3deaec794b01e29a75c4564f54a8e77be9586a0c4ebfe121020537afc75f115e

General

Target

0d1cc2731340f812debaa24b8af490f0_NeikiAnalytics.exe
Size

12KB
MD5

0d1cc2731340f812debaa24b8af490f0
SHA1

4ac074c6d034b02d3b8432138b34dcd4b6caf3ca
SHA256

3deaec794b01e29a75c4564f54a8e77be9586a0c4ebfe121020537afc75f115e
SHA512

24d4e1cd126fd75c020beeda0ce532a3019b21584acf093bb77e038df999a15a42d3a5023bb8f4361458b0cf97da7a0719b8f0d367bccaa19799f4531c5a037f
SSDEEP

384:DL7li/2zRq2DcEQvdQcJKLTp/NK9xanv:HhMCQ9cnv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0d1cc2731340f812debaa24b8af490f0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	0d1cc2731340f812debaa24b8af490f0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmpDED8.tmp.exe

pid process

736 tmpDED8.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpDED8.tmp.exe

pid process

736 tmpDED8.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0d1cc2731340f812debaa24b8af490f0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 3096 0d1cc2731340f812debaa24b8af490f0_NeikiAnalytics.exe

pid	process
736	tmpDED8.tmp.exe

pid	process
736	tmpDED8.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3096	0d1cc2731340f812debaa24b8af490f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0d1cc2731340f812debaa24b8af490f0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 3096 wrote to memory of 3900	3096	0d1cc2731340f812debaa24b8af490f0_NeikiAnalytics.exe	vbc.exe
PID 3096 wrote to memory of 3900	3096	0d1cc2731340f812debaa24b8af490f0_NeikiAnalytics.exe	vbc.exe
PID 3096 wrote to memory of 3900	3096	0d1cc2731340f812debaa24b8af490f0_NeikiAnalytics.exe	vbc.exe
PID 3900 wrote to memory of 348	3900	vbc.exe	cvtres.exe
PID 3900 wrote to memory of 348	3900	vbc.exe	cvtres.exe
PID 3900 wrote to memory of 348	3900	vbc.exe	cvtres.exe
PID 3096 wrote to memory of 736	3096	0d1cc2731340f812debaa24b8af490f0_NeikiAnalytics.exe	tmpDED8.tmp.exe
PID 3096 wrote to memory of 736	3096	0d1cc2731340f812debaa24b8af490f0_NeikiAnalytics.exe	tmpDED8.tmp.exe
PID 3096 wrote to memory of 736	3096	0d1cc2731340f812debaa24b8af490f0_NeikiAnalytics.exe	tmpDED8.tmp.exe

C:\Users\Admin\AppData\Local\Temp\0d1cc2731340f812debaa24b8af490f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0d1cc2731340f812debaa24b8af490f0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oahbhj1p\oahbhj1p.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE09C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc75BEFA1916F4307BC36A6B0EC227870.TMP"
3⤵
PID:348

C:\Users\Admin\AppData\Local\Temp\tmpDED8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpDED8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0d1cc2731340f812debaa24b8af490f0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2856,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
1⤵
PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
159c107fd08487bb3d3b18121ceab8c4

SHA1
bacf0634e95321c489fa9c04884f1a90696e07af

SHA256
5cfc2000d96e96a249f212e9b03c7d813906f983f3572879626f9faa684e1687

SHA512
b953a17ab8b5640bbbd1900083ac1a897f09d6522bff0952b4d55d5e9e8c1309d57dfe1093bd647630905d645dd2a246ff3444a40cccaa1fbc2ab324f843161d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE09C.tmp

Filesize
1KB

MD5
185690c9aff74a7970fb1403600a0b79

SHA1
ea6e6382463c8a3629f0ddea086f75769bd2fb65

SHA256
2797485975cb6b0acd993ffe6ebf61be7c1024bea4a96b936297d6ee3a530d23

SHA512
ae2df9e6bea03ccdd5dbed363407c9f7ca757a56366b15ce702404c51f22b48f028284b89f2355768c434b3e1a355502be999918c5d636b2b86d91dd457c173b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oahbhj1p\oahbhj1p.0.vb

Filesize
2KB

MD5
21303903aa90e227af6bbdae014152b5

SHA1
9dfab9828827d9370b8c65641e9b1b5b77a2e4c1

SHA256
9fd46c542828c6dccd0aec7bbccc4601515d7ba61a3974d91cd0570fc30e1d29

SHA512
fd8ad92637aaeee6233a023f1bb162455f984cd52d36f97e34eddfcb5ed3ab5abb45c2feceddc91638e63e408b1e88bf4987f4aaa4997f50df3e27d3a841d0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oahbhj1p\oahbhj1p.cmdline

Filesize
273B

MD5
3daa254dadc2c32cdf24b5a420f80793

SHA1
c606ccc4205b0a67382393e3ab73a36cb11fa31e

SHA256
401bfc8e287c510c296ca2be8e9ff46654d95a88449a91f27db6ebc7aee94c29

SHA512
2e4d014cdfd22e01b313329a5d2d4437c6681dbfd75ff7272206be00666ca3e700a3f6224d9158809ec9781b9133ef9e40c351a086a90a79c1cc939d59892222

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDED8.tmp.exe

Filesize
12KB

MD5
a63bf75ef705ca192722877e113bb2f2

SHA1
83b5adaaf8b0bec2c6cc422853cad6f707f48b6e

SHA256
045a0a561526e61caed818d97026d9f9ef471ef9733914eb2495c57843bc0b9c

SHA512
77ccebbb723184302a2af6708ee290ff63eb5434465e7d937735c3a4fd34f0f93cafd10d0f449aadf0dddd5aadad27d273ff8e44463bbe33b7963089dcf37fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc75BEFA1916F4307BC36A6B0EC227870.TMP

Filesize
1KB

MD5
49333aa3e200ec23958b0440a8f940f8

SHA1
b1b770d33369a5a5e4bcf083acaa641514fedabc

SHA256
462198f0271005272d400c6b6f4dfb60fceaf3aa341d8866243aac84fd06f786

SHA512
40876c14c26dab19e0953144710d57412734312cc8fc7ea0f883c0bbb128f7bafd61e3f4ff49adb5cbf01e083adf1d525b304fd39bc4ab8a1a1ee582a3dfe9df

Download Submit
memory/736-25-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/736-26-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/736-27-0x0000000005310000-0x00000000058B4000-memory.dmp

Filesize
5.6MB

Download
memory/736-28-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/736-30-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/3096-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/3096-8-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/3096-2-0x00000000055C0000-0x000000000565C000-memory.dmp

Filesize
624KB

Download
memory/3096-1-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/3096-24-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing