44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f

General

Target

44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe
Size

12KB
MD5

ddc67ba23fec835725342dd541961f40
SHA1

28b215b450110d1f9bb9b058f1536a8fcec61d81
SHA256

44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f
SHA512

9cc849d87bdc0e87f4f8e68114536f6dad7d2b0ac66ec09a5cf08347cd2ab4b5e2aa92a87ffa6608adcc1c67307dd59af4296c4b29d8c0b5d1c8d413d19db5ea
SSDEEP

384:qL7li/2zqq2DcEQvdQcJKLTp/NK9xaQC:0iMCQ9cQC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4512	tmp4D85.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4512	tmp4D85.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 1016	2732	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe	88
PID 2732 wrote to memory of 1016	2732	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe	88
PID 2732 wrote to memory of 1016	2732	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe	88
PID 1016 wrote to memory of 4280	1016	vbc.exe	90
PID 1016 wrote to memory of 4280	1016	vbc.exe	90
PID 1016 wrote to memory of 4280	1016	vbc.exe	90
PID 2732 wrote to memory of 4512	2732	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe	91
PID 2732 wrote to memory of 4512	2732	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe	91
PID 2732 wrote to memory of 4512	2732	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pdgt5vju\pdgt5vju.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E5E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc44DD5B392B0B4FBEADE3CF2FF363FE7.TMP"
    3⤵
    PID:4280
- C:\Users\Admin\AppData\Local\Temp\tmp4D85.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4D85.tmp.exe" C:\Users\Admin\AppData\Local\Temp\44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
7b1818a32322e32a1966cf212aac3b43

SHA1
ff0e3fe9cbc3b6aa63e4f71eb832a12c17b129f0

SHA256
0ac3fec603a25e4209fe3bc6e7655648bcf07808272bca5a963b46c73a0584ea

SHA512
d8e5054429a34117694c4ab7e8e113cf5f4b15345425ab8962906a4366292b074ebf91e0fb3ce72e33c85ca925a49a8752ed4b3dca4820cef616b959e7480d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E5E.tmp

Filesize
1KB

MD5
185b49340460d62526686856e114cdd2

SHA1
073c325dca39cedbbe689ac6920f0812886b9820

SHA256
4f47470645b07a45db4ae2460170f112a5b4233d9ba8ad410365b84d74be9f62

SHA512
6d7af43a6833ac0a90d0cd03fe80c2ac69fccfaedcde8c73a62561e9345252c6ab9a78c775c3f62fb8aac792eb126dd1e6244c57a1f45128eebd1af10e7118fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdgt5vju\pdgt5vju.0.vb

Filesize
2KB

MD5
708632f6b9d50ae1d5d5e22dc4f79199

SHA1
394ba060b29863d126e2487515ce20ec94ea7ae8

SHA256
0b17fbe427d92bc06c88035f7e0b9eec28579fa96d83dfec74acd326cb94f1d8

SHA512
aa7fbd0ebc646ed39ad093b741869ddf4bf0569f905c9caaea1e20b7e3cd4838a3db91396ebd06a2f4c32006c258ebcb9782b18b2befd5c0ea171a6d9f26f064

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdgt5vju\pdgt5vju.cmdline

Filesize
273B

MD5
55a297e38ff92d6eef81ba43f9e696c8

SHA1
9966d61bc5e93329986f0ec52abdf4cf6fe2a72f

SHA256
94afcaac439d1f61639d44194d3034472af74d4411185353016eefe17a83fb0a

SHA512
eac7e0f1df69f4a1f696c6b40cc3cbb79acc1a68eaff760e8ed7d9a9bb54360681cc0be85e258472c95f5260fd4313dcb59bf6e81ba7fa8e4e6c0c9e1a30e4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D85.tmp.exe

Filesize
12KB

MD5
94f4a410b8c1585b1c27d4cf046d97d1

SHA1
721611d2e7d7045ba71736fa42a4e2b96f97f5f9

SHA256
6a002fc81fcc26a9a4dc9ffd0a17e607fc928828054032b05823886139882987

SHA512
ce93fa12cc295d6102535e36c3b5df3d949df1ac2b531807b36a9d7325b2dbea0e0476268ff2f543da37a314d40b34cc3cfa632a4d9a9d505043cd742c62a2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc44DD5B392B0B4FBEADE3CF2FF363FE7.TMP

Filesize
1KB

MD5
06ea1e1c196aba73bfeed31b929ef5df

SHA1
b5bb868c75e8905c44966fad0d64dec1fa75f769

SHA256
3d5a57dd29d3080e13ce8bb8c7aadc6e76ba696f0b6f19281733b3a0ef174aef

SHA512
6909eb64dca8b2325b17c494e803e7226dab4479fa1251b17c133ae89fbddb8db8dc1981f8b567c693edaf945664918323c29de7a7bbae3f597fad7d07a83d82

Download Submit
memory/2732-0-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/2732-8-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2732-2-0x00000000049D0000-0x0000000004A6C000-memory.dmp

Filesize
624KB

Download
memory/2732-24-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2732-1-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/4512-26-0x0000000000B60000-0x0000000000B6A000-memory.dmp

Filesize
40KB

Download
memory/4512-25-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4512-27-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/4512-28-0x0000000005540000-0x00000000055D2000-memory.dmp

Filesize
584KB

Download
memory/4512-30-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing