ba4ff14179bb978398ee5369218e3523f0ebcdd3ab687a2373bb407a00de0616

General

Target

35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe
Size

12KB
MD5

35c9a14d09a92bd10310b933e49f4be0
SHA1

178588821c7f2966f0822db248f2d4bfa3a1d8ef
SHA256

ba4ff14179bb978398ee5369218e3523f0ebcdd3ab687a2373bb407a00de0616
SHA512

64342406baa8569364da799dffe695fc21d0e229144581a78a1785656a7a007e580821aeac26950c8c34ff7d837b0707bce677ce7a51c82a2dcd74916a6fbc18
SSDEEP

384:pL7li/2zZq2DcEQvdQcJKLTp/NK9xaZH:ZpMCQ9cZH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp4A58.tmp.exe

pid process

840 tmp4A58.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp4A58.tmp.exe

pid process

840 tmp4A58.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1576 35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe

pid	process
840	tmp4A58.tmp.exe

pid	process
840	tmp4A58.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1576	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 1576 wrote to memory of 1200	1576	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe	vbc.exe
PID 1576 wrote to memory of 1200	1576	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe	vbc.exe
PID 1576 wrote to memory of 1200	1576	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe	vbc.exe
PID 1200 wrote to memory of 3240	1200	vbc.exe	cvtres.exe
PID 1200 wrote to memory of 3240	1200	vbc.exe	cvtres.exe
PID 1200 wrote to memory of 3240	1200	vbc.exe	cvtres.exe
PID 1576 wrote to memory of 840	1576	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe	tmp4A58.tmp.exe
PID 1576 wrote to memory of 840	1576	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe	tmp4A58.tmp.exe
PID 1576 wrote to memory of 840	1576	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe	tmp4A58.tmp.exe

C:\Users\Admin\AppData\Local\Temp\35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zt3a1vnt\zt3a1vnt.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF4A90D45148413EB2AFECC94B42E741.TMP"
3⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\tmp4A58.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4A58.tmp.exe" C:\Users\Admin\AppData\Local\Temp\35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
22715223239656fbead9a7c884d8ebb3

SHA1
61a9b70b2a81596b220366f2596c3299f6e4c358

SHA256
9b55c2dfcd12fc05c7c856f2443abd074fc0b3f39995b4420eab842ff76323a4

SHA512
b841503806c7441d493b023ab211f468a111f50ff30603e21398a61f7d690973d5918f882f0e6ee2370ba4969ce3d093f6c442b1ce51b3f22ef8117db6a1c483

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4BED.tmp

Filesize
1KB

MD5
a84725387d4a71f2d02511176de92d01

SHA1
20c0e198a9f0dbbbf0586cd068250cad939aa70a

SHA256
5ea8f6440743e523b53155f008813c56b479f7ffe9bb728843b9c1b11dbaae42

SHA512
1399052ee63daec61c09a7f6744859010b686018c104f92313ff698d6393dc43bc7b3542069827cc18faa898a9a55135cbe48817581c78dd43a3c15aad5531cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4A58.tmp.exe

Filesize
12KB

MD5
27291d8bc24a504afdd25ab1572ce9f8

SHA1
9211c6eacd05f48bd080363ab1841841673ff53d

SHA256
bceef589084f162e3a3832b27e0288455fdec9ad7f4a048b4b6254e3681ac16a

SHA512
fc5551c3ac613d6ecb817063b16888d5ada1b52fcd93a85bfdf345f5b54aefbd3ca0d3e6b56124af81b310503c5c38431ee1cb2e806c20eccbde646ce3859526

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDF4A90D45148413EB2AFECC94B42E741.TMP

Filesize
1KB

MD5
c5963004864b570a099de7645c130c60

SHA1
7580568c1d59198f2f620e1fa08c177b314c8431

SHA256
0b2345d98d4d41e1427413c967a4a13b5aef796eb1d482f6651e140b2aa4794b

SHA512
d65e8bca51fcdfec7748a9ed1b182ac3cc20db55b7cba20ae73975e71a0ef535201f21c8cde3d9185b6b5c2872eb0fccbf950263e86dd60e1bec32528245f64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zt3a1vnt\zt3a1vnt.0.vb

Filesize
2KB

MD5
7208596604973da8bc8f01e559d4d0a0

SHA1
b551552ba59126da90086a3c567f9b92b1f0b421

SHA256
48037729315ff80410bcd0288eb3ce0337cfc6c4574441b24b9ba3119a184e90

SHA512
0c4346bac0fc5375c1fe46b74697da1200dfb53be455eda092a313d2bf27a305fb15895a43fbee3be787d8ef1dcd1fc79e82b3e921892e045d44c9b6ba694e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\zt3a1vnt\zt3a1vnt.cmdline

Filesize
273B

MD5
b92ec4e043b88e74a2730f06ac029ee7

SHA1
429fa0638e375385f6ef4600060227970f0a2b6e

SHA256
3dbf472535af449cd163f4085e4913ad3cd84ea6aee18dbdf0ee187ec0d28dbe

SHA512
9565e431bdceb25f46b8373acb7151a306f3793f5684faa54e1f4e2fe9f97e2cdfa91a0e86efcd969e8224091b6d6e112f03d126c48a10f5630a4bfc69d17a07

Download Submit
memory/840-24-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/840-25-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/840-27-0x00000000052C0000-0x0000000005864000-memory.dmp

Filesize
5.6MB

Download
memory/840-28-0x0000000004DB0000-0x0000000004E42000-memory.dmp

Filesize
584KB

Download
memory/840-30-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1576-0-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/1576-8-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1576-2-0x0000000005530000-0x00000000055CC000-memory.dmp

Filesize
624KB

Download
memory/1576-1-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download
memory/1576-26-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing