42b841392f7517a0a0ade88f3252a6b210f89c12a64789bea4beac6ea10c48bc

General

Target

132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe
Size

12KB
MD5

132e5db6d0fc8a805c901a29d4a237f0
SHA1

1b152941db92bdf154d830d0202711f421a2f519
SHA256

42b841392f7517a0a0ade88f3252a6b210f89c12a64789bea4beac6ea10c48bc
SHA512

04bf7bac50ee74ee104208e58388cf421d26868a6adbd2e97716cf8da1827cf25ec7a365b0c1dd62451e5858e158d4502c4e519d59025e40a4059b25815f1f91
SSDEEP

384:jL7li/2zpq2DcEQvdhcJKLTp/NK9xalA:nxM/Q9clA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp344F.tmp.exe

pid process

2292 tmp344F.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp344F.tmp.exe

pid process

2292 tmp344F.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1796 132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe

pid	process
2292	tmp344F.tmp.exe

pid	process
2292	tmp344F.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1796	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 1796 wrote to memory of 1604	1796	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe	vbc.exe
PID 1796 wrote to memory of 1604	1796	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe	vbc.exe
PID 1796 wrote to memory of 1604	1796	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe	vbc.exe
PID 1604 wrote to memory of 3896	1604	vbc.exe	cvtres.exe
PID 1604 wrote to memory of 3896	1604	vbc.exe	cvtres.exe
PID 1604 wrote to memory of 3896	1604	vbc.exe	cvtres.exe
PID 1796 wrote to memory of 2292	1796	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe	tmp344F.tmp.exe
PID 1796 wrote to memory of 2292	1796	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe	tmp344F.tmp.exe
PID 1796 wrote to memory of 2292	1796	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe	tmp344F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z0apzxr0\z0apzxr0.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3597.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB7249ECE654349CDB5DF91F1B811A4AA.TMP"
3⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\tmp344F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp344F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
7b1818a32322e32a1966cf212aac3b43

SHA1
ff0e3fe9cbc3b6aa63e4f71eb832a12c17b129f0

SHA256
0ac3fec603a25e4209fe3bc6e7655648bcf07808272bca5a963b46c73a0584ea

SHA512
d8e5054429a34117694c4ab7e8e113cf5f4b15345425ab8962906a4366292b074ebf91e0fb3ce72e33c85ca925a49a8752ed4b3dca4820cef616b959e7480d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3597.tmp

Filesize
1KB

MD5
e494fd53472420480c5c3ea773a4c0fa

SHA1
0c1727b0664b1674f1b92fce211b08d8c1576196

SHA256
155e4c8e8b0e4fdad4cbb1d939185702e0d293293b63dc8b5959e439d60dde24

SHA512
015a3926ff1b9308b06e897babffb8cfc09870acdfb24b43daeb028fa4dc72187e174c0d51939d10db7fa6eb0c29b075ec27c5996b162175497b02b88f9ed4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp344F.tmp.exe

Filesize
12KB

MD5
8f5ffce375f0522f9f67095aed7d59d3

SHA1
e729e06d6dd68fa00f4d7cb25512c25140d9eeca

SHA256
a58db92bfc101c6f7b65b1bafc8808186f306f22faa4cc41ce50c6e7e8a2dc47

SHA512
e82a360fca9efbf382b6fc0caee626d8f1371d63b72d3aa47e6bfbf028708a26a75a73a6bc7312dc4bd4119a6955cc263aa38b2710da3587fda5ed501a12b5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB7249ECE654349CDB5DF91F1B811A4AA.TMP

Filesize
1KB

MD5
211894d9a96a52a176cb3e56765baede

SHA1
4bbb72ff16d309d95779f9977bd991ec01b3e64b

SHA256
dddad7646c72ce8cfe909c17fd308da00cbcd13d465a3f03f7657ed5d9f8bf87

SHA512
8b111d73990d0913b8766cfa35ada0915d10221be5c575784e4bc2529c57fbdae102cc74f7bb0045474beb0de0435c04d0ca591096ddcf7fd4c46c9f4d311079

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0apzxr0\z0apzxr0.0.vb

Filesize
2KB

MD5
708632f6b9d50ae1d5d5e22dc4f79199

SHA1
394ba060b29863d126e2487515ce20ec94ea7ae8

SHA256
0b17fbe427d92bc06c88035f7e0b9eec28579fa96d83dfec74acd326cb94f1d8

SHA512
aa7fbd0ebc646ed39ad093b741869ddf4bf0569f905c9caaea1e20b7e3cd4838a3db91396ebd06a2f4c32006c258ebcb9782b18b2befd5c0ea171a6d9f26f064

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0apzxr0\z0apzxr0.cmdline

Filesize
273B

MD5
037d2b78507955b0e6161b0643ee8d47

SHA1
2716b878b122cb6a36b4bff8e44f2d2cfda5ce5d

SHA256
77c3d4dd1aa7fc7529ce3aecd6f471d04fc0808da41de52c61e5957b450954a6

SHA512
6c60df47df82a88b1f0c1751a0e17dac9bb94cd94addc5b0606c8da28be4d91a8f36cc1951ec9c60c5e687ece4b5425ec2965e90b690afb9d19bc4a62b42e66b

Download Submit
memory/1796-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/1796-8-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/1796-2-0x0000000004FD0000-0x000000000506C000-memory.dmp

Filesize
624KB

Download
memory/1796-1-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/1796-24-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2292-25-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2292-26-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download
memory/2292-27-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/2292-28-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/2292-30-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing