d31ad3018fc3d309e862d5bdadd979716b030d414c0e593938e84c3fbf663096

General

Target

5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe
Size

12KB
MD5

5430912b5e0babca8426a2defbe5df30
SHA1

83097dbc256d389977ec4167f8349c13b1cc8796
SHA256

d31ad3018fc3d309e862d5bdadd979716b030d414c0e593938e84c3fbf663096
SHA512

00d1a16a5b6d346d63a9370b45ab16c7c0685efe4b14256d0ec05ea29c1f0bf1cb7d4f2d2f5e764fb5026cae7527be5ee4fce3034123e2e9e4f7e0aad8b330e7
SSDEEP

384:cL7li/2zKq2DcEQvdQcJKLTp/NK9xams:6aMCQ9cms

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp3549.tmp.exe

pid process

2712 tmp3549.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp3549.tmp.exe

pid process

2712 tmp3549.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1664 5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe

pid	process
2712	tmp3549.tmp.exe

pid	process
2712	tmp3549.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1664	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 1664 wrote to memory of 4444	1664	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe	vbc.exe
PID 1664 wrote to memory of 4444	1664	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe	vbc.exe
PID 1664 wrote to memory of 4444	1664	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe	vbc.exe
PID 4444 wrote to memory of 1960	4444	vbc.exe	cvtres.exe
PID 4444 wrote to memory of 1960	4444	vbc.exe	cvtres.exe
PID 4444 wrote to memory of 1960	4444	vbc.exe	cvtres.exe
PID 1664 wrote to memory of 2712	1664	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe	tmp3549.tmp.exe
PID 1664 wrote to memory of 2712	1664	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe	tmp3549.tmp.exe
PID 1664 wrote to memory of 2712	1664	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe	tmp3549.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wkoqj05a\wkoqj05a.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES371D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7F73DD86D4C4AEF8F53B733E0FB64AE.TMP"
3⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\tmp3549.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3549.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
9e9cdbee36c64c74d4902a58a4aafbe6

SHA1
08a50e2077ee3cd8658a537e5afee8d9cdae75d7

SHA256
40373a534b91478adeb58481ddff312d5f1b72f0c5c9f35721b79afeaf012e1f

SHA512
55d84a5ef92bc0790fb6da475a2bab439df8619cd45443db814f6f261350e46a71ddf4f9cd3a7541057ef33c489776b57dd319bfd774a010d02e06840a30f9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES371D.tmp

Filesize
1KB

MD5
d758e37b3534a51a3986529768b57d73

SHA1
bdfd8cf60359595dee157943873b27fb2d5276b9

SHA256
2c21c61f63033378c5bcd4e8964b3882b15b4fec362659e77fa749146ab06424

SHA512
5449db1a56d9c5e342f4776df7bff5863bc4cfa838353a6ddfc28fc92e577e31e269d60b9b8d3c6eafac825e6ad93253f92563a23faceaa03574e889fb097a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3549.tmp.exe

Filesize
12KB

MD5
9a06e0fc59985d7f8bd7bcf59673d5e1

SHA1
9aa7de1e9c99d170766153593cee55b4c9dbc791

SHA256
009aa192eb968e113d66bb7123b41da8407d2104fa7635eaee367649c925fcfc

SHA512
dadef53580677946d50e6d5308c2d44d6cca6bd5158a3573073de02052be550e0fdea465d2bd1a22c7d8211ecc3c0a074258a01c30f8c21be3ba9ad4ce3ba7b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD7F73DD86D4C4AEF8F53B733E0FB64AE.TMP

Filesize
1KB

MD5
d829b2d83e6abb686e9d24dc7958f899

SHA1
3b26a956b618024e7319fc3e612cce8d0828f3e9

SHA256
4785adf98bb9472ff437bfc75ac88043a4e9c55727786364cb833190320933f4

SHA512
3446917398b5757523e2ddd287f8b7d2cb70d9a5b4882074ad03af1b0b099102f1a35dae5302c26689b13c508d818b74f73c5f1210dcb06be17630a92297abfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkoqj05a\wkoqj05a.0.vb

Filesize
2KB

MD5
91bd59587bf25271221af97fc25e3708

SHA1
cbc794aa79954727fb2fa57d46675064243e8f33

SHA256
7b9a7796d534c9afa5c76e422a565dc913673e4fe35f30341eadb1ecbcff07da

SHA512
55f963e0a5733aab94f5bec15d116c93593189d1c0540ff893ce46c136acd6c7e8db3972ac1a9539ced45ba67359ed67ccdeb33615479b7eda05bc73cbaa4159

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkoqj05a\wkoqj05a.cmdline

Filesize
273B

MD5
05aacc0308fa0228bef767eedbad5c85

SHA1
e3cc5cf1c8879055d74d75c4fd1eb5b6995b856c

SHA256
0eb2b0e2fdd8d5d0af0cae66bae5c6c819f8ade141e37dccad03a467a41ac7c2

SHA512
0feef32e350551351e45b89136aad2438f61249c709fa358eb79a4ae5b1358086e6e7480d6efa72d497b1e4ebd20ff7880d3d52710404cd13e0955007a0de9fe

Download Submit
memory/1664-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/1664-8-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/1664-2-0x0000000004F90000-0x000000000502C000-memory.dmp

Filesize
624KB

Download
memory/1664-1-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/1664-24-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2712-26-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2712-25-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2712-27-0x0000000005110000-0x00000000056B4000-memory.dmp

Filesize
5.6MB

Download
memory/2712-28-0x0000000004C00000-0x0000000004C92000-memory.dmp

Filesize
584KB

Download
memory/2712-30-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing