8e8ec620c9d54c70f3c6e8529e06496b3595fe11d3ff65faab8ca1f081a488e9

General

Target

5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe
Size

12KB
MD5

5d8b5b577a3e502a41c81bb3fa0ec520
SHA1

f40dfeaf876e329194d691bec858b5295fa84e18
SHA256

8e8ec620c9d54c70f3c6e8529e06496b3595fe11d3ff65faab8ca1f081a488e9
SHA512

9980f120922ab8386cb6f1db583af32378acaecd2df40e93eb4ffda68da97b9108a63b349c366cd9ac1e146a214c4df35c3ccf4a90d83ff53ca4f8385d7ff7fb
SSDEEP

384:3L7li/2zzq2DcEQvdQcJKLTp/NK9xalY:7fMCQ9clY

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp538F.tmp.exe

pid process

5100 tmp538F.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp538F.tmp.exe

pid process

5100 tmp538F.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 212 5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe

pid	process
5100	tmp538F.tmp.exe

pid	process
5100	tmp538F.tmp.exe

description	pid	process
Token: SeDebugPrivilege	212	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 212 wrote to memory of 4840	212	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe	vbc.exe
PID 212 wrote to memory of 4840	212	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe	vbc.exe
PID 212 wrote to memory of 4840	212	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe	vbc.exe
PID 4840 wrote to memory of 1716	4840	vbc.exe	cvtres.exe
PID 4840 wrote to memory of 1716	4840	vbc.exe	cvtres.exe
PID 4840 wrote to memory of 1716	4840	vbc.exe	cvtres.exe
PID 212 wrote to memory of 5100	212	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe	tmp538F.tmp.exe
PID 212 wrote to memory of 5100	212	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe	tmp538F.tmp.exe
PID 212 wrote to memory of 5100	212	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe	tmp538F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hsj4pvp0\hsj4pvp0.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5534.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2D59AE5B3F24D178C0FEB92C91540.TMP"
3⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\tmp538F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp538F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
3df7d3d37bd7c77202c5f6ddd3f321d2

SHA1
1b4e9ed6e92fa6ede3d2289f5d629269b44082b8

SHA256
dcbd734296239d3f2a8cc6cd96856c96b3db2cc91c54565e06c8f4c18b998744

SHA512
3e505ba613bfbe698af17eb4a8662417eb4a38250efd52c9ca9b27cb218c5dc6094dd2916513c9f83c61abf03d3ab7a3d356e589b9f04ce317483954a3f17d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5534.tmp

Filesize
1KB

MD5
21e4e0ba24f647b5e5a6fcb46e1000e4

SHA1
aa0b4e49226a45a738ddad74e0c634f74d9432a9

SHA256
9f17dc99391a5193f51307b89a6302fd7ae1242323a891c2a3d56480e9e00ec9

SHA512
897fe6c0140a9f92f9c9bd7ac314730ba1ab99881da0ce9d126ec7f5fc2e9af1d4ceeff0b5be686c30470a87722c09e4de7ed98e440be9bc52f8be2bb8c56a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsj4pvp0\hsj4pvp0.0.vb

Filesize
2KB

MD5
a4bc40ac5296ea2c5e652acaf9ddd824

SHA1
e39bfc92c36a202a2a9a3afb41db53fa1fe31a30

SHA256
969990043eceab9387b63f8d49a43f153008b9b6bcc1d6b5d698b38c39f3e4d2

SHA512
0319b9e06b94dbb6f39dbdb5cba288e94ca4abc808968af95bb97ccd99375b33145c6e3ca54536a26c59934c92c657e2da5587ccd7a4aef53720ae302614c22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsj4pvp0\hsj4pvp0.cmdline

Filesize
273B

MD5
f51abe423dfb0e960b2e23291f34c7fc

SHA1
03b545c76f47c2431997b4021a5119ccc9f1eb07

SHA256
e8b35d4a3c33391ba594e096cd668e10fa3b512f83ad3115ddc9814722fa1c09

SHA512
f7b827cd530d60e6f3d41a1f18323c520cd1790f2ff1bc2201fbeea5b4fe22b44bd69ebc978a044bd6e97dc10920c3843603a4f1ea8e745f9e1387c134cd9b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp538F.tmp.exe

Filesize
12KB

MD5
5f43c5427787388691ceeff8eebd09d4

SHA1
2a016d1f0ef7b8ce62431a73b1626fe131afded8

SHA256
6b7c8383c4aa5a00b7edfe68594ea2db5ee3f33cd72b30bf95db9779dac727ff

SHA512
82a0cf7502c526677ddff6aa61d2958c57316f709fc41d42ceb19aa52caa455f0782d0d6c0d26f5a79ce72511a9ee20aa1b51fcdfa2be99986a0d4dceca5633d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB2D59AE5B3F24D178C0FEB92C91540.TMP

Filesize
1KB

MD5
df0c29a5969c6c32825ce3d98a8d5bc6

SHA1
e0a131bfd983760f8a0aeb98ebccc6bbd834c1ab

SHA256
8676beb612de9d42b33b3734b4f2a6031a2fafcb672eb6d787e0e4c330af18cc

SHA512
88a816a07b8dfccf1065b62c3bdc28d2a11be132cf138fdd30fd898e8729fdbc47f9abeafdd92638d88047091f29f9f11d8ced3ebe8058fa58c3579469e7608c

Download Submit
memory/212-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/212-8-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/212-2-0x0000000004E90000-0x0000000004F2C000-memory.dmp

Filesize
624KB

Download
memory/212-1-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/212-26-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/5100-25-0x0000000000810000-0x000000000081A000-memory.dmp

Filesize
40KB

Download
memory/5100-24-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/5100-27-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/5100-28-0x00000000051E0000-0x0000000005272000-memory.dmp

Filesize
584KB

Download
memory/5100-30-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing