4d9727e5e3f23cb170c3b5ec7ca347bc777ae1e7cd6db5bb9a86c289c3444582

General

Target

449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe
Size

12KB
MD5

449485fa6478bcfbc3f74d4b56232370
SHA1

aee35932f650fd4ef65da22cc0b48dddabd03614
SHA256

4d9727e5e3f23cb170c3b5ec7ca347bc777ae1e7cd6db5bb9a86c289c3444582
SHA512

5cd4c08bdcf56bf745b63a79a96722ed29bf8631bab6c0d3e3145316a273e264408b08ad56dd2e7b3aca4757f01bb1f99c13fb5935b16092969205bc7eec34bf
SSDEEP

384:5L7li/2zgq2DcEQvdhcJKLTp/NK9xaIn:JMM/Q9cIn

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp473B.tmp.exe

pid process

2916 tmp473B.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp473B.tmp.exe

pid process

2916 tmp473B.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 4220 449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe

pid	process
2916	tmp473B.tmp.exe

pid	process
2916	tmp473B.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4220	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 4220 wrote to memory of 3844	4220	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe	vbc.exe
PID 4220 wrote to memory of 3844	4220	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe	vbc.exe
PID 4220 wrote to memory of 3844	4220	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe	vbc.exe
PID 3844 wrote to memory of 2720	3844	vbc.exe	cvtres.exe
PID 3844 wrote to memory of 2720	3844	vbc.exe	cvtres.exe
PID 3844 wrote to memory of 2720	3844	vbc.exe	cvtres.exe
PID 4220 wrote to memory of 2916	4220	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe	tmp473B.tmp.exe
PID 4220 wrote to memory of 2916	4220	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe	tmp473B.tmp.exe
PID 4220 wrote to memory of 2916	4220	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe	tmp473B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\11kppx0w\11kppx0w.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES496D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7AF6D3738C25446B95EEC851AAB0D8B.TMP"
3⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\tmp473B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp473B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11kppx0w\11kppx0w.0.vb

Filesize
2KB

MD5
44f4e37e82306b372df790282d7c588b

SHA1
18756b087d72bc29ae9795c65ebd1d483faa7ac2

SHA256
7ded6796f11d2549c3a9c28e8d71d0afd940822028154cba91cb8e1cf9d6f158

SHA512
03a874361ead4fffde526a65a43ebdad0573a188df6e30beb04eadadefb514071340e225d2daff2f05e8d808d8ad6dd39f21b237b710cc216367bbab0c96f7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\11kppx0w\11kppx0w.cmdline

Filesize
273B

MD5
b1bd6eac05df8e43db9f33cf520fbc78

SHA1
9f28da23a6b88bf5ab2bc71986b964ed6aa7c99c

SHA256
ace194bd8b8bd775557f3f09476661538c73d1dd139db311d1a4bc6c4f7ed8e6

SHA512
cfa630d8aabd06d66800649064a8e38a44d1253f887fab3cfed482ae863902251b7fe407bc9c02fce8b18e937d83ba826b5776466369bc335ad1bbefed32ff6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
5a9672964ade6afe248aa1e9cc31d0f6

SHA1
13f1762a874b311e288d2052cc17fad51c389908

SHA256
73277a4050310ca5dc35d635e3e23a478a86c8feb05c2cfa9195631f5bd013d6

SHA512
8a6da96f84be8f3418194c9fb05a65cd604ae2e5047def8859594c71b9020b2b56e3647f68894d7813b7a9f591658f6dfad0c4841fd3e9bf6312b835bd86e56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES496D.tmp

Filesize
1KB

MD5
dfa155451cc3419296e3b1a3e79e5d02

SHA1
f1f99d4875da5169d3b64ad2bbe1165e796a4154

SHA256
3ecbf4db9bc4a20a202fa4dfc1ae6ce5f0a36f137ce5ed8c00b5048f9b8c7c4c

SHA512
3cfcc0ed11d8c52f4d384df54baec1e78173f27c8f2b28873339ed7b09ecaf0726168c038992a059b5c09ca6d911c240ed235d269c0a945a45d24f3392e34c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp473B.tmp.exe

Filesize
12KB

MD5
f9867c7eda9c5964b690fa10dab73d6e

SHA1
ed06c72dd920ffbc7cdee7ee7517271763f4b1e2

SHA256
70a49b8e0d5c610ae9e89b4c9a20bde16a34de3413ca19dd3cd6f84b07e09087

SHA512
5e38671f3ab995fcd765213ece75e79c00bf3aed3657463ed61cd2c372a563eb2eac308e318269cb7ccb7cafc8c188844d37c12cd3db6561756c765602a8648b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7AF6D3738C25446B95EEC851AAB0D8B.TMP

Filesize
1KB

MD5
53a3228566eb573b71dec6d698a007c2

SHA1
a813554156a40b71550313eef42cbc9978a6e0d4

SHA256
6352fe2f515aa575ef41dbde0e72c5d032c125aa008799027a959b569514d5c6

SHA512
77eb8122fd3bf3265479c420dfdde23df6c752c83389db8817d2e0fbc5c07e2debc771debfac8ed5d0e71f510bbaa9fef0fbadb5556e521d0c5ede2fe3394353

Download Submit
memory/2916-24-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/2916-26-0x0000000000640000-0x000000000064A000-memory.dmp

Filesize
40KB

Download
memory/2916-27-0x0000000005570000-0x0000000005B14000-memory.dmp

Filesize
5.6MB

Download
memory/2916-28-0x0000000004FC0000-0x0000000005052000-memory.dmp

Filesize
584KB

Download
memory/2916-30-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/4220-8-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/4220-2-0x0000000004C30000-0x0000000004CCC000-memory.dmp

Filesize
624KB

Download
memory/4220-1-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/4220-0-0x000000007514E000-0x000000007514F000-memory.dmp

Filesize
4KB

Download
memory/4220-25-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing