614bd537738ad226c410b026024d7ef80adfb95
SHA512

454df15e760a0c67c7c1cc1779dc79d80578063b4df599f703ba2115a7c10aad67a1d5d06dd2b2a6475e4a705110af8eb6612252ba32989839ad0743a2fb3067
SSDEEP

384:fL7li/2zjq2DcEQvdhcJKLTp/NK9xa/y:THM/Q9c/y

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	e3acea2c86f00e7e80b2494fefe210c0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2300	tmp475A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2300	tmp475A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	e3acea2c86f00e7e80b2494fefe210c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 3280	1220	e3acea2c86f00e7e80b2494fefe210c0_NeikiAnalytics.exe	86
PID 1220 wrote to memory of 3280	1220	e3acea2c86f00e7e80b2494fefe210c0_NeikiAnalytics.exe	86
PID 1220 wrote to memory of 3280	1220	e3acea2c86f00e7e80b2494fefe210c0_NeikiAnalytics.exe	86
PID 3280 wrote to memory of 3224	3280	vbc.exe	88
PID 3280 wrote to memory of 3224	3280	vbc.exe	88
PID 3280 wrote to memory of 3224	3280	vbc.exe	88
PID 1220 wrote to memory of 2300	1220	e3acea2c86f00e7e80b2494fefe210c0_NeikiAnalytics.exe	89
PID 1220 wrote to memory of 2300	1220	e3acea2c86f00e7e80b2494fefe210c0_NeikiAnalytics.exe	89
PID 1220 wrote to memory of 2300	1220	e3acea2c86f00e7e80b2494fefe210c0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\e3acea2c86f00e7e80b2494fefe210c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e3acea2c86f00e7e80b2494fefe210c0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s4p5zchg\s4p5zchg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES490F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A9BB63F97A74883A24C528DC22D1D2A.TMP"
    3⤵
    PID:3224
- C:\Users\Admin\AppData\Local\Temp\tmp475A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp475A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e3acea2c86f00e7e80b2494fefe210c0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
a3eacc7b0731ad65b5166c942d5b1ca2

SHA1
ff7efeebdb6d0e3e9c0076e9ab1dbf3121068767

SHA256
8a913daad27129c510d8e7da6bb2c73711dab036972496f915cf9996bbf4468f

SHA512
a196aaa8d651c676a22f6d22842bd4e9a0239416f9454916dcdb4ab3cb6589f7bb745ed494df202fb9e2dd96969b76be02929c23d47506340d59f77a45c2f0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES490F.tmp

Filesize
1KB

MD5
678415a3a9e3c87f11c07a09192ebbbb

SHA1
dc0c23f72bb266547e4e20850c66dd71cf2c465b

SHA256
2bb4e7a6bc9cb6321a8afd4f8f29d5173d79a743f6cbe064548d32c356010797

SHA512
89424a013031cd364dca6f944425e04914dc131a0cf4f9c0d48eb93a606478fe43257ff7bf0e0026ba08ee5c0cb99855ea2e4b5e3305b9aad545bbe06b6b1523

Download Submit
C:\Users\Admin\AppData\Local\Temp\s4p5zchg\s4p5zchg.0.vb

Filesize
2KB

MD5
fd34ab7ea14dd17f2df76b30ab76fa60

SHA1
844e71092b4c0c8a5e850214479fd036d3248867

SHA256
fd14ff4935df8c393e264be7ab71948acae34dfac60a7eaeffa80090174ae8ce

SHA512
7f9f5ffaeeab935d98c83b7479da8091033b16664793e86bde0ecddb1fd5dcabc2f902faa5b7c9d2f55c17ea9809c1cf21b34649ef4629b2a69a49c6f0a3be30

Download Submit
C:\Users\Admin\AppData\Local\Temp\s4p5zchg\s4p5zchg.cmdline

Filesize
273B

MD5
63dafb087858c0e282085154080f66a2

SHA1
ec7c2242161da836962da1aa70f6acb8cc276d21

SHA256
46a6eb342764924575ac3cec61c4e85ac762186ceb6a3c1fba91b40e4ea1d5e1

SHA512
8eedb937140805010afd7160255fb265208e68d9fce257492557970805b8e834af269729e5772037b003f4ad1c30dc53758492d4d44160c7ea8ca420d441c01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp475A.tmp.exe

Filesize
12KB

MD5
301ff2fda9a80e7776055c29534b71c5

SHA1
cc08f1737f8451853717c3ab28331f5a1efd0bb6

SHA256
2f90a48a71a5041573128dccb68e24517fa8b9aeb3023bd9d48d97d63eb49be0

SHA512
dfad7e7be05abb7225a2f2ee68dfdb3b7b1871013b05d66ee631aaaf4238ecba16609d1e62a10940156212680478f6cbe51be6e7a14459b249f108a3de332103

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5A9BB63F97A74883A24C528DC22D1D2A.TMP

Filesize
1KB

MD5
d5c377667f799ade24ec8c7a487528a7

SHA1
92e88c23de6717a5f9a18b708927738d5c55cbe8

SHA256
8f25a2652916f8d2eb3bc31adbcc7b3767b2e0f6cab4c299b153f154817f43c3

SHA512
cc93247d801c8014e43288f415b16ac06f1fdd8bdd89e95d60cbf1231de24a96ed6f3c3eff68e18fd53cd5179112662d5ff6f238e067930ee35d0a829b59c032

Download Submit
memory/1220-0-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

Filesize
4KB

Download
memory/1220-8-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/1220-2-0x0000000004AC0000-0x0000000004B5C000-memory.dmp

Filesize
624KB

Download
memory/1220-1-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download
memory/1220-24-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/2300-25-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

Filesize
40KB

Download
memory/2300-26-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/2300-27-0x0000000005DA0000-0x0000000006344000-memory.dmp

Filesize
5.6MB

Download
memory/2300-28-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/2300-30-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing