8947b42a2b82096d6f610b6d8576fe6cb5ca788340cb4973339c77ea3ca51555

General

Target

206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe
Size

12KB
MD5

206a64a5e4ff4159260d03a7b74e6f20
SHA1

a562d4744cdda7b4904ecb084cce75f47eee4263
SHA256

8947b42a2b82096d6f610b6d8576fe6cb5ca788340cb4973339c77ea3ca51555
SHA512

b656cf424fb913c2142a610dee5e62948577e75dd1affda129774adbe5c6739ef2eefc712c7322948a79a5a8b6c6874adeb65fdca878c791567816b44b41014d
SSDEEP

384:vL7li/2zsq2DcEQvdhcJKLTp/NK9xaQ9:DYM/Q9cQ9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp4BB0.tmp.exe

pid process

4188 tmp4BB0.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp4BB0.tmp.exe

pid process

4188 tmp4BB0.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 4428 206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe

pid	process
4188	tmp4BB0.tmp.exe

pid	process
4188	tmp4BB0.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4428	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 4428 wrote to memory of 3532	4428	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe	vbc.exe
PID 4428 wrote to memory of 3532	4428	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe	vbc.exe
PID 4428 wrote to memory of 3532	4428	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe	vbc.exe
PID 3532 wrote to memory of 4960	3532	vbc.exe	cvtres.exe
PID 3532 wrote to memory of 4960	3532	vbc.exe	cvtres.exe
PID 3532 wrote to memory of 4960	3532	vbc.exe	cvtres.exe
PID 4428 wrote to memory of 4188	4428	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe	tmp4BB0.tmp.exe
PID 4428 wrote to memory of 4188	4428	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe	tmp4BB0.tmp.exe
PID 4428 wrote to memory of 4188	4428	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe	tmp4BB0.tmp.exe

C:\Users\Admin\AppData\Local\Temp\206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1afvrm1a\1afvrm1a.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D93.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAEE79BDFEE194FB38169F846E2A48B3.TMP"
    3⤵
    PID:4960
- C:\Users\Admin\AppData\Local\Temp\tmp4BB0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4BB0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1afvrm1a\1afvrm1a.0.vb

Filesize
2KB

MD5
189088dc382635c7cd1351b71a9e0bfb

SHA1
4f427a5b2231792562cbd4df45a5db6dac1f5c99

SHA256
af59014fe0e8ec7d6cdfdaa5fb8a9062fe341d01675f55abbbed0f0fcf68b4dc

SHA512
e57493f75a58cb00b2d63333cdfa67f8868c87dfc467d95104fafc57f0c1c890b59774d1922d13956e13ffeb1e150232440f1c67aae67d22cadc6a20d9bb6a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\1afvrm1a\1afvrm1a.cmdline

Filesize
273B

MD5
abe1a4c09efe072ef3308fa4ad28d04e

SHA1
fdf38d8b174c796b40dfa1f000019ee36e53f28b

SHA256
a940722a6b0655e4992673f088a2edf82f7ce02b8e6deddf7da1b9b03ff2e0c0

SHA512
03663b675d5c653948878760199a93a2387fe1c02d6d0df8d9b568731473e6eba16e8a0a089d4b792157aaebdf4b8d4474f244ed02a709218a05d9ba58131994

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
716b3a6cc4be83f3e9b93a29b8971174

SHA1
cb4746d9bb779cfbc51af03550ab90eb1a839855

SHA256
d062360320e286487f9419ab278adb4fdefa9bfafc4b74356d5c8a59a3d3b160

SHA512
3e88f318f48edbb6316e8639b3d0727e66e3e8630eb89d4e7f2edb22765e054b4df05568365fb4879f98fde8cb5370541ab411a4f8af58d8dbf8c299539d637f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D93.tmp

Filesize
1KB

MD5
d184792c598100f9f66c27ec8a573bc6

SHA1
d63604019627c5885c581b4c5ba6549248090a1a

SHA256
42ede87125c15e78030ccfa10096c97907524c0b9fc488696624cf1a8e443082

SHA512
b374f51899b43e4ad2ec46ff732b03a054f654ebba6f8a3b53829106b01750da7d5b08832ee86eabb1684b0832fe148ac5ca8f4662286ecf3a6c0000e49af316

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4BB0.tmp.exe

Filesize
12KB

MD5
252fe7b63aeb4c0578882adb1316e1b1

SHA1
682ff807441f48f36f65e3674b3f3d1a6d59bfd8

SHA256
4a73934a64de4c74bf138bc06d3fba29d94c5c8a6dfd1d621b53ba544db91282

SHA512
f9a6f43710c31835b9109d43badcf8c8bc3bbfb5aa93b0afff8f233cc3837f050809948d9f972f1fd74d700df99c46905c7035d3fcfb5de8a59f1eab5bf3d31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAEE79BDFEE194FB38169F846E2A48B3.TMP

Filesize
1KB

MD5
c2979eba3721a933e7bff3191db160b3

SHA1
8ee3cfd87c059bcbeb70d4fc8e212c44ed80d303

SHA256
4028c1ead946209f24caad37e225f801ecff15481869082b4dcfbd20a8e3e5e1

SHA512
ac9affd3eb9106de6647c89e174b633459d85a705657e25af78f1873b0a95786196410cee9f1877693702cc22813179b51434f1883c9602c72927733b23d26f4

Download Submit
memory/4188-24-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4188-25-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/4188-27-0x00000000057D0000-0x0000000005D74000-memory.dmp

Filesize
5.6MB

Download
memory/4188-28-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/4188-30-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4428-8-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4428-2-0x0000000005260000-0x00000000052FC000-memory.dmp

Filesize
624KB

Download
memory/4428-1-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/4428-0-0x000000007539E000-0x000000007539F000-memory.dmp

Filesize
4KB

Download
memory/4428-26-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing