3bff2b09b0b2a02cadebb840a8bb7435c5eab5fe85cfbc6c500185f2645e354e

General

Target

6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe
Size

12KB
MD5

6ffb0ebe5e7db285cbc0a55c0a77d9b0
SHA1

2092ca285c99f6274196cf3cacf9b3fdb42c17df
SHA256

3bff2b09b0b2a02cadebb840a8bb7435c5eab5fe85cfbc6c500185f2645e354e
SHA512

7b82b35331644d7981d98e220f2d5e306b49b1b387103784a91237e42fd72a70e1c4607dbdb31856d4df659fe011d511711133dc7b2843cb7e44bc9d664778d0
SSDEEP

384:tL7li/2zjq2DcEQvdQcJKLTp/NK9xazK:93MCQ9czK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp5833.tmp.exe

pid process

1176 tmp5833.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp5833.tmp.exe

pid process

1176 tmp5833.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 764 6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe

pid	process
1176	tmp5833.tmp.exe

pid	process
1176	tmp5833.tmp.exe

description	pid	process
Token: SeDebugPrivilege	764	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 764 wrote to memory of 2284	764	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe	vbc.exe
PID 764 wrote to memory of 2284	764	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe	vbc.exe
PID 764 wrote to memory of 2284	764	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe	vbc.exe
PID 2284 wrote to memory of 2860	2284	vbc.exe	cvtres.exe
PID 2284 wrote to memory of 2860	2284	vbc.exe	cvtres.exe
PID 2284 wrote to memory of 2860	2284	vbc.exe	cvtres.exe
PID 764 wrote to memory of 1176	764	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe	tmp5833.tmp.exe
PID 764 wrote to memory of 1176	764	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe	tmp5833.tmp.exe
PID 764 wrote to memory of 1176	764	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe	tmp5833.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\stdhpt5l\stdhpt5l.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED47307745AD4A2B8C3D824AB43EA891.TMP"
3⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\tmp5833.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5833.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:1176

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
77e40d01e6325fa186e4554c4b70754b

SHA1
93a4913c64629e7cf2ad4630583c7f19a20183af

SHA256
c8b4824593a680eca2ea006779b6a6f9953ac52fd2a6421e277f34fba35c0fa3

SHA512
a54ea03d97cabccce1094ec6ed153b33341b8a01ae08d9295934ffaf5f718b21f79e7d5880af9170ef3890e04c5d4abb892942e9ca1f13928833ad90975a7e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES59E7.tmp
Filesize
1KB

MD5
e2d0f93c912c4e13dd420537a14f754b

SHA1
b4d5c1ee227b892d1b9a37b9594d1e2793da0b98

SHA256
a81eba7fc3e25604125b2223ba0cc78169ef71fa8c9a618f67cf19739f91f5b4

SHA512
d1234ec48d6d383fed867bd27ad356f5fc2452df29a7274ef0717fec3532f3cd42ec839317cb2bcb9b1aa616685e8f5fc88e3a361b957c88ad3b6b4a1c37af8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\stdhpt5l\stdhpt5l.0.vb
Filesize
2KB

MD5
2fc51c10f490566dfbc27d48a7e6a20c

SHA1
4ce45379fc8bdb49bfc5a6e49394b6fe92e32bdd

SHA256
d651909709704be4af441267cf01c7d61a1ec35d1f149296bfdc366bd0c4e8d4

SHA512
f596f34899eed5855dc190c242fdd05098c62c66202168be51f2d61d5f155d5b11841937e47b425db97e79aa486648694b66ea1df924c5aa60c4b0e3aa06d969

Download Submit
C:\Users\Admin\AppData\Local\Temp\stdhpt5l\stdhpt5l.cmdline
Filesize
273B

MD5
ac89ff89b21794c7191aa1b5b6e1156c

SHA1
26cc683d58f11a832419d99fa5b044ac0062d2cb

SHA256
4fa7bd4949926aedb4e1155d2c7f1f91f05fb0724e3a28d78253afaa38af8f0d

SHA512
d5d03038fb7d433d598e8bbe8294ab792ca3dded3a4be5b79d870588d617cbc860c635d87ed906c5a3b8bd1d4199e0e223342da49ea0abc6b15ab24da41532f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5833.tmp.exe
Filesize
12KB

MD5
71b791ed1abf97263fac07d651da2a70

SHA1
3ade2a12c83ac0c57e59207ee657f7c7ce6c4680

SHA256
4a4a544d1daece9fc1520931ea524519440240b3fd9fb98f74b9691c6daa04af

SHA512
f579bbd949adc2437d276df0d910c4f7f99c5dbff1e831c86a7dcd8c1d66694c6a1f33120c7aa1c8a5622eff415954e50d22380d403dc4d2881264ec7ed3e79d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcED47307745AD4A2B8C3D824AB43EA891.TMP
Filesize
1KB

MD5
9fd74a98d795f9e4048d9c90dfe8e619

SHA1
21f0bbc8cac7c3576a495be01c52ee4dd318b18e

SHA256
ce4585a027d423201d9c100d5556f09942f60fd23997d69419165bdc48460471

SHA512
b4f369aa782e716d0998660c26e50ce5e54643fd912a4b15af46cec34e0eecb6e996dcba45292ed7f6eb64eac6821a7b452c70f6bc5a2da725459c580e07df22

Download Submit
memory/764-0-0x000000007461E000-0x000000007461F000-memory.dmp

Filesize
4KB

Download
memory/764-8-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/764-2-0x0000000005110000-0x00000000051AC000-memory.dmp

Filesize
624KB

Download
memory/764-1-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/764-24-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1176-25-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1176-26-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/1176-27-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/1176-28-0x0000000005600000-0x0000000005692000-memory.dmp

Filesize
584KB

Download
memory/1176-30-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing