492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054

General

Target

492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
Size

12KB
MD5

18be8734f158add81a1d6123270c7e10
SHA1

33e6e05ec5f55c7945b8993dcb947ad4b3a6c165
SHA256

492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054
SHA512

a87de3c25201319c005c14a9328eada2640b220c8c618df3cf6e22dfcecd80b9deb240a87ed33f3e7a5ba2ab62a851003a8661187a52b931d3bc825d57f3ce47
SSDEEP

384:EL7li/2z8q2DcEQvdhcJKLTp/NK9xaet:S4M/Q9cet

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4740	tmp4305.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4740	tmp4305.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4040	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 3176	4040	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe	86
PID 4040 wrote to memory of 3176	4040	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe	86
PID 4040 wrote to memory of 3176	4040	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe	86
PID 3176 wrote to memory of 3364	3176	vbc.exe	88
PID 3176 wrote to memory of 3364	3176	vbc.exe	88
PID 3176 wrote to memory of 3364	3176	vbc.exe	88
PID 4040 wrote to memory of 4740	4040	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe	89
PID 4040 wrote to memory of 4740	4040	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe	89
PID 4040 wrote to memory of 4740	4040	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hjqwvxfo\hjqwvxfo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES43FE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC563F9C1942F496AB2B06531387669DD.TMP"
    3⤵
    PID:3364
- C:\Users\Admin\AppData\Local\Temp\tmp4305.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4305.tmp.exe" C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
a1527c67f9483e90a3e12f80f8147fb4

SHA1
cda9b38d937bfc7a761c6fec11141511a4d4d175

SHA256
0e537e1f1179455803cfc4b22f3626167aa7dcb115e7b8cf94855d03f6ea348f

SHA512
db57795c9085218ee0ddf63f12ab071509724a19a296c9cff17a12f0a1d45148e8c6dbd1686369e529a72916b5fb410d74dd14bbad36f3812c1d72102968556d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES43FE.tmp

Filesize
1KB

MD5
1a0bb3cc05ce8aedc66dd8ed77cb8334

SHA1
4f5a2ae163e2091b9eb74dae4de596cb6c4e9efa

SHA256
de764a470214c2cd2c1506b6df0753996ca1e5f9a2fe41aef17dcb1f55ab1f6f

SHA512
070e17e7c535e2d45ea6dd83853c0b25cf5f90bc8e6e6181289e4383a702a60e683232a011344bc7056351f6b0e4559b68cd86401fa1385008c483d954e611ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjqwvxfo\hjqwvxfo.0.vb

Filesize
2KB

MD5
0d1d6fac6de7dbc18f17afc938cd1fa4

SHA1
2ae43f22236768008876228294c18552b8cfe182

SHA256
00fbfffdcc639b09a10c5e3be067e23213513d64e9d366b64b4586840a102b22

SHA512
9ff777253caa1e804c89d866f7b496044b30ec2f68c1cc9bb8d03537936e390a91ca29bcce9f4bd0338c6cea07938d352c8cf932f864da05d212e14fedacafdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjqwvxfo\hjqwvxfo.cmdline

Filesize
273B

MD5
211898ed55d36620ebdc2d47640a56fa

SHA1
9a99e27608d75bf849dd8524d95b0148c80dd039

SHA256
9d151be64f155fa8c9274a271a95707bc00a2d505ee8951b2a9ae20d2dfd99db

SHA512
8e22bbf7d2aa1cd1f5ccfeebbb698ae34e60c6ec453d87173891ccb73b1c247a96d7b2dfac76df7351cadc80f9ed7c6bc24a62cbc276363672eaefa99d37d7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4305.tmp.exe

Filesize
12KB

MD5
1c5bd0d21d8477d61165df7673bbef9a

SHA1
fe1fcb0771370c34e6213f3e1de265ad411c31ec

SHA256
348a31ff97c461008ace9b163766b80e009b452ecd2fb8e974f3f9124b41332d

SHA512
0817d61496a26409d86ca051142eb30729ef3f206297a7662ab57b11193b9e486eb27f31c86a539de47c2240baeb6c79387aae9269af1c9704b238175b33865c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC563F9C1942F496AB2B06531387669DD.TMP

Filesize
1KB

MD5
b903f6512922d4f0f6c301b88f78eeb8

SHA1
195b8260278da2b000f5e79d46f09474e5f2cf64

SHA256
90a74d9b526149e12de8b1b141fc208d6b56a6619ad118e82365c6568563abb9

SHA512
f928ecf0bb5efa2a676222da7d9b9f7767a77c5ec3902ce13fcf2602d23499883b8d6e0604967aba7dad8af4e97ea391527c78cc4216cd77540c0a7a5640a8fd

Download Submit
memory/4040-0-0x000000007504E000-0x000000007504F000-memory.dmp

Filesize
4KB

Download
memory/4040-8-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/4040-2-0x0000000004BD0000-0x0000000004C6C000-memory.dmp

Filesize
624KB

Download
memory/4040-1-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/4040-24-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-25-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-26-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/4740-27-0x00000000054A0000-0x0000000005A44000-memory.dmp

Filesize
5.6MB

Download
memory/4740-28-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/4740-30-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing