197771b0c468783ef5eb8c6d0662a8294773d6d890869ce1dedabd298f674377

General

Target

05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
Size

12KB
MD5

05d5f3b522bedac3f1ce6543b32868f0
SHA1

f2e788b623b9a0ec0b83a5b1c92d5293fa85dc3f
SHA256

197771b0c468783ef5eb8c6d0662a8294773d6d890869ce1dedabd298f674377
SHA512

cbed6b69f30455677ab3dca7a2cdf28769c50bf0e03f3c7085163e8a502bcc381a63be6940264314872881c6943975376b878e66b88f938fcbd2b0cd4c2a1985
SSDEEP

384:qL7li/2z9q2DcEQvdhcJKLTp/NK9xaYp:0lM/Q9cYp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp4FD6.tmp.exe

pid process

2172 tmp4FD6.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp4FD6.tmp.exe

pid process

2172 tmp4FD6.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 4120 05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe

pid	process
2172	tmp4FD6.tmp.exe

pid	process
2172	tmp4FD6.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4120	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 4120 wrote to memory of 2264	4120	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe	vbc.exe
PID 4120 wrote to memory of 2264	4120	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe	vbc.exe
PID 4120 wrote to memory of 2264	4120	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe	vbc.exe
PID 2264 wrote to memory of 4296	2264	vbc.exe	cvtres.exe
PID 2264 wrote to memory of 4296	2264	vbc.exe	cvtres.exe
PID 2264 wrote to memory of 4296	2264	vbc.exe	cvtres.exe
PID 4120 wrote to memory of 2172	4120	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe	tmp4FD6.tmp.exe
PID 4120 wrote to memory of 2172	4120	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe	tmp4FD6.tmp.exe
PID 4120 wrote to memory of 2172	4120	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe	tmp4FD6.tmp.exe

C:\Users\Admin\AppData\Local\Temp\05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y41rzrp1\y41rzrp1.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5208.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc56699619D394C4D8F44C8B7C09E84D3.TMP"
3⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\tmp4FD6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4FD6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
812ac7253eab35e7d13e8592a6cf276c

SHA1
f7d1855835f63eb5dea72c9f4defa830c23c901b

SHA256
63bcdfb2dbefb59a5289a0569d2af97fe050b21e7080dab9402aa6a01f5a7add

SHA512
625590d513ce3150bfd486ec7753162f9e15f8ccc0683d5275978fd33ce7eff2589386c54cbd23324b830cde269ee2feb6d188951c6d06e1570384b6163dadce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5208.tmp

Filesize
1KB

MD5
d32c8e6d60ad4ea77cfa801df69fc76e

SHA1
797582b8887a8aa7753062f3ef969bc998b92469

SHA256
fbef14a5a34d90aa04416839812348bb175588d090a3648ab3d42c03fc59dd3d

SHA512
8c48c91eb4c2395cba39be048bd97a1cea08c232aa2aa8621316f13cc56679ec0a42e39743d9f68ef38c5554bec58f3107ff93609cf1432e93c3816c56c68962

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4FD6.tmp.exe

Filesize
12KB

MD5
5f8e404671b62a696981505c5a248e25

SHA1
aed7a740579e78bcbf3799bfb3724f29ec1a70f7

SHA256
4435b20f366680e68c90eaaf72d66401b92ad3475c37330a84fbb6c0ae3846af

SHA512
e5aa52c0799be1f39876705edf8f54297554fe382d63b1477fb44d803b611d419c9529d2f8f123256ebcc0e4472dd9261a440effc072018167abd3d9ed19ab85

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc56699619D394C4D8F44C8B7C09E84D3.TMP

Filesize
1KB

MD5
8dcbbecc3e6f6595d9febd0e0bc7b7a7

SHA1
6da6318e43983337358ef1dee7be5e8f2fdf4686

SHA256
bcad27e8aeee4f9e7dfda5a9d1c65150663f754b228d7e03335568250dd16e4a

SHA512
492904190570eefdac16b2d12c654f30c900276ac7f94334014240e0164ac6eb5ca3057d411b249a747a3c7a43a03c4cdfb94e29eecfa7581fe348b6e50bcc5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\y41rzrp1\y41rzrp1.0.vb

Filesize
2KB

MD5
edadbf063b1883b3957185c82a0cf36b

SHA1
cff7c54adb4ffd430b6679b055b0dc3e2097ddc1

SHA256
9f015626e39a70a173db871a26425f100749c6589638e8a4982c33a8676770aa

SHA512
ddf0ea1cc045b4d737db5c6bcda3a47b1421b16aa306e67c75174572a2c915513586e8584ed4204dc2826df50522551cef8739d5c29e4d2805607bab3b39db08

Download Submit
C:\Users\Admin\AppData\Local\Temp\y41rzrp1\y41rzrp1.cmdline

Filesize
273B

MD5
64867f4924f4d8844d24701256a57bf0

SHA1
0437939eb189aff1e62a1b4446fbc10db356aeff

SHA256
b11380e52640dcb3940ee16e39ce356b74e3057a1a549895c21597e8e902c2b7

SHA512
20bafe03ef45842528e643d5d0a5dbad583491e013a794d205626f7ad9909b227a93399f246b2f7cf484f741c4170ce2fb3308b3bf238dd1c5521e7124429d56

Download Submit
memory/2172-25-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download
memory/2172-26-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2172-27-0x00000000056B0000-0x0000000005C54000-memory.dmp

Filesize
5.6MB

Download
memory/2172-28-0x00000000051A0000-0x0000000005232000-memory.dmp

Filesize
584KB

Download
memory/2172-30-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4120-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/4120-8-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4120-2-0x0000000005310000-0x00000000053AC000-memory.dmp

Filesize
624KB

Download
memory/4120-1-0x00000000008D0000-0x00000000008DA000-memory.dmp

Filesize
40KB

Download
memory/4120-24-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing