77d8effb48e17967be15e01e79c94918fc511886421d8a49c498740248336250

General

Target

4aed43aaf96bb52379e121f531bff450_NeikiAnalytics.exe
Size

12KB
MD5

4aed43aaf96bb52379e121f531bff450
SHA1

ce41377b9d98a35b484ddaafaa6467a2ebfc1902
SHA256

77d8effb48e17967be15e01e79c94918fc511886421d8a49c498740248336250
SHA512

13d0fdb7732e67ab1de658a1a093ac965f101b61fc3f77df1ceddb200ea454d5e99f38a7141040e4bcb9fdfaeb03bb9ccb5f5a1c92a192a965c3e43f27342613
SSDEEP

384:YL7li/2z/q2DcEQvdQcJKLTp/NK9xa0j:mrMCQ9c0j

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4aed43aaf96bb52379e121f531bff450_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	4aed43aaf96bb52379e121f531bff450_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmpEDDB.tmp.exe

pid process

3520 tmpEDDB.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpEDDB.tmp.exe

pid process

3520 tmpEDDB.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4aed43aaf96bb52379e121f531bff450_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 5052 4aed43aaf96bb52379e121f531bff450_NeikiAnalytics.exe

pid	process
3520	tmpEDDB.tmp.exe

pid	process
3520	tmpEDDB.tmp.exe

description	pid	process
Token: SeDebugPrivilege	5052	4aed43aaf96bb52379e121f531bff450_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4aed43aaf96bb52379e121f531bff450_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 5052 wrote to memory of 3128	5052	4aed43aaf96bb52379e121f531bff450_NeikiAnalytics.exe	vbc.exe
PID 5052 wrote to memory of 3128	5052	4aed43aaf96bb52379e121f531bff450_NeikiAnalytics.exe	vbc.exe
PID 5052 wrote to memory of 3128	5052	4aed43aaf96bb52379e121f531bff450_NeikiAnalytics.exe	vbc.exe
PID 3128 wrote to memory of 1916	3128	vbc.exe	cvtres.exe
PID 3128 wrote to memory of 1916	3128	vbc.exe	cvtres.exe
PID 3128 wrote to memory of 1916	3128	vbc.exe	cvtres.exe
PID 5052 wrote to memory of 3520	5052	4aed43aaf96bb52379e121f531bff450_NeikiAnalytics.exe	tmpEDDB.tmp.exe
PID 5052 wrote to memory of 3520	5052	4aed43aaf96bb52379e121f531bff450_NeikiAnalytics.exe	tmpEDDB.tmp.exe
PID 5052 wrote to memory of 3520	5052	4aed43aaf96bb52379e121f531bff450_NeikiAnalytics.exe	tmpEDDB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\4aed43aaf96bb52379e121f531bff450_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4aed43aaf96bb52379e121f531bff450_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fpxxnovi\fpxxnovi.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF71.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1AB9FD1F8304261A324AE8828BF5E5.TMP"
    3⤵
    PID:1916
- C:\Users\Admin\AppData\Local\Temp\tmpEDDB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEDDB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4aed43aaf96bb52379e121f531bff450_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4672 /prefetch:8
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
00ccd431185c907d76b35c3ae5c13369

SHA1
025ceb956b93c9602a627f1df47eb13d89a64752

SHA256
24deccf4bb0b97e3f226dd9b93ae5a6ce0a40a3956418d3ff104e674c7446879

SHA512
e8bc685dbbf1b18c5554eab54fd483381870643b6907f26f3f80acd2cde7f8b50b4404c9676f6a3f30ec8a2e2be93619f8c62e1a13befc8d5e16b8212df37c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEF71.tmp

Filesize
1KB

MD5
2682a07179b415679ac17468984a79a7

SHA1
42437d448b2f86451e4abc42cafbcefeedaf1a3a

SHA256
31af7cd28e47cdf9bed32c99d53f0f10642e3bc4159b9b5faf45995668bcda30

SHA512
c8a4eae3d1b03dd2a2904d6057290525bca50e7fc1c421fcd26c6c264694e1e6de6275b10cc637952f650af747415ce27531213fef5edc21d461b324681362c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpxxnovi\fpxxnovi.0.vb

Filesize
2KB

MD5
04e3106f94de239f7a9ef57c693aafaf

SHA1
00071f11496be02a1251b566cff232929f0198d1

SHA256
da1e30214aae6c88e9d9a8a4157f9d2bc15571ac312de4a56e498481064b9bf8

SHA512
b750f866cc72628c69d4026c82f3211998f323b7ae6e7f3b6a696dea05a110806d8330abe467687096dced541bf45663c4d58f9e96134d00db01e8f0a1b5bdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpxxnovi\fpxxnovi.cmdline

Filesize
273B

MD5
4b3a8a681068e20fc3a446a2e7daeddf

SHA1
8b6dda5bbc549e749c9bafa046d8a1b9e9f1f070

SHA256
a8073a2f4a1bf53963058260923c061809bf269d592c76aa7080fa68aec123d4

SHA512
c262c4cb63fa9932d12823f0b6c5cb9a1232d0a7c901bf4f00d18bc7a183af8263a921245dbb276eb88bcc8d112da9053a7a0f22717984c2eab2de77cbc549cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEDDB.tmp.exe

Filesize
12KB

MD5
c325278afc793231ac081eb9aff5008b

SHA1
e92b4f547460f49328c09f64a180e3c08d1dd3c9

SHA256
44e6776a2f25e28ac1c3b805681de414bb3cbf4db8f5eece5889082a8ce4cc95

SHA512
4959968e91353c14afe56358bd779e34361377176542aafc25b45d1a288451d1fb0f2be011493fe49f2b7a35a374270b6b403011abd19307c9c8818ba2af320d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD1AB9FD1F8304261A324AE8828BF5E5.TMP

Filesize
1KB

MD5
20afb436e7d4efb9aef1c4d373a71eef

SHA1
271ef9d1338f8ad8895930a3d8ea51eade246e3b

SHA256
c7ed622d745d665fb2c084f2fb83d1cc1b42e7981327ebe9371717d8d1f2df73

SHA512
c64a4cf4c2a2cbd0a12128371fd13c631237b99d9f241d9e6a25801634f8436887a2839a972b9eb1979444d0b12170d0d71086899cd32120207578581e201c01

Download Submit
memory/3520-26-0x00000000009E0000-0x00000000009EA000-memory.dmp

Filesize
40KB

Download
memory/3520-25-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/3520-27-0x00000000058E0000-0x0000000005E84000-memory.dmp

Filesize
5.6MB

Download
memory/3520-28-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/3520-30-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/5052-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

Filesize
4KB

Download
memory/5052-8-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/5052-2-0x0000000005350000-0x00000000053EC000-memory.dmp

Filesize
624KB

Download
memory/5052-1-0x0000000000A10000-0x0000000000A1A000-memory.dmp

Filesize
40KB

Download
memory/5052-24-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing