22834560775aa87b187213b183a3cd3ede81b6043fe112a819d443db5eeedaa1

General

Target

6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe
Size

12KB
MD5

6f3b5d0a9e4367c48c5c69880d4d27e0
SHA1

b1aec9811710b5b42f427835f863a660745efd53
SHA256

22834560775aa87b187213b183a3cd3ede81b6043fe112a819d443db5eeedaa1
SHA512

2aae1e45897f81cf2c74556372c640f9eb2bf49b81268c21249a72fa319733a1a06b59719f56e034e8ae27ededcf125a20c47c6c3a4bbec11cc43c064685dc77
SSDEEP

384:xL7li/2znq2DcEQvdQcJKLTp/NK9xa0E:xDMCQ9c0E

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp50A1.tmp.exe

pid process

4016 tmp50A1.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp50A1.tmp.exe

pid process

4016 tmp50A1.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 5044 6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe

pid	process
4016	tmp50A1.tmp.exe

pid	process
4016	tmp50A1.tmp.exe

description	pid	process
Token: SeDebugPrivilege	5044	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 5044 wrote to memory of 3972	5044	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe	vbc.exe
PID 5044 wrote to memory of 3972	5044	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe	vbc.exe
PID 5044 wrote to memory of 3972	5044	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe	vbc.exe
PID 3972 wrote to memory of 2504	3972	vbc.exe	cvtres.exe
PID 3972 wrote to memory of 2504	3972	vbc.exe	cvtres.exe
PID 3972 wrote to memory of 2504	3972	vbc.exe	cvtres.exe
PID 5044 wrote to memory of 4016	5044	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe	tmp50A1.tmp.exe
PID 5044 wrote to memory of 4016	5044	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe	tmp50A1.tmp.exe
PID 5044 wrote to memory of 4016	5044	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe	tmp50A1.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bs2j1pah\bs2j1pah.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5285.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc280D75D669BA47E193A386FACEB47A9.TMP"
3⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\tmp50A1.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp50A1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
e358cce51112cded9ca862519874ac9f

SHA1
9bf3b210e5e9a866e3088a6d0b0854a231d40a98

SHA256
cc7223df1cf61d990cf269f0ff602ff54cfdee72c49ebe1a4482e04a782becf4

SHA512
dbb06aec2c25a40783f648322ab44af2c867f129d7502897d4e71aa28a3d493fe9ac27a7333d924a2e0b1776976286d80210ff2b23e4f4be739a76b082a43b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5285.tmp

Filesize
1KB

MD5
4598293ec54cbb51f3c693b8e7d0299a

SHA1
fc059c2e1ef673a0bc95ff08b9794e0a5031884f

SHA256
b6a7a9e01fd3025126f224acc80bbaa45d9412eabd3a5f3a3217989bb2d375fb

SHA512
819106ff010142ef8f4b0ec9b8bd0556597de042498fa9bcff1139600bca54a0532497e3e16f81a3beb6808f1f63aea305d47f174f56772a43f6c81eece107eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bs2j1pah\bs2j1pah.0.vb

Filesize
2KB

MD5
05df6affd6480dd16113624408509d97

SHA1
36b3b67782376b702b78fbddb805b8e9874bfded

SHA256
c975f7febd0840868da219f5965aa72753725aa389e7d27636fdb7f4556e92e0

SHA512
9a6b66672ba04dc295ae5cf01579c7715500c36208d4f466efc89cc1f6a721b7dbed9e2f497510781695206d6d8b8e48d21722d656100acd7fcd49ac0c193fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bs2j1pah\bs2j1pah.cmdline

Filesize
273B

MD5
da9bd02a9857f89bc478cef8b7714828

SHA1
89ad087f5e5373690170227e73e4df16cd4edfc8

SHA256
32539d68ddbe2761bbdad015a4bae58dc0ee023794a055ccd8c9e401c3987d2e

SHA512
50e75b2e5158851bf06d06d62d5f4ce06d54083d52eb80e6f600bd3514214640d8f583bd4a3fea4930d0893427139641a455eddcda8f29dae95369555aa50d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp50A1.tmp.exe

Filesize
12KB

MD5
59bb92db39e58ff462e391f8e71f81e1

SHA1
c4d4abd8086d4a56d0da92b3794d27bf02566e2a

SHA256
8b2332071c6291b7820998285147b26066347f4b34921866ce4e59af0ebb6f92

SHA512
39c75abf1440d48c90dd5a329c764d9dbcf7a28668bc2787f5ba08412f476470e825ff898fe8b0430a728d9cf04e48ec08abd560d8018e23956847e4200143ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc280D75D669BA47E193A386FACEB47A9.TMP

Filesize
1KB

MD5
dbb56ddabd504722a82970f2993cd528

SHA1
5f5743776a10e74a41bbf315c682c4ed011f5640

SHA256
838c2320b43fd8a8717ca5ea7c2e20def78435e2f7d17f67356b8010136194c5

SHA512
581f590cad4d0160e72cf4c35ab1a8e77e0f75398aa77712ee206987e1c945dfa09647812632b3c21ac34d63982fd1e7b55774ef1dc99d0e9caeef6df87be016

Download Submit
memory/4016-25-0x0000000000970000-0x000000000097A000-memory.dmp

Filesize
40KB

Download
memory/4016-26-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/4016-27-0x00000000058C0000-0x0000000005E64000-memory.dmp

Filesize
5.6MB

Download
memory/4016-28-0x0000000005310000-0x00000000053A2000-memory.dmp

Filesize
584KB

Download
memory/4016-30-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/5044-0-0x000000007532E000-0x000000007532F000-memory.dmp

Filesize
4KB

Download
memory/5044-8-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/5044-2-0x00000000053D0000-0x000000000546C000-memory.dmp

Filesize
624KB

Download
memory/5044-1-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/5044-24-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing