bc56d02cab262bc61ddf93b168d4d8570607d9ef55de663195459ddf3e779bfb

General

Target

35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe
Size

12KB
MD5

35a1e6edfbb594a21e5daede5c63e590
SHA1

6d1236953a53d76cf81bf7b82bae34de85d59c66
SHA256

bc56d02cab262bc61ddf93b168d4d8570607d9ef55de663195459ddf3e779bfb
SHA512

3d5b43b48f190d2876f674bf40e53975f5229e773f399b93c571021244bff5507b4e9acf269bf52748050e84510417a374da246445cc0a272d2ba7f7014c6a55
SSDEEP

384:zL7li/2zGq2DcEQvdQcJKLTp/NK9xaX4:XuMCQ9cX4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp4806.tmp.exe

pid process

4228 tmp4806.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp4806.tmp.exe

pid process

4228 tmp4806.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2936 35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe

pid	process
4228	tmp4806.tmp.exe

pid	process
4228	tmp4806.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2936	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2936 wrote to memory of 2092	2936	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe	vbc.exe
PID 2936 wrote to memory of 2092	2936	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe	vbc.exe
PID 2936 wrote to memory of 2092	2936	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe	vbc.exe
PID 2092 wrote to memory of 4684	2092	vbc.exe	cvtres.exe
PID 2092 wrote to memory of 4684	2092	vbc.exe	cvtres.exe
PID 2092 wrote to memory of 4684	2092	vbc.exe	cvtres.exe
PID 2936 wrote to memory of 4228	2936	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe	tmp4806.tmp.exe
PID 2936 wrote to memory of 4228	2936	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe	tmp4806.tmp.exe
PID 2936 wrote to memory of 4228	2936	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe	tmp4806.tmp.exe

C:\Users\Admin\AppData\Local\Temp\35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1a1opadi\1a1opadi.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49DA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC254B4D87D52473BBB525FAD99407FAF.TMP"
3⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\tmp4806.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4806.tmp.exe" C:\Users\Admin\AppData\Local\Temp\35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:4228

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1a1opadi\1a1opadi.0.vb
Filesize
2KB

MD5
e3c53ca3ac4a61ad95ff66b91702917e

SHA1
39892300d4706f547cabd7258d77e756ac997fd5

SHA256
fdf4ce1687e21c07cf4e5e94b3af688f0dd1ef0d0012e667f91551161b2220e7

SHA512
5001da0810230d81f031eea4b6778ea97df1b8863559ccedbb4e8479b4c09126119341fc5c22cc1fae64c86fa7a76f3f8dbbb2e0f0376d6182bfc12720c4a074

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a1opadi\1a1opadi.cmdline
Filesize
273B

MD5
4718913747f9d2e4eab31d2dc6b8d46c

SHA1
0b4ce4dd76a42052a8d7d0b0e8a4a1c7aa4e1836

SHA256
acdb1ce5b9b1840af94cea38bb6c5d0e1d49c19f43e362ffdaf54aa30964dd6e

SHA512
bf07e333551bc445728f434ad5647f7b910dd0b4ce9537deb6baa8260d6bbfa5e5d142754bd98389efe766c623151bd1b1f57f1ec92ec800abbe112b6a0d68be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
b935bcc751fb3fe741505b454ebe87a5

SHA1
682581c9939163f37ee534a56e7180128a2cf812

SHA256
ece7af9fd44544cf5fc490072b579667af6136fcafb368896a155a50cf7390b9

SHA512
a41323cb2f11d94718229830d11cf82c2e38bea283a63486c98022d2a3255ea2f75d5c4719a5ee5c82515276ebc652bcf4bac6161135ad2342ce5c8e1a00a318

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES49DA.tmp
Filesize
1KB

MD5
a5cd26340883d62b2559bf267121eb9e

SHA1
cf5c11053db3169d797e30ed5f7e815c304aea46

SHA256
12c9eee0a8837e5394045c5d0c5ab45c2fae50013a20f4810ea32065dce985eb

SHA512
1d60d8d5256cf4d18bea227c9a4388c5f76d1fd42552ba6e73e802ff7c4ae7b1f88e498e7a3d67772cd992d016f71074c424e0dfc7601f449092413c273234f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4806.tmp.exe
Filesize
12KB

MD5
c515a3ae846227b3f5c17bb423bd1c0a

SHA1
f6c6eaed5c89a101306169371cf1a11ed99e715b

SHA256
22673a446fdd7543a305b52764656f414eaf5addcde772f14fc8332a0b4b569c

SHA512
47f35b35e3d682bd637ed286a821d9df8556346482e84683b0f8145b7953f85ecf3347ada12f670d684e9710a9e2d652243bd66147564877423b2c6c71399edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC254B4D87D52473BBB525FAD99407FAF.TMP
Filesize
1KB

MD5
e6a866a5e4fdca539fa6f386883b426b

SHA1
7ca4fe2fdcf2d839d2bf2248edd3f177462f3da7

SHA256
cd9b4effbfb5390e7003d87c3b6ace009c82de61b6d428aafb850d049ca7b416

SHA512
3656998e07f40d6a73226855c3ab64b7a2983ea0b65bf59bd5da0381bce9bb004b61805b380b76356734ecaaeb7f5bca7a8cfe3e4f8afa16432ec6c567b3efb7

Download Submit
memory/2936-8-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/2936-2-0x0000000005520000-0x00000000055BC000-memory.dmp

Filesize
624KB

Download
memory/2936-1-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2936-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/2936-24-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/4228-25-0x0000000000C00000-0x0000000000C0A000-memory.dmp

Filesize
40KB

Download
memory/4228-26-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/4228-27-0x0000000005B20000-0x00000000060C4000-memory.dmp

Filesize
5.6MB

Download
memory/4228-28-0x0000000005610000-0x00000000056A2000-memory.dmp

Filesize
584KB

Download
memory/4228-30-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing