c5763ac37f7e6584d7c77112bb21e5fc4f54c67240e8ab53ea3728fba7907d39

General

Target

5b6ac7506801860708ded99e9e853e90_NeikiAnalytics.exe
Size

2.2MB
MD5

5b6ac7506801860708ded99e9e853e90
SHA1

a0fb60df467f30e363f50415aca4d3bdb1bc1279
SHA256

c5763ac37f7e6584d7c77112bb21e5fc4f54c67240e8ab53ea3728fba7907d39
SHA512

42bb8bb51fbfc326b846e6a835adcd4c5ab390b2b2f0f5c0371e910dc56506cd54fec0c20a36941580aa8368eb450c52fedeaa63022907279b7f2de6d050232e
SSDEEP

49152:mW94v+AWYCIl1lwdQ/etn5HfH1hLQ/NE25OqCWViCAB:bJAWYll1lwd/npPLm+PRW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5b6ac7506801860708ded99e9e853e90_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	5b6ac7506801860708ded99e9e853e90_NeikiAnalytics.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

3276 MsiExec.exe

pid	process
3276	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

5b6ac7506801860708ded99e9e853e90_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	5b6ac7506801860708ded99e9e853e90_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3016	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3016	msiexec.exe
Token: SeSecurityPrivilege	852	msiexec.exe
Token: SeCreateTokenPrivilege	3016	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3016	msiexec.exe
Token: SeLockMemoryPrivilege	3016	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3016	msiexec.exe
Token: SeMachineAccountPrivilege	3016	msiexec.exe
Token: SeTcbPrivilege	3016	msiexec.exe
Token: SeSecurityPrivilege	3016	msiexec.exe
Token: SeTakeOwnershipPrivilege	3016	msiexec.exe
Token: SeLoadDriverPrivilege	3016	msiexec.exe
Token: SeSystemProfilePrivilege	3016	msiexec.exe
Token: SeSystemtimePrivilege	3016	msiexec.exe
Token: SeProfSingleProcessPrivilege	3016	msiexec.exe
Token: SeIncBasePriorityPrivilege	3016	msiexec.exe
Token: SeCreatePagefilePrivilege	3016	msiexec.exe
Token: SeCreatePermanentPrivilege	3016	msiexec.exe
Token: SeBackupPrivilege	3016	msiexec.exe
Token: SeRestorePrivilege	3016	msiexec.exe
Token: SeShutdownPrivilege	3016	msiexec.exe
Token: SeDebugPrivilege	3016	msiexec.exe
Token: SeAuditPrivilege	3016	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3016	msiexec.exe
Token: SeChangeNotifyPrivilege	3016	msiexec.exe
Token: SeRemoteShutdownPrivilege	3016	msiexec.exe
Token: SeUndockPrivilege	3016	msiexec.exe
Token: SeSyncAgentPrivilege	3016	msiexec.exe
Token: SeEnableDelegationPrivilege	3016	msiexec.exe
Token: SeManageVolumePrivilege	3016	msiexec.exe
Token: SeImpersonatePrivilege	3016	msiexec.exe
Token: SeCreateGlobalPrivilege	3016	msiexec.exe
Token: SeCreateTokenPrivilege	3016	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3016	msiexec.exe
Token: SeLockMemoryPrivilege	3016	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3016	msiexec.exe
Token: SeMachineAccountPrivilege	3016	msiexec.exe
Token: SeTcbPrivilege	3016	msiexec.exe
Token: SeSecurityPrivilege	3016	msiexec.exe
Token: SeTakeOwnershipPrivilege	3016	msiexec.exe
Token: SeLoadDriverPrivilege	3016	msiexec.exe
Token: SeSystemProfilePrivilege	3016	msiexec.exe
Token: SeSystemtimePrivilege	3016	msiexec.exe
Token: SeProfSingleProcessPrivilege	3016	msiexec.exe
Token: SeIncBasePriorityPrivilege	3016	msiexec.exe
Token: SeCreatePagefilePrivilege	3016	msiexec.exe
Token: SeCreatePermanentPrivilege	3016	msiexec.exe
Token: SeBackupPrivilege	3016	msiexec.exe
Token: SeRestorePrivilege	3016	msiexec.exe
Token: SeShutdownPrivilege	3016	msiexec.exe
Token: SeDebugPrivilege	3016	msiexec.exe
Token: SeAuditPrivilege	3016	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3016	msiexec.exe
Token: SeChangeNotifyPrivilege	3016	msiexec.exe
Token: SeRemoteShutdownPrivilege	3016	msiexec.exe
Token: SeUndockPrivilege	3016	msiexec.exe
Token: SeSyncAgentPrivilege	3016	msiexec.exe
Token: SeEnableDelegationPrivilege	3016	msiexec.exe
Token: SeManageVolumePrivilege	3016	msiexec.exe
Token: SeImpersonatePrivilege	3016	msiexec.exe
Token: SeCreateGlobalPrivilege	3016	msiexec.exe
Token: SeCreateTokenPrivilege	3016	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3016	msiexec.exe
Token: SeLockMemoryPrivilege	3016	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

3016 msiexec.exe

pid	process
3016	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5b6ac7506801860708ded99e9e853e90_NeikiAnalytics.exemsiexec.exe

description	pid	process	target process
PID 2488 wrote to memory of 3016	2488	5b6ac7506801860708ded99e9e853e90_NeikiAnalytics.exe	msiexec.exe
PID 2488 wrote to memory of 3016	2488	5b6ac7506801860708ded99e9e853e90_NeikiAnalytics.exe	msiexec.exe
PID 2488 wrote to memory of 3016	2488	5b6ac7506801860708ded99e9e853e90_NeikiAnalytics.exe	msiexec.exe
PID 852 wrote to memory of 3276	852	msiexec.exe	MsiExec.exe
PID 852 wrote to memory of 3276	852	msiexec.exe	MsiExec.exe
PID 852 wrote to memory of 3276	852	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\5b6ac7506801860708ded99e9e853e90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5b6ac7506801860708ded99e9e853e90_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3016

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 602BEB1551FA4543C5A66A4C631F95F9 C
2⤵
- Loads dropped DLL
PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI3FC8.tmp

Filesize
6KB

MD5
078f637d0fe4ed0375ce4ed3a067b814

SHA1
00e9f95a60145ccc04095601dd49b663e987c588

SHA256
5e7e010023cd0373fcb4fa0fb2d7ff328a53295f6b2fdb9ff805854e6410fbcc

SHA512
20b531d3dcbafe9d815633b6cc20cd53ca2b8854183ff72e2f7c1fbf3ac23a3cf70a3271e55b30156de341af785a1b2411c0d76aaf08e4e2c426b8e4a551ecc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.msi

Filesize
167KB

MD5
b400ceb855c02706a0aab7fe04d88874

SHA1
7d94b32c3872509ab48d323f1dc6970fbb4a6ced

SHA256
0d0cbe96167970f698586269325e8321f91a3d2d5f2afd149f34eebbed2a36ae

SHA512
736295deef177f9b67826cd76eaa7ddd1e0bf403d22cff2dddcda4a0968e4889057a1500a373759c27f06456072f66f8eb4fd1e76d3c26660b4ac320b440d054

Download Submit
memory/2488-0-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads