e7e30d1529a9f67fdc329879a8cdb69ccc4e786bea4f1d381bfd5c14000fff0f

General

Target

5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe
Size

12KB
MD5

5327dba4c391612979b365b5879803e0
SHA1

c6932c7ca8601b7429d813e5987b786624df7de5
SHA256

e7e30d1529a9f67fdc329879a8cdb69ccc4e786bea4f1d381bfd5c14000fff0f
SHA512

6d64b8401d4f31a2d7ef9621b974a0f7f8b242a8ac78874db442ca7706953118a37c3b9d62f9ae94c0c32af01668e6c68074cdd7b4f2664855df4808359c242e
SSDEEP

384:9L7li/2zUq2DcEQvdQcJKLTp/NK9xaNv:tIMCQ9cNv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp5516.tmp.exe

pid process

1624 tmp5516.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp5516.tmp.exe

pid process

1624 tmp5516.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 4820 5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe

pid	process
1624	tmp5516.tmp.exe

pid	process
1624	tmp5516.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4820	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5327dba4c391612979b365b5879803e0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 4820 wrote to memory of 2764	4820	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe	vbc.exe
PID 4820 wrote to memory of 2764	4820	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe	vbc.exe
PID 4820 wrote to memory of 2764	4820	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe	vbc.exe
PID 2764 wrote to memory of 3932	2764	vbc.exe	cvtres.exe
PID 2764 wrote to memory of 3932	2764	vbc.exe	cvtres.exe
PID 2764 wrote to memory of 3932	2764	vbc.exe	cvtres.exe
PID 4820 wrote to memory of 1624	4820	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe	tmp5516.tmp.exe
PID 4820 wrote to memory of 1624	4820	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe	tmp5516.tmp.exe
PID 4820 wrote to memory of 1624	4820	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe	tmp5516.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2ewvtye5\2ewvtye5.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES566D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF612C2611174482BABAF496B79C19.TMP"
3⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\tmp5516.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5516.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2ewvtye5\2ewvtye5.0.vb
Filesize
2KB

MD5
71bda8d0c133758f1ec4a0c726932a9d

SHA1
82d80434046aa2ce8a5ec8604eefd40e436d8683

SHA256
a5229cc61fa427ceaa953706919f4710e39cda292e2ae90a499b3a5f60482800

SHA512
ed06a0f3ce0259505a0d1ea927b00585ed8e3b90e1938be9a07481fe7434adf10f7a236901f960e5ce92983f6c155265f80ad2464eaabedf97b64862399dceb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ewvtye5\2ewvtye5.cmdline
Filesize
273B

MD5
0c03dc107292ad1c762b49857a71d859

SHA1
741460bd30b6a51a599a83810be9da311d974205

SHA256
6596d65fb04262f39c272a4cb0cf84a7af5a3954f1ccf8e70ec0c7fe1d2a9ea3

SHA512
c12ff148859ee7cd6ddb986e9a37d6a0837c091be49d0a81817d14074e528b2e39fbddad40cdec4010491feab6a4066fbcab574371b4973f5a2bf996d53901f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
aea665f61d26923bed7eb877b3f03d36

SHA1
e3d325a96b33130e0180ec697365ea2b88aad5c4

SHA256
d59da9e3a11e044ae1b7dc1c9c6555a578005ab0b0d381fedbcdca5daf6d4602

SHA512
806b867f6c5335463bc48707a6d477e2d331419934560e58eff202c5b3a459a77b41e74b9a393b711c696b81008fe3f6cc0192ec73e74005e23eb58ee5e0db11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES566D.tmp
Filesize
1KB

MD5
8354056152efd57d571ce4f7ab87f43f

SHA1
033bd0153e000cdc2ad6ae97ca3e217f14b36716

SHA256
b37e8e5fa2a1eba8e1fb3d542356d4457bed44f226bb96c264606d315523f526

SHA512
a6d7d1b54fbb32f5fbab2c4bc24e52a692c456330ce179dc7fcc79997af425e83b6b4acb3da169ca0a990f88f93d1036e3b19b6f5626dffc41887a8cb176864d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5516.tmp.exe
Filesize
12KB

MD5
66ec47a6714ef3d954bed57f1ab1afec

SHA1
a22e290f278c80f6b799b967170e723bfac57360

SHA256
6c4d92fbf786d66ccbd7656fa6f47612f2bd321a5a48b15df777e209eb3f87d7

SHA512
7c40bc587e34abdfe0b1ef43492f6f65863daf172ad8a00b82c4fcae2e341ad0561b44a8fb480927db2a21a0bd97beb5c159b4b7c55f68e18584196ee987298b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBF612C2611174482BABAF496B79C19.TMP
Filesize
1KB

MD5
255f6f9664b7675898bd714196aba6b8

SHA1
520ba5e33f9fdff40368fca1c74b9bc35e574230

SHA256
e8f634c069443bf2b55928af2cf710fed0287aa79e011378415e4b26f6acb0f0

SHA512
51418fed8bf0c5ff71999b497629364833627c9a8874d101596b88fde9d13a24e94039984b3bf0bb9de87a929385c4851db073971a1f2a656a7e71d941d6dca0

Download Submit
memory/1624-25-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/1624-26-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/1624-27-0x0000000005A40000-0x0000000005FE4000-memory.dmp

Filesize
5.6MB

Download
memory/1624-28-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/1624-30-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/4820-8-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/4820-2-0x00000000056A0000-0x000000000573C000-memory.dmp

Filesize
624KB

Download
memory/4820-0-0x00000000752AE000-0x00000000752AF000-memory.dmp

Filesize
4KB

Download
memory/4820-1-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download
memory/4820-24-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing