28eb656bfceda52d98ae02b4ef0e41f76204b4190f09ebf337e5d24cf392c1f5

General

Target

662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe
Size

12KB
MD5

662ab5937404a31318e2846afe557cc0
SHA1

f7073403235d3689c728ec4746755ac968b434f7
SHA256

28eb656bfceda52d98ae02b4ef0e41f76204b4190f09ebf337e5d24cf392c1f5
SHA512

06f026b1762f466f121123454a736e964ae84569208ebc9c68e325a4d64ce7842808c8b84ca0622d888a5d66a9ecc4546a7f69fb929440338cc394fbcd50d3a2
SSDEEP

384:nL7li/2zwq2DcEQvdQcJKLTp/NK9xaly:LUMCQ9cly

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp6080.tmp.exe

pid process

4752 tmp6080.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp6080.tmp.exe

pid process

4752 tmp6080.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2604 662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe

pid	process
4752	tmp6080.tmp.exe

pid	process
4752	tmp6080.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2604	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2604 wrote to memory of 2552	2604	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe	vbc.exe
PID 2604 wrote to memory of 2552	2604	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe	vbc.exe
PID 2604 wrote to memory of 2552	2604	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe	vbc.exe
PID 2552 wrote to memory of 4828	2552	vbc.exe	cvtres.exe
PID 2552 wrote to memory of 4828	2552	vbc.exe	cvtres.exe
PID 2552 wrote to memory of 4828	2552	vbc.exe	cvtres.exe
PID 2604 wrote to memory of 4752	2604	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe	tmp6080.tmp.exe
PID 2604 wrote to memory of 4752	2604	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe	tmp6080.tmp.exe
PID 2604 wrote to memory of 4752	2604	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe	tmp6080.tmp.exe

C:\Users\Admin\AppData\Local\Temp\662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\swsigegs\swsigegs.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62B1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16DE190E866E4174A0AF1168E771DA80.TMP"
3⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\tmp6080.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6080.tmp.exe" C:\Users\Admin\AppData\Local\Temp\662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:4752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
181c2da9764b9be13d1adc181d86e360

SHA1
68e3a0fb138a38cc61c07115b08d4e20797a4640

SHA256
728e26ca1c87c88bd5b561ba099c655a01be2625ed43516a0003d2bde08a1e90

SHA512
e5b7f162a0bc088ac85712a429a8920e74952b2b5386cb4391c4162e4dc33c3f2e9c347340d8f1262fb45ac4958db78fe49a3576b302c283549976fe068ab71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES62B1.tmp
Filesize
1KB

MD5
a0576afab83799477dec9b6388eb13c9

SHA1
0b930e2bc576b1df008d16383baee3dca76c03a2

SHA256
fc21e65a185268fa49cfd87e1c5dfa616eea80e62cb16093748301a0cd3ea71b

SHA512
6912da78fedd4cdbb774eed46e079ebfac473c6bef624a6f3fad9300f8d1fbdec6c6dab98edbf3f88d178d07b575685273107e0f8d12ebd3c3adbefa8a975a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\swsigegs\swsigegs.0.vb
Filesize
2KB

MD5
2d3e8141f3935bdc14737681c98c4d30

SHA1
65e5641fbb5ddeea8401396c32a9764c5d915f71

SHA256
f041c30bc2e70c834c52cbf4ec67f4308738864012d5dc01491d8395e8c158b0

SHA512
aff1d582cc7579ec08c8538d98095a07531d4197eb0fd58243195df5256ece01c4b560f07d5c8363ce45b4a19debc6974034b17fdaf5528e553bf7940a076e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\swsigegs\swsigegs.cmdline
Filesize
273B

MD5
879e1c2825a0f82e1967e9d9e12f8baf

SHA1
fb350d3ff9676f1f2dc30767e64c63b67ab4b9a5

SHA256
7440fd415fd87517a9c641e050b6e1ffd0c509423bc55bb65384f95b36656e7d

SHA512
5e5e0bfab4df08f353c3c090899192afaa2e47f1be2f344a68a3649cf64b1b56f4c8409f36f727fd0a60fc4bfa6c4e9a9e81f0c1a10b7930ab914732d4a77dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6080.tmp.exe
Filesize
12KB

MD5
e48b804979da29f4e7815775967b16c2

SHA1
b2440385743067b581967484268ca185cf0b7894

SHA256
ec7040b5666073dbfb916a12ae675a2bf8a1ef336ca2d69a04dfa9d17592a21a

SHA512
373b1ed342794a4435eb92e1d30f38528915ecf9976b927866930f37b49a703a68c235dc80cf4c62e9ef3b007a5561976c8f967405af6997c75ad4cb58b71876

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc16DE190E866E4174A0AF1168E771DA80.TMP
Filesize
1KB

MD5
44b51b774730bbf8fe724b09305ae781

SHA1
ff9bf67090130235ff29cffc02aad2c54d8f57b3

SHA256
b69d32121610faacf3cb72a13e4c3a1d4a51ef65a75adc35bc4c8a8466636cc3

SHA512
fd5f458432e31d2cb1d1f8911cba9768638f742a8ff7c2463a216b59d5a5ad071997a6023bb8fc31338f90d93b4e54c0644b829f905102a9cdc3cc8635f05fce

Download Submit
memory/2604-8-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/2604-2-0x0000000004CF0000-0x0000000004D8C000-memory.dmp

Filesize
624KB

Download
memory/2604-0-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/2604-1-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/2604-24-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/4752-26-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/4752-25-0x00000000009E0000-0x00000000009EA000-memory.dmp

Filesize
40KB

Download
memory/4752-27-0x0000000005910000-0x0000000005EB4000-memory.dmp

Filesize
5.6MB

Download
memory/4752-28-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/4752-30-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing