50468708d2bf0a3e3d3594671c1c851d3f752d3a35a5561754f07d1a5a56771a

General

Target

6fff3292c3b7c09842ff0c470a0eb7c0_NeikiAnalytics.exe
Size

12KB
MD5

6fff3292c3b7c09842ff0c470a0eb7c0
SHA1

95526d7ee40a92620ebc6e4223b80eab3f52e4b8
SHA256

50468708d2bf0a3e3d3594671c1c851d3f752d3a35a5561754f07d1a5a56771a
SHA512

0605bceed678a1d35ec4c0540aa9615fb3d720d5b4b25dccddb50e07a920919aeb45992273546cc77c7aef0f0b0107496b526c8441f510b79cfb0864a69c12be
SSDEEP

384:OL7li/2zXq2DcEQvdhcJKLTp/NK9xaDjI:YbM/Q9cDjI

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6fff3292c3b7c09842ff0c470a0eb7c0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	6fff3292c3b7c09842ff0c470a0eb7c0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp2B28.tmp.exe

pid process

2044 tmp2B28.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp2B28.tmp.exe

pid process

2044 tmp2B28.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6fff3292c3b7c09842ff0c470a0eb7c0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1812 6fff3292c3b7c09842ff0c470a0eb7c0_NeikiAnalytics.exe

pid	process
2044	tmp2B28.tmp.exe

pid	process
2044	tmp2B28.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1812	6fff3292c3b7c09842ff0c470a0eb7c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6fff3292c3b7c09842ff0c470a0eb7c0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 1812 wrote to memory of 3832	1812	6fff3292c3b7c09842ff0c470a0eb7c0_NeikiAnalytics.exe	vbc.exe
PID 1812 wrote to memory of 3832	1812	6fff3292c3b7c09842ff0c470a0eb7c0_NeikiAnalytics.exe	vbc.exe
PID 1812 wrote to memory of 3832	1812	6fff3292c3b7c09842ff0c470a0eb7c0_NeikiAnalytics.exe	vbc.exe
PID 3832 wrote to memory of 3524	3832	vbc.exe	cvtres.exe
PID 3832 wrote to memory of 3524	3832	vbc.exe	cvtres.exe
PID 3832 wrote to memory of 3524	3832	vbc.exe	cvtres.exe
PID 1812 wrote to memory of 2044	1812	6fff3292c3b7c09842ff0c470a0eb7c0_NeikiAnalytics.exe	tmp2B28.tmp.exe
PID 1812 wrote to memory of 2044	1812	6fff3292c3b7c09842ff0c470a0eb7c0_NeikiAnalytics.exe	tmp2B28.tmp.exe
PID 1812 wrote to memory of 2044	1812	6fff3292c3b7c09842ff0c470a0eb7c0_NeikiAnalytics.exe	tmp2B28.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6fff3292c3b7c09842ff0c470a0eb7c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6fff3292c3b7c09842ff0c470a0eb7c0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tqnafpqd\tqnafpqd.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C30.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE701AC987C1451FAEE4186ABF809749.TMP"
3⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\tmp2B28.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2B28.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6fff3292c3b7c09842ff0c470a0eb7c0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
490151d402f270a5ba00993f35ccd485

SHA1
d437957f7214a0f00d3d6c1c6adcc0df72ac39b8

SHA256
25e4c8a621aae78164e5c76857a927efd09056b0ab4347f465752c982b7a6956

SHA512
4f5bfe16ac2741edbd6ab84f613f38d69e11f01b9181536c7630a63e08fa6af6470a104590614a7de21912ffcbeb630b7aff5489940f05cf5e6881bd82d282fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2C30.tmp

Filesize
1KB

MD5
9976e32698f20ba1f61348d3c70749b4

SHA1
a19b90e6efec766bae9e6a262225aa6eae788c07

SHA256
0f4f0b5fe53545fe5b672209c7890431a40a277a1252bff64d545765b59c493c

SHA512
5536c56c2975dd2378d006ca818b62513333400c2987b95fbab1d44329c86ad6d99bf1d7b075f51341ed7ce07628ed61ff460a667f11fee4d4241c236f314184

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B28.tmp.exe

Filesize
12KB

MD5
e5ada3a8d3126559411d2b20a1718632

SHA1
d20b8d67a688740f9558d922d0c9505011ca7cb4

SHA256
4564460f0d65ee71c39d1fb2e13462dce5d6b196b70c04cc08f94bec72ed9196

SHA512
44fc575bd3bcb85386cfe930aff98c12dddccbd31a88a8d62cab3f666933d314491ff0521493470991c93ced314276e3ac7aa662fd821c886f7a59294649d0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqnafpqd\tqnafpqd.0.vb

Filesize
2KB

MD5
9e600091157be03ade8a0cbbab88c99d

SHA1
4884222fad2762c81b73f23a6294b510c362264e

SHA256
4ceeb0ea1346732839af7c614e42a1385c4f998a1ff89cbd40725c595a740733

SHA512
ffa543b0d7c629111749f208a0720cd3224966765d14efdd450e75f25af2928f63d1033f49a3e8b2b35aacbdb5f9e7dea39e87c9b4240045b3cbcb1e4719ab8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqnafpqd\tqnafpqd.cmdline

Filesize
273B

MD5
b9c720dce686a213eaff4c55584c90b1

SHA1
b1c2f118bda7a7e0131221435750becae91637e4

SHA256
2d8ac1c74228fe8e732492be08319b3f20344904d6f3a69ac613738e0c29b89e

SHA512
0fd3db4da69d97740eb32e59871314752362961509e454e0cf80a13ca4760106d9f2072b8e77f7d978a7e19b6183f02b1aa07d62839245753d6eae3952b4e367

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAE701AC987C1451FAEE4186ABF809749.TMP

Filesize
1KB

MD5
cbdda31973170695e3d6e7b722c08235

SHA1
5a9b537e4cac442258186203921cbff264caedf9

SHA256
c91d6ef48ca01e014005168d89e64ca362d9d909bdc4d346575050949b406763

SHA512
e6d9b7e424db4946fa9c95c3968001eee299f406012e979efcca8137c3037ed47ee0d2d01b2eb8572eeb5d66da1b39b4c7a2ba32a62935e921636f446cdfca49

Download Submit
memory/1812-2-0x0000000005590000-0x000000000562C000-memory.dmp

Filesize
624KB

Download
memory/1812-8-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/1812-0-0x000000007517E000-0x000000007517F000-memory.dmp

Filesize
4KB

Download
memory/1812-24-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/1812-1-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/2044-25-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

Filesize
40KB

Download
memory/2044-26-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/2044-28-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/2044-27-0x0000000005E80000-0x0000000006424000-memory.dmp

Filesize
5.6MB

Download
memory/2044-30-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing