Analysis
-
max time kernel
149s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
22-05-2024 20:27
Static task
static1
Behavioral task
behavioral1
Sample
05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
-
Size
12KB
-
MD5
05d5f3b522bedac3f1ce6543b32868f0
-
SHA1
f2e788b623b9a0ec0b83a5b1c92d5293fa85dc3f
-
SHA256
197771b0c468783ef5eb8c6d0662a8294773d6d890869ce1dedabd298f674377
-
SHA512
cbed6b69f30455677ab3dca7a2cdf28769c50bf0e03f3c7085163e8a502bcc381a63be6940264314872881c6943975376b878e66b88f938fcbd2b0cd4c2a1985
-
SSDEEP
384:qL7li/2z9q2DcEQvdhcJKLTp/NK9xaYp:0lM/Q9cYp
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
2172 | tmp4FD6.tmp.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2172 | tmp4FD6.tmp.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4120 | 05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 4120 wrote to memory of 2264 | 4120 | 05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe | vbc.exe
PID 4120 wrote to memory of 2264 | 4120 | 05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe | vbc.exe
PID 4120 wrote to memory of 2264 | 4120 | 05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe | vbc.exe
PID 2264 wrote to memory of 4296 | 2264 | vbc.exe | cvtres.exe
PID 2264 wrote to memory of 4296 | 2264 | vbc.exe | cvtres.exe
PID 2264 wrote to memory of 4296 | 2264 | vbc.exe | cvtres.exe
PID 4120 wrote to memory of 2172 | 4120 | 05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe | tmp4FD6.tmp.exe
PID 4120 wrote to memory of 2172 | 4120 | 05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe | tmp4FD6.tmp.exe
PID 4120 wrote to memory of 2172 | 4120 | 05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe | tmp4FD6.tmp.exe
Processes
-
image: C:\Users\Admin\AppData\Local\Temp\05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
command line: "C:\Users\Admin\AppData\Local\Temp\05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe"
depth: 1
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4120
-
  image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y41rzrp1\y41rzrp1.cmdline"
  depth: 2
  - Suspicious use of WriteProcessMemory
  PID:2264
  -
    image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5208.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc56699619D394C4D8F44C8B7C09E84D3.TMP"
    depth: 3
    PID:4296
  -
  image: C:\Users\Admin\AppData\Local\Temp\tmp4FD6.tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FD6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
  depth: 2
  - Deletes itself
  - Executes dropped EXE
  PID:2172
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5
812ac7253eab35e7d13e8592a6cf276c
SHA1
f7d1855835f63eb5dea72c9f4defa830c23c901b
SHA256
63bcdfb2dbefb59a5289a0569d2af97fe050b21e7080dab9402aa6a01f5a7add
SHA512
625590d513ce3150bfd486ec7753162f9e15f8ccc0683d5275978fd33ce7eff2589386c54cbd23324b830cde269ee2feb6d188951c6d06e1570384b6163dadce
-
Filesize
1KB
MD5
d32c8e6d60ad4ea77cfa801df69fc76e
SHA1
797582b8887a8aa7753062f3ef969bc998b92469
SHA256
fbef14a5a34d90aa04416839812348bb175588d090a3648ab3d42c03fc59dd3d
SHA512
8c48c91eb4c2395cba39be048bd97a1cea08c232aa2aa8621316f13cc56679ec0a42e39743d9f68ef38c5554bec58f3107ff93609cf1432e93c3816c56c68962
-
Filesize
12KB
MD5
5f8e404671b62a696981505c5a248e25
SHA1
aed7a740579e78bcbf3799bfb3724f29ec1a70f7
SHA256
4435b20f366680e68c90eaaf72d66401b92ad3475c37330a84fbb6c0ae3846af
SHA512
e5aa52c0799be1f39876705edf8f54297554fe382d63b1477fb44d803b611d419c9529d2f8f123256ebcc0e4472dd9261a440effc072018167abd3d9ed19ab85
-
Filesize
1KB
MD5
8dcbbecc3e6f6595d9febd0e0bc7b7a7
SHA1
6da6318e43983337358ef1dee7be5e8f2fdf4686
SHA256
bcad27e8aeee4f9e7dfda5a9d1c65150663f754b228d7e03335568250dd16e4a
SHA512
492904190570eefdac16b2d12c654f30c900276ac7f94334014240e0164ac6eb5ca3057d411b249a747a3c7a43a03c4cdfb94e29eecfa7581fe348b6e50bcc5f
-
Filesize
2KB
MD5
edadbf063b1883b3957185c82a0cf36b
SHA1
cff7c54adb4ffd430b6679b055b0dc3e2097ddc1
SHA256
9f015626e39a70a173db871a26425f100749c6589638e8a4982c33a8676770aa
SHA512
ddf0ea1cc045b4d737db5c6bcda3a47b1421b16aa306e67c75174572a2c915513586e8584ed4204dc2826df50522551cef8739d5c29e4d2805607bab3b39db08
-
Filesize
273B
MD5
64867f4924f4d8844d24701256a57bf0
SHA1
0437939eb189aff1e62a1b4446fbc10db356aeff
SHA256
b11380e52640dcb3940ee16e39ce356b74e3057a1a549895c21597e8e902c2b7
SHA512
20bafe03ef45842528e643d5d0a5dbad583491e013a794d205626f7ad9909b227a93399f246b2f7cf484f741c4170ce2fb3308b3bf238dd1c5521e7124429d56