ae2036bd2a36b61a0a644ae1b22ccc7d47e911584bbab043f821dd10e6866181

General

Target

f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe
Size

12KB
MD5

f3b0ef89d1aae3162f183c6287a7bd90
SHA1

aa571d5d25bffa0da454d1440da6cebc57503ee8
SHA256

ae2036bd2a36b61a0a644ae1b22ccc7d47e911584bbab043f821dd10e6866181
SHA512

d766cc9631198e53d6cd985fa827fa59d3408c43f2bca64999406e1ab4a5764f77f96198bad55ba0ff96751496e494ba443d769c99d5e11aa10b76b88e22edd7
SSDEEP

384:UL7li/2zZq2DcEQvdQcJKLTp/NK9xawF:CxMCQ9cwF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
5092	tmp5DF0.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5092	tmp5DF0.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 2476	4652	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe	82
PID 4652 wrote to memory of 2476	4652	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe	82
PID 4652 wrote to memory of 2476	4652	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe	82
PID 2476 wrote to memory of 4612	2476	vbc.exe	84
PID 2476 wrote to memory of 4612	2476	vbc.exe	84
PID 2476 wrote to memory of 4612	2476	vbc.exe	84
PID 4652 wrote to memory of 5092	4652	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe	85
PID 4652 wrote to memory of 5092	4652	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe	85
PID 4652 wrote to memory of 5092	4652	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j0agsp2k\j0agsp2k.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FD3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5E379D283A9A4CEC9B5EC7EE7F4AED5B.TMP"
    3⤵
    PID:4612
- C:\Users\Admin\AppData\Local\Temp\tmp5DF0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5DF0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
3ee75ab6c06f911690cf80ea7735a34f

SHA1
a356850b1948c567d779a874880b0589083a4e74

SHA256
e52ba1ad767ccf638f182f6ee44e1ddb505b9b3e09abd4e88289fd879c9ac772

SHA512
9401667b0213a67cea7028c02a25238d0496e725212f70b88fcb7bd207b180d59a17db79e8a043211cd0cdf6d1eadaefc8eab73e037ffeac06892fd7654260b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5FD3.tmp

Filesize
1KB

MD5
25ba1df552618fd405584aacf44ed3de

SHA1
9e5edb85aa939c71ee6fae82ef59e22fc83b9a1b

SHA256
386ae2ad6a5aa8db0ccf045ad8a72e13113a023df28867a18bb73f22c55e4a76

SHA512
e7f353c65632b521d7d85e9184cdf9caaa95e852c37064774ee4a2c33c65c5d3d2e9896869006c4ad0860935c5db0d120ec8ed17f5d48c29aad6cbd8c840c6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\j0agsp2k\j0agsp2k.0.vb

Filesize
2KB

MD5
5f37b37d9b05dbd56583ae5aebf70026

SHA1
7bf9a3ec5d3542d55be045365cf5819ca3d5f9ef

SHA256
6f6c7359ce6361a6690849821926921e15aa4a688aaf62b1816cc8cb5280b0f4

SHA512
145f078e834bba646ef65fc9a515bff5c23b20518f4cdfbf401baa1ec23187e4134ffe139631371e50dc0cc59af2d5477d9f66d9bce62c5eee5eb616cc31d179

Download Submit
C:\Users\Admin\AppData\Local\Temp\j0agsp2k\j0agsp2k.cmdline

Filesize
273B

MD5
a63556065bb79377d63e89f8dd922525

SHA1
29aa08ad82d106e56d46a480f7595226e659aab1

SHA256
ede473c527861662b5ed9dae7350078ce7dc11d58eb87de5fbc514b0b7ad8f48

SHA512
77c81663bd8f738956c32f59f83c5afabec411d8445873ebc80901e3a0dce7935db9de5f9d8ac0c3ad34e8bde98098a2abbb68ae379460682648a78d0ed2e79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DF0.tmp.exe

Filesize
12KB

MD5
9f3f8a209b4e03109b88dea757548ab6

SHA1
72f333d1aaca36872fba99c991440ed0ec31bb4e

SHA256
98f561571b1a8c08dc933a9b64142eef770a345fb6b33999b1d35c38eaba2154

SHA512
7654dd2685210e2b61d04c7e9f85d1363eccbaa4f69c29464c2b3a8166ff57c7697cac89cff5b0edc4677ef52c8355b42826591051d84b03e80bddd4d874cbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5E379D283A9A4CEC9B5EC7EE7F4AED5B.TMP

Filesize
1KB

MD5
f1055691b898d13fa1433a2c35612971

SHA1
68c4f24427556bfa1d1379a1c2811851f3a31066

SHA256
d14b1973aeadfd8935f5ff3976dd5ecfda54652e3b60921dd9dfe3d5717f0a4d

SHA512
0426c51f9645c8e3ccd11c51d7eaf82af76ef6fc6dc5a7abc6f10941dd61c3469569cf9a459f538bba16bb9b75e8be06691b3506dfe20be887cfd2db40d7a9fc

Download Submit
memory/4652-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/4652-8-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/4652-2-0x0000000005820000-0x00000000058BC000-memory.dmp

Filesize
624KB

Download
memory/4652-1-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

Filesize
40KB

Download
memory/4652-24-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/5092-26-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/5092-25-0x0000000000EF0000-0x0000000000EFA000-memory.dmp

Filesize
40KB

Download
memory/5092-27-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/5092-28-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/5092-30-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing