a369ae72022ab826237f423b80ad7d3c610deef78c5e9389da9d941f35f5690d

General

Target

5684e968d5c2325fd45ec950b898b5d0_NeikiAnalytics.exe
Size

12KB
MD5

5684e968d5c2325fd45ec950b898b5d0
SHA1

56fef1b7401bbdf39788b49b88766563e763f136
SHA256

a369ae72022ab826237f423b80ad7d3c610deef78c5e9389da9d941f35f5690d
SHA512

129953e417a0837d53e951ae15e6c2bdd8cccbd7f017c58f5effb0a9162448322832ac05de5fe34f4e1bf33dfe703d1de5200a157eb60c56940eb9ab7b5a96c1
SSDEEP

384:aL7li/2zpq2DcEQvdQcJKLTp/NK9xaQz:EhMCQ9cQz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5684e968d5c2325fd45ec950b898b5d0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	5684e968d5c2325fd45ec950b898b5d0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp293F.tmp.exe

pid process

2524 tmp293F.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp293F.tmp.exe

pid process

2524 tmp293F.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5684e968d5c2325fd45ec950b898b5d0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 4292 5684e968d5c2325fd45ec950b898b5d0_NeikiAnalytics.exe

pid	process
2524	tmp293F.tmp.exe

pid	process
2524	tmp293F.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4292	5684e968d5c2325fd45ec950b898b5d0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5684e968d5c2325fd45ec950b898b5d0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 4292 wrote to memory of 1408	4292	5684e968d5c2325fd45ec950b898b5d0_NeikiAnalytics.exe	vbc.exe
PID 4292 wrote to memory of 1408	4292	5684e968d5c2325fd45ec950b898b5d0_NeikiAnalytics.exe	vbc.exe
PID 4292 wrote to memory of 1408	4292	5684e968d5c2325fd45ec950b898b5d0_NeikiAnalytics.exe	vbc.exe
PID 1408 wrote to memory of 4708	1408	vbc.exe	cvtres.exe
PID 1408 wrote to memory of 4708	1408	vbc.exe	cvtres.exe
PID 1408 wrote to memory of 4708	1408	vbc.exe	cvtres.exe
PID 4292 wrote to memory of 2524	4292	5684e968d5c2325fd45ec950b898b5d0_NeikiAnalytics.exe	tmp293F.tmp.exe
PID 4292 wrote to memory of 2524	4292	5684e968d5c2325fd45ec950b898b5d0_NeikiAnalytics.exe	tmp293F.tmp.exe
PID 4292 wrote to memory of 2524	4292	5684e968d5c2325fd45ec950b898b5d0_NeikiAnalytics.exe	tmp293F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5684e968d5c2325fd45ec950b898b5d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5684e968d5c2325fd45ec950b898b5d0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2znvqr14\2znvqr14.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES318B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89271F46FB8E42CD8FCEFF931E85271F.TMP"
3⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\tmp293F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp293F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5684e968d5c2325fd45ec950b898b5d0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:2452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2znvqr14\2znvqr14.0.vb
Filesize
2KB

MD5
a70992d43eb9d24eb87888a538686506

SHA1
804038391e87453695cfc70dd9f612b131124c2b

SHA256
3fcb4b7ebd4a02a827513c003786524bf7454d601890bd9760ed6e94bfbfd63e

SHA512
cd2b209217fddd941082d4b4cfad2e80e3906c91f87d2f68087bb147f06eaaf9e5153e4bb2b734f7f02afb85043426411661f570513a4e21f731c06ebb606553

Download Submit
C:\Users\Admin\AppData\Local\Temp\2znvqr14\2znvqr14.cmdline
Filesize
273B

MD5
3fe476400dc11e218a5151b2b721abad

SHA1
f8c72abf6fe50339e2a3663a2515e9dbc6a0378b

SHA256
3efe6b9a3dd840d7f582e2269451b1d84de83ae674539f34840603759d5e357a

SHA512
e31aed88ed3be2e59fecc90a44cc20a5861c7410b4ccecb7e0316d8bb34180e3c3d4ab62205bcacbd95cf653f68ee8d23700861a81ce8a0f705ac638445eb25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
eabb16ba774dceb67be50bc773cba4d3

SHA1
b97fe47de339b96cd4c507fd21a75196ed47dce2

SHA256
7da0c6486285f72685113c3a9233a125656b5fc6faca95551701f8d088e34abc

SHA512
f04e6943d33b9408b694b65402eb8a3dc6694cfee9ef354b643360d4f143eff1b5c25b9da0f19ecb0088a2579db35ea33de8bc112c0b41bb661fa3e43ec2b2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES318B.tmp
Filesize
1KB

MD5
2277b42c893a9f4c15a068d117406ee8

SHA1
66f98574a35621625f2d2e6919f2b369424b4a5d

SHA256
ef21a83dbbd39d0b1acb40a18fc41413839e2c1e8845ff2f87138462973ce484

SHA512
9e1baa027aa4084ac14f81feae44b47622372c1de2c68292a50216bb90ecceed86b6992b3bcc125008a2c77afae592fa9359e7fe298525ce5e6ca0b871c447c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp293F.tmp.exe
Filesize
12KB

MD5
662364dd18dadad0b3b3f6f350070a88

SHA1
e5ca69ad609d685bec8860b16e63f8a8545c5a9c

SHA256
53b923f3aee8329f130015627356bdbd89e3fa1a88a40b107fef0c9542d11ddf

SHA512
2f78a773e96c9abad7bb39e9360eb597d35020fc2004816ce06c77d792b5f71d966033e2f0d00496fac2924ed236f76fa48cf6fb595eb57a88123bedb401daa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc89271F46FB8E42CD8FCEFF931E85271F.TMP
Filesize
1KB

MD5
31b986a35ba6c6e1c276c0514aca9616

SHA1
f0ac0a9b7b73c5554fc270a96f5eefdca53a679c

SHA256
7b1e991581d7c305bf46580208c371cba364990189748b42b90b80fbd072e7a6

SHA512
00b9298b99f135c8a7c785616133d48c65fe5b39ea3a5d26b319990e2166edebb7158238122ce38d594dba1ae273cf7353add13610e3e0d13e8878f4aad55d36

Download Submit
memory/2524-24-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/2524-25-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/2524-27-0x00000000054A0000-0x0000000005A44000-memory.dmp

Filesize
5.6MB

Download
memory/2524-28-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/2524-30-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4292-7-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4292-2-0x0000000004D30000-0x0000000004DCC000-memory.dmp

Filesize
624KB

Download
memory/4292-1-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/4292-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/4292-26-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing