57825a7159ffc039e603df819537cc86b22c8dabd6ae377e1947d303fa4a435c

General

Target

587c174ab3f3747cd6d8c0e310d1fc10_NeikiAnalytics.exe
Size

12KB
MD5

587c174ab3f3747cd6d8c0e310d1fc10
SHA1

8c44a280f87d939c15390b830daa8b85cb0177d1
SHA256

57825a7159ffc039e603df819537cc86b22c8dabd6ae377e1947d303fa4a435c
SHA512

3c6b5f1011293f48f14d6556d040000aa909b13c4b91e81b4fa4a1cbca1ce169b923fc89d581b4279ea6992d880609d129f36ef48af1c6f02ad159bf10ba54fe
SSDEEP

384:lL7li/2zTq2DcEQvdQcJKLTp/NK9xam/:l/MCQ9cm/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

587c174ab3f3747cd6d8c0e310d1fc10_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	587c174ab3f3747cd6d8c0e310d1fc10_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp4660.tmp.exe

pid process

4572 tmp4660.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp4660.tmp.exe

pid process

4572 tmp4660.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

587c174ab3f3747cd6d8c0e310d1fc10_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 3572 587c174ab3f3747cd6d8c0e310d1fc10_NeikiAnalytics.exe

pid	process
4572	tmp4660.tmp.exe

pid	process
4572	tmp4660.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3572	587c174ab3f3747cd6d8c0e310d1fc10_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

587c174ab3f3747cd6d8c0e310d1fc10_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 3572 wrote to memory of 2368	3572	587c174ab3f3747cd6d8c0e310d1fc10_NeikiAnalytics.exe	vbc.exe
PID 3572 wrote to memory of 2368	3572	587c174ab3f3747cd6d8c0e310d1fc10_NeikiAnalytics.exe	vbc.exe
PID 3572 wrote to memory of 2368	3572	587c174ab3f3747cd6d8c0e310d1fc10_NeikiAnalytics.exe	vbc.exe
PID 2368 wrote to memory of 4024	2368	vbc.exe	cvtres.exe
PID 2368 wrote to memory of 4024	2368	vbc.exe	cvtres.exe
PID 2368 wrote to memory of 4024	2368	vbc.exe	cvtres.exe
PID 3572 wrote to memory of 4572	3572	587c174ab3f3747cd6d8c0e310d1fc10_NeikiAnalytics.exe	tmp4660.tmp.exe
PID 3572 wrote to memory of 4572	3572	587c174ab3f3747cd6d8c0e310d1fc10_NeikiAnalytics.exe	tmp4660.tmp.exe
PID 3572 wrote to memory of 4572	3572	587c174ab3f3747cd6d8c0e310d1fc10_NeikiAnalytics.exe	tmp4660.tmp.exe

C:\Users\Admin\AppData\Local\Temp\587c174ab3f3747cd6d8c0e310d1fc10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\587c174ab3f3747cd6d8c0e310d1fc10_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xh0ntgli\xh0ntgli.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4825.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc41F74011A374DD095A6FB9B16BAC61.TMP"
3⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\tmp4660.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4660.tmp.exe" C:\Users\Admin\AppData\Local\Temp\587c174ab3f3747cd6d8c0e310d1fc10_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
eedf174f3d37f3db44cd42467a85ea6c

SHA1
4506530ee08b7a9ed77bc0aee61a368fc4062c53

SHA256
6cd4e695502c8673f9aa73e753c29d9119dd468abf4b0811c75c740025c64db5

SHA512
4a95086e25a83059c8109dce5c598d9247eb623443e44d24704351e1e6d75e07f28ae502a7838cabc3ad985312f024e52d85991d054f8254e5950f8ab967d6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4825.tmp

Filesize
1KB

MD5
26043998b84fd81e03053fbd03e5e64a

SHA1
107421b5e7e4871b808613dfc7c05b43df740651

SHA256
1e707130854c16bfeefec69de2a8fa135cf92ff70a1cbf65d11c2eebbb762469

SHA512
02fd850475bb0e4c533501fe9a8223d6f1c106fc3c4cb6f4e3613f037e5eec4424f5b6ae996114fcf444b2f3f71bdc7d44a800893ee116d3565b3fa0203813fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4660.tmp.exe

Filesize
12KB

MD5
cf34dc70ad3e6258438004683cf68cbe

SHA1
21f5bad38b624a6369515c74c5117ccab897a8ae

SHA256
fa56af335ed543ad6288c12e37ea5d8edefc18dc0d5f2118575e31e5a1a3300f

SHA512
e1cf900add87dad087151944dcec34be3883f579e05060ca232ec9586fd02ff6091f7a6042f562c14eaa9dedf375d512f0c0974688caecc33570bec5dc0daefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc41F74011A374DD095A6FB9B16BAC61.TMP

Filesize
1KB

MD5
ecaa20639475e2c767db41626c7a93b3

SHA1
6ba8642daf7e97d901684a8c0e7a10ef6037faab

SHA256
c1e518ed78e92f9e0a4c8ed622e8a695d0923fca2cdf5d7b3bcc8fc247de55c2

SHA512
8d3bfd9d41275a51356075c197bd53d3c7bc738d21a2f5017ecdaf0272bc239a889cd1daef0390d90dc5f9894ca5fe9f028b28147502991c78941b0067b1f73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh0ntgli\xh0ntgli.0.vb

Filesize
2KB

MD5
e51019abbaa0d7f741344e7a1ba9eff0

SHA1
876b1094811e1d95915750ec8da27b44a9fc7b98

SHA256
6a20fd14ed00960b4e3f3bf66e46d692a067352609fc8e9ab5199e97baa6b394

SHA512
b7e62a57051210c95b6acbcac6114d78fc0ee7c46a5218a13139121a16d7f6a2b117d9421d7333972e95b773fe8c1e30df0a75ba86d8cab36a528b1606d3b50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh0ntgli\xh0ntgli.cmdline

Filesize
273B

MD5
cf113966c4a1e92f2daabf21cd2d08fc

SHA1
84864ec1f3e8e6ce68b520b4e79ff652e0c8fe05

SHA256
84ccf8aa0569dde689810de82b7f0738ad50af470b2c92435d670e283e47d49d

SHA512
f14157ffa3e8b4ffa50791cc8af3ac92ae4ab8d032ffed31cf2047868ae577877eddc296585838b4898546c0e5907cfd021b48f7140dfd490c9ae62f5002e187

Download Submit
memory/3572-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/3572-8-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/3572-2-0x0000000005480000-0x000000000551C000-memory.dmp

Filesize
624KB

Download
memory/3572-1-0x0000000000B20000-0x0000000000B2A000-memory.dmp

Filesize
40KB

Download
memory/3572-24-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/4572-26-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/4572-25-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/4572-27-0x0000000005090000-0x0000000005634000-memory.dmp

Filesize
5.6MB

Download
memory/4572-28-0x0000000004AE0000-0x0000000004B72000-memory.dmp

Filesize
584KB

Download
memory/4572-30-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing