12cb2d23ee54c7bd2395832746c30c61c67de21b168a1e44e1d70552503d0bd9

General

Target

61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe
Size

12KB
MD5

61b2172d7c2013c5f6d268a1bac4b6c0
SHA1

33bd967012981a068865e822db79f3af27647d35
SHA256

12cb2d23ee54c7bd2395832746c30c61c67de21b168a1e44e1d70552503d0bd9
SHA512

dbf4bde991084736fbfe5a533a3e1501238f824b894202853079398203b9f47f4c8cb5dbba97e6555ce25f23d480ce2ae6448bd21e46eb21f97a396d778e5b2a
SSDEEP

384:HL7li/2zYq2DcEQvdhcJKLTp/NK9xaHx:rsM/Q9cHx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp6B7C.tmp.exe

pid process

1924 tmp6B7C.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp6B7C.tmp.exe

pid process

1924 tmp6B7C.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1380 61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe

pid	process
1924	tmp6B7C.tmp.exe

pid	process
1924	tmp6B7C.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1380	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 1380 wrote to memory of 2656	1380	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe	vbc.exe
PID 1380 wrote to memory of 2656	1380	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe	vbc.exe
PID 1380 wrote to memory of 2656	1380	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe	vbc.exe
PID 2656 wrote to memory of 3884	2656	vbc.exe	cvtres.exe
PID 2656 wrote to memory of 3884	2656	vbc.exe	cvtres.exe
PID 2656 wrote to memory of 3884	2656	vbc.exe	cvtres.exe
PID 1380 wrote to memory of 1924	1380	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe	tmp6B7C.tmp.exe
PID 1380 wrote to memory of 1924	1380	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe	tmp6B7C.tmp.exe
PID 1380 wrote to memory of 1924	1380	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe	tmp6B7C.tmp.exe

C:\Users\Admin\AppData\Local\Temp\61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h4fmoew0\h4fmoew0.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E1B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc28ECC1011E3408C8BDC36135E91E47.TMP"
3⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\tmp6B7C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6B7C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:1924

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
83856de222b1d63a7d4433079231f2c8

SHA1
253025f7dd4decca613b4c068d052a6a30a45572

SHA256
9b24f9030f69b50602b80630ac3aed7dc7aaa39c5acd31cc294570e5ab62217e

SHA512
f5802894b274451750cbc1613a6ce5ddc75b6e178039b1d93e7ea5869ce3b442076d84acd91d50870939a6600b73da4e0d1c44b8567e3a16b4794cd5aa18c618

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6E1B.tmp
Filesize
1KB

MD5
ae920380e7e742724ec473a7579773e4

SHA1
4642e3062986706fa57ac9bea95abf2db296ca8d

SHA256
781d0280d4df582459b8ff0d8fe677acbfff6d1c6aba6af002682c59537c8a81

SHA512
448f45c91d07e61a95611dfa371b659624cf3abbf847e7bb6be38e4c3ec4624e480e08d1883c99bbec3c00d1e269d3b8667d48e4f9d0f6432b946420fb71577c

Download Submit
C:\Users\Admin\AppData\Local\Temp\h4fmoew0\h4fmoew0.0.vb
Filesize
2KB

MD5
ddae272cd6c9db8960f6e3f1d50041a3

SHA1
e021f9ddad4d6807413190e8cc579624c2606b9c

SHA256
fdb1920a75bc06ba08dd2faa616ff3f320d24c5901590c93b08985e528b2f5d7

SHA512
00df4fb95b89667a31b0e3bdefc2c1f94209573f1ef6677cb5033ef2b445874e949daa1bb4d86ef965159ee4f8f2aafec5875519db33c18c60d2daba798aac34

Download Submit
C:\Users\Admin\AppData\Local\Temp\h4fmoew0\h4fmoew0.cmdline
Filesize
273B

MD5
3f8dba0382001ad0ed72b13596f6221f

SHA1
bd12e8c0e9cff91fbac6ade7bb3cf89ba363ec21

SHA256
7ae5b2dec432fe4a8a66633c1eb9898a0f7321cf023324ba3f95cd2be6569098

SHA512
7f1b57b787040a5f529c54c6bb73ae8244f9d1f5a58098b1a770f7db49252e94cba4fd29607beab4639903b11ddaf8625f91286e5d66359252e4e66e3fb5031e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B7C.tmp.exe
Filesize
12KB

MD5
827883f4374517d5844390452dc58c47

SHA1
e3d4765f0cde48236f3678ae94f50fe39f24ffac

SHA256
db205218aace5dcb59f523049189192b6d4bc9f21f955e82ae538b278c834b14

SHA512
fbab4ebedb40e0bf6e304872dcee7f1435c1f7d174d5d4bbe41fda6a1ccc2802accb4b461a80e7d38a56edfe85cd9ff2b20ab89575d00f514bd93c1880de0e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc28ECC1011E3408C8BDC36135E91E47.TMP
Filesize
1KB

MD5
aa5106a777b33c6900f5ee1199e9cd1e

SHA1
7e3a641d198707744a70dc3e63b2d3e7f4fb709f

SHA256
3355ace921bb2ad92f5e62770cd04bf8e180becb5c62485a6a6e24b6f8ce825e

SHA512
c3852962d2076424f25da4f51e509fa5ad7bdaa5705271e49a907c59d17a1afdf0670e98914bed75412462f3eeb5ad7ebc24040440d8778dc759f18e17366077

Download Submit
memory/1380-0-0x0000000074C8E000-0x0000000074C8F000-memory.dmp

Filesize
4KB

Download
memory/1380-8-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/1380-2-0x0000000004EB0000-0x0000000004F4C000-memory.dmp

Filesize
624KB

Download
memory/1380-1-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/1380-24-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/1924-25-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/1924-26-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/1924-27-0x0000000005410000-0x00000000059B4000-memory.dmp

Filesize
5.6MB

Download
memory/1924-28-0x0000000004E60000-0x0000000004EF2000-memory.dmp

Filesize
584KB

Download
memory/1924-30-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing