bf33cc062daa2e2d98a8357000519b6cbd72c27c2c137d8f58afd589fb9df3ae

General

Target

078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe
Size

12KB
MD5

078ca4ee8efd4d620b9d033fd678ce60
SHA1

e2caeb7efdf7334c7180242ac194a293e61822f4
SHA256

bf33cc062daa2e2d98a8357000519b6cbd72c27c2c137d8f58afd589fb9df3ae
SHA512

c524e918a5eb0103a2bf87b9615b8f488f5036e289d6ef8e8ecbf2938ec83266ed25100b6fadf892209a9083a7685b577c73eecf2ce46b4afbe575c61aaa088b
SSDEEP

384:zL7li/2zhq2DcEQvdQcJKLTp/NK9xari:XZMCQ9cri

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp48C2.tmp.exe

pid process

916 tmp48C2.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp48C2.tmp.exe

pid process

916 tmp48C2.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 4496 078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe

pid	process
916	tmp48C2.tmp.exe

pid	process
916	tmp48C2.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4496	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 4496 wrote to memory of 4544	4496	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe	vbc.exe
PID 4496 wrote to memory of 4544	4496	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe	vbc.exe
PID 4496 wrote to memory of 4544	4496	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe	vbc.exe
PID 4544 wrote to memory of 2852	4544	vbc.exe	cvtres.exe
PID 4544 wrote to memory of 2852	4544	vbc.exe	cvtres.exe
PID 4544 wrote to memory of 2852	4544	vbc.exe	cvtres.exe
PID 4496 wrote to memory of 916	4496	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe	tmp48C2.tmp.exe
PID 4496 wrote to memory of 916	4496	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe	tmp48C2.tmp.exe
PID 4496 wrote to memory of 916	4496	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe	tmp48C2.tmp.exe

C:\Users\Admin\AppData\Local\Temp\078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2ux3mtxy\2ux3mtxy.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A67.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB34C8FF547D40D58C19863AABEEF5DA.TMP"
3⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\tmp48C2.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp48C2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2ux3mtxy\2ux3mtxy.0.vb
Filesize
2KB

MD5
1a225a1fb25e4860f2aa47327b45b0f3

SHA1
d353063d7b58ea265c3f4b74fe72eb84af082ae6

SHA256
b3090f16920cc49a548c9f4843e3f66635a54a2a4d54da940693bdc02b2094ce

SHA512
94ad21fa08cd425a2c4d0f20fa2aa17d654662682a57a6e255ff3e595fdc967d17dce11d0f794a067458563cda89950c6e475e90db680c3df9b7de7a0fd4d4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ux3mtxy\2ux3mtxy.cmdline
Filesize
273B

MD5
e46245ac4ada568d58502239403f7eaf

SHA1
7dbf3b36fe426b6c24244054420438bcfa43a425

SHA256
b05cdacce9cf9fb7079c23bf1e2e6d16bcf506c6d6e6693f27b27a76b3320c2a

SHA512
5ab7955b4efcb2c38254c59e7d993299cf512dad445ee2d91a09da570e2e020a837e7ffe2cfc5b7b0f0245fcb2baf6b96e9384aa5516c3d1f34fb28a90c09e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
355bd25ba88534d93159551dba52f243

SHA1
b3506efbeac04240bc2e9d922a50d4e96a315746

SHA256
12003933e2a6155e3bdd187a5ec84cc93225c9dea438f25ec4410d1a75040bf1

SHA512
f4be067f3639dba1771c655dd76cce455140737041eecf888958bda8238aa2df0587c3cb455900e60d4a352201e42474cdb3ed86f232bcea53e815178c802a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A67.tmp
Filesize
1KB

MD5
728e927d34f677d35ab82d468dc76a14

SHA1
60fab95f12f6c02619409c4f83941640d3153353

SHA256
da10cb39ccd0094487c4243e4e545ea7446b9022681cdfe30f1a72607b43c84a

SHA512
c80ab4970fa34024b2ec0e8d008a4b14b041f7998ec51fec7c9f3dde6b9ccd72e9fdad1c989b0de15c41c2afc8e7f313071d6ca0574e4a59424cd7eedf38f5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp48C2.tmp.exe
Filesize
12KB

MD5
bad9ad03130a120c3bdf490815dd44be

SHA1
336ee57e0e330e3bc0dade418aa16947895c06f8

SHA256
b20a3875dfedffad7c7b1ce4fbbead8b65e344528904b310624ad3378cfef4b9

SHA512
313e748a51c959ec462f45ddccde71a3e84504e1d457b21c790169cc5df41663da357acfe5fb412b8cfe76055f771b0af20b3f14cffa8df02489dc4ecc285f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFB34C8FF547D40D58C19863AABEEF5DA.TMP
Filesize
1KB

MD5
a8b34d4ec3b4ae02636a839ece98be34

SHA1
c547413203449a9b38bddbcdd0bbc35d1b392474

SHA256
087f877406ee4e53914cf3836d6e3a28b487b43afa5963e34429e696f0387198

SHA512
78941cc7eb55aab9b5957067be71cf2ef92f3bb51a7065283869b1192f65cc90c06308f19321eb2e1c7d04ee20349511f85c9b0094e830844bdeab9899962624

Download Submit
memory/916-25-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/916-26-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/916-27-0x0000000004FB0000-0x0000000005554000-memory.dmp

Filesize
5.6MB

Download
memory/916-28-0x0000000004A00000-0x0000000004A92000-memory.dmp

Filesize
584KB

Download
memory/916-30-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4496-8-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4496-2-0x0000000005230000-0x00000000052CC000-memory.dmp

Filesize
624KB

Download
memory/4496-1-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/4496-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

Filesize
4KB

Download
memory/4496-24-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing