4c9ee97549c688f88cb2cbbbcc0d9e9c5a637e36c9cdea1fa66403f92f78cc27

General

Target

5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe
Size

12KB
MD5

5dd1818c9d8aba19127024e1618337b0
SHA1

b2649530ffc6f7e08f14b36af2341e13184744ed
SHA256

4c9ee97549c688f88cb2cbbbcc0d9e9c5a637e36c9cdea1fa66403f92f78cc27
SHA512

37927eab99b6f1fa5d1ede6bdd99764a060129a4a45e465645a8e0ae6bbcf340f7c669f5a45b076324d2a2eab526868cb1a3ecb049f92bc18f9191e195ebb1d4
SSDEEP

384:JL7li/2zpq2DcEQvdQcJKLTp/NK9xa5V:5ZMCQ9c5V

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp7F14.tmp.exe

pid process

2084 tmp7F14.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp7F14.tmp.exe

pid process

2084 tmp7F14.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 3152 5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe

pid	process
2084	tmp7F14.tmp.exe

pid	process
2084	tmp7F14.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3152	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 3152 wrote to memory of 2888	3152	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe	vbc.exe
PID 3152 wrote to memory of 2888	3152	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe	vbc.exe
PID 3152 wrote to memory of 2888	3152	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe	vbc.exe
PID 2888 wrote to memory of 384	2888	vbc.exe	cvtres.exe
PID 2888 wrote to memory of 384	2888	vbc.exe	cvtres.exe
PID 2888 wrote to memory of 384	2888	vbc.exe	cvtres.exe
PID 3152 wrote to memory of 2084	3152	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe	tmp7F14.tmp.exe
PID 3152 wrote to memory of 2084	3152	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe	tmp7F14.tmp.exe
PID 3152 wrote to memory of 2084	3152	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe	tmp7F14.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jslm41m5\jslm41m5.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES804C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc27D14FF5B9E64D20BCD71894E6CB7E72.TMP"
3⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\tmp7F14.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7F14.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
e6bc049747fb66deea8e8fab2b305d2b

SHA1
81fc43bea311521a2216925d54b94ab04919fb73

SHA256
1b290eb81983bec3d6dabaf55262f6d0b400d44a3ce0de449f9a3255bf3598ba

SHA512
08f0e342ca6a3a24d31eadf540e4a5742a0381079f26b20a7e8322079200cdca049648c4328623d07f5142ce780606a544119cd915453f0cd4befd8c3a5e2fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES804C.tmp

Filesize
1KB

MD5
b569ec69c8aea3018b4dcb5a003f589a

SHA1
f6d69f0dac2b4fb532895fd256b74739ca396f6d

SHA256
7122988d78ccf53fb5430d6227d07bd8344cf420379171721028fd6d39944a26

SHA512
753a28a3e8fc4c0935744a73d802c70ad3cdf505052fe99fb87cbe9bc4bdbd1e5fb4cc002f926c2316db444c3d7cb10415a3df9c6ff26cea0598efe257ff2834

Download Submit
C:\Users\Admin\AppData\Local\Temp\jslm41m5\jslm41m5.0.vb

Filesize
2KB

MD5
c8177c4d3995ad239c1c0e018f57733f

SHA1
2d14b2deef7afaa84c65b6540db99d1cd9a4503d

SHA256
06e9696821401b208f02b9746d8ee8da10f072674a59b520dfdcb9ff555d8ba0

SHA512
8a1c4d41a0f722b06ab35c121f07c329feb83a41c04a26ca5703ce662d57eb09fd24cd38466c3dea9d3eeadd40fa51d34ec85b35a63fb789af4724eefc3e9543

Download Submit
C:\Users\Admin\AppData\Local\Temp\jslm41m5\jslm41m5.cmdline

Filesize
273B

MD5
30cb075bc2390c59c1e9525bf92597d9

SHA1
d8189f6e0933cb7e9453e2fb0eda9089810999ee

SHA256
6b8b5bb60c1cb245fcf9aa6adad34cfb98fe6551989c4807b6a7e2cf57342e53

SHA512
e03c6f11dad79c8331f4b1e3921f20e0038cb9c7e638101e05d5f03b815ed80236fb2af0041698d43b88de0a11dcdb2aeb8c6eaa3bdef4715aed3f8e51e36a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F14.tmp.exe

Filesize
12KB

MD5
6af8f477abe16a85a20084c5305c7844

SHA1
3e1e128e9bd9cbb3bb0acd4fc25fe64909a8fc9c

SHA256
c14e1a404cc679a5eb89663c913ee3729c77256ec39fe28ba03392ea04caae77

SHA512
b2f319336c1e861348b9dc2ff2bf34caa8eb09e042173c31ca41233fbce13290872a6b4511c410bdc7e156960a77367f99988532ee653d6b98ca43f563de2312

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc27D14FF5B9E64D20BCD71894E6CB7E72.TMP

Filesize
1KB

MD5
dda1df7a5b9b3e74cc41817257b927b4

SHA1
1706443255f2fe201e5407964326ef0e7ac6f5cd

SHA256
b9bd517647649c76b2fe2e32ecd695c113abc5d3764771877ca41ff5c94da234

SHA512
0b29caa4db8f39556a4392567dcb9d0c5ae9afa833a801ef74d67dbb0e7e27a7fdef3f4aa407307207e84d6df6f52dbcf73e6108f5b9b091cd8179c903cdf353

Download Submit
memory/2084-25-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/2084-26-0x0000000000050000-0x000000000005A000-memory.dmp

Filesize
40KB

Download
memory/2084-27-0x0000000004F50000-0x00000000054F4000-memory.dmp

Filesize
5.6MB

Download
memory/2084-28-0x0000000004A40000-0x0000000004AD2000-memory.dmp

Filesize
584KB

Download
memory/2084-30-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/3152-0-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

Filesize
4KB

Download
memory/3152-8-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/3152-2-0x0000000005030000-0x00000000050CC000-memory.dmp

Filesize
624KB

Download
memory/3152-1-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/3152-24-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing