8a48a7111f63b5e96b09ba8f1b7e27b0ad7f3acd157b1a3bb9984c6d6c0c4500

General

Target

140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe
Size

12KB
MD5

140bb9e967f15182f0b6b4446615e790
SHA1

75f56daceed685ede96cd7eeb5d9409dff9db37e
SHA256

8a48a7111f63b5e96b09ba8f1b7e27b0ad7f3acd157b1a3bb9984c6d6c0c4500
SHA512

7a8b9e597086059efa5038a7f28d6d665d080602559da78775376a0849c72daa3a2c3cda5a6b1bfc4dd14bb198d2e4ec2012f167a3f11a37e9d937928d4c20ea
SSDEEP

384:BL7li/2zBq2DcEQvdhcJKLTp/NK9xayI:hhM/Q9cyI

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp4CAA.tmp.exe

pid process

1960 tmp4CAA.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp4CAA.tmp.exe

pid process

1960 tmp4CAA.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1132 140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe

pid	process
1960	tmp4CAA.tmp.exe

pid	process
1960	tmp4CAA.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1132	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 1132 wrote to memory of 2736	1132	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe	vbc.exe
PID 1132 wrote to memory of 2736	1132	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe	vbc.exe
PID 1132 wrote to memory of 2736	1132	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe	vbc.exe
PID 2736 wrote to memory of 3064	2736	vbc.exe	cvtres.exe
PID 2736 wrote to memory of 3064	2736	vbc.exe	cvtres.exe
PID 2736 wrote to memory of 3064	2736	vbc.exe	cvtres.exe
PID 1132 wrote to memory of 1960	1132	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe	tmp4CAA.tmp.exe
PID 1132 wrote to memory of 1960	1132	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe	tmp4CAA.tmp.exe
PID 1132 wrote to memory of 1960	1132	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe	tmp4CAA.tmp.exe

C:\Users\Admin\AppData\Local\Temp\140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ucty5p1a\ucty5p1a.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DA3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6CEAA458E96A47CD9FA85BBBAC61D387.TMP"
3⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\tmp4CAA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4CAA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
716b3a6cc4be83f3e9b93a29b8971174

SHA1
cb4746d9bb779cfbc51af03550ab90eb1a839855

SHA256
d062360320e286487f9419ab278adb4fdefa9bfafc4b74356d5c8a59a3d3b160

SHA512
3e88f318f48edbb6316e8639b3d0727e66e3e8630eb89d4e7f2edb22765e054b4df05568365fb4879f98fde8cb5370541ab411a4f8af58d8dbf8c299539d637f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4DA3.tmp

Filesize
1KB

MD5
d973561e4a8fd85d44b0853f54a5f012

SHA1
2bd3805d77fac3e65c6faf9bf59e39c32e1fb561

SHA256
1d90e428c4e045ff14de3172e4ac0e5d8bdb7c6a53c5b0203b0bc058771794e6

SHA512
a96e359d3cfe0ddffe5f87f81f0aa041126bb0d5585151b96e54c77063b211189f67ed0d17904fdf05b586f08fe7c83035503de7154d898024ec12c1ea0788db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4CAA.tmp.exe

Filesize
12KB

MD5
48ca4481e4c8c630ccfe98f239eb942c

SHA1
c05ff14f409b583e7edfda3af4740d43a388ea4f

SHA256
5726fdf10c16ab8db5d27db691efa5ed749393cc678918cef37a336f942f0bed

SHA512
a1110bafb1f4b7a50b79f84d2c5eb1911c00298dea94c28b1f185e26a9b120159253000a05ad850dae3b484626f0328cb07dfd38e60395916490b6dbf3428467

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucty5p1a\ucty5p1a.0.vb

Filesize
2KB

MD5
189088dc382635c7cd1351b71a9e0bfb

SHA1
4f427a5b2231792562cbd4df45a5db6dac1f5c99

SHA256
af59014fe0e8ec7d6cdfdaa5fb8a9062fe341d01675f55abbbed0f0fcf68b4dc

SHA512
e57493f75a58cb00b2d63333cdfa67f8868c87dfc467d95104fafc57f0c1c890b59774d1922d13956e13ffeb1e150232440f1c67aae67d22cadc6a20d9bb6a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucty5p1a\ucty5p1a.cmdline

Filesize
273B

MD5
e7ebb4cbf8db4afdc1c161ff053038a9

SHA1
71d95f238538cc4f30812d0fb57b38105717d1d6

SHA256
72a6fc5125f23ece14d95ba55f9aa81a880b35c2a8659c455e0920cfc35f1f9d

SHA512
3e7261c19b6b0e5d643a71d70c24bae1d5f20b70b0dca5d3168538b3d2d456c5543f80611d0eafc35026ef06c5945d5a211dc5b288f72dca7b1340722f36e16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6CEAA458E96A47CD9FA85BBBAC61D387.TMP

Filesize
1KB

MD5
4c7c06b1ab2407b9084836c660b1d5d3

SHA1
331c3467673023ad8f0e4633550338c3ba0e063b

SHA256
ad54dd668bfd9e09f6d0db90edc494eb560853bd10f703b5406f7fff52484cb5

SHA512
1fbb157a0d10e219498ed96873c7a644f23b1766d5c79933d30987fdf1872f5f79c2e5a093c78ff7e0e0da21539fc502eacb0f36382cae8fc485efa498270f90

Download Submit
memory/1132-0-0x00000000751EE000-0x00000000751EF000-memory.dmp

Filesize
4KB

Download
memory/1132-8-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/1132-2-0x0000000005240000-0x00000000052DC000-memory.dmp

Filesize
624KB

Download
memory/1132-1-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/1132-24-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/1960-25-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download
memory/1960-26-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/1960-27-0x0000000005610000-0x0000000005BB4000-memory.dmp

Filesize
5.6MB

Download
memory/1960-28-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/1960-30-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing