c5d939da596ded4aedfd409e42906d056f472b6edf91ca6e4914221db77dacef

General

Target

6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe
Size

12KB
MD5

6fb6d38918f7505534eb9c6b8b725ec0
SHA1

c9bc0eaa7856c4cd232eb6a97f195daf9abab393
SHA256

c5d939da596ded4aedfd409e42906d056f472b6edf91ca6e4914221db77dacef
SHA512

7ef5daa15e6dc49169dec60186283cb71a6079b1e13aa530b81da74b1e3cea2bd71ef64ddfae760d9caa90ef0bfdeacd65855b2f04364aa8b9a596456ef044b2
SSDEEP

384:8L7li/2z9q2DcEQvd2cJKLTp/NK9xaoU:alM8Q9coU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp6696.tmp.exe

pid process

1268 tmp6696.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp6696.tmp.exe

pid process

1268 tmp6696.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2384 6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe

pid	process
1268	tmp6696.tmp.exe

pid	process
1268	tmp6696.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2384	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2384 wrote to memory of 1140	2384	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe	vbc.exe
PID 2384 wrote to memory of 1140	2384	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe	vbc.exe
PID 2384 wrote to memory of 1140	2384	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe	vbc.exe
PID 1140 wrote to memory of 1116	1140	vbc.exe	cvtres.exe
PID 1140 wrote to memory of 1116	1140	vbc.exe	cvtres.exe
PID 1140 wrote to memory of 1116	1140	vbc.exe	cvtres.exe
PID 2384 wrote to memory of 1268	2384	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe	tmp6696.tmp.exe
PID 2384 wrote to memory of 1268	2384	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe	tmp6696.tmp.exe
PID 2384 wrote to memory of 1268	2384	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe	tmp6696.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rf3msjov\rf3msjov.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFE70C868331C46E0BB80A73C11943C35.TMP"
3⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\tmp6696.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6696.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:1268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4168 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
5c3c8a38e07813c8ef8e1f950ac72b6b

SHA1
846bce1904687e3ff17bac8bd039bc481fb1fe3d

SHA256
56352ac9cd01799aa8f3c2ccf73c5a394cbaf855ab234e07d96b6f28af80ee85

SHA512
bc59465bed5a10d215ae77d4850dd0b5b3fd247101bcc4c19a6ce5a4639fc1df2512227dc2092461ae15aee89e5d5996c2856bdf68db6f40c27c7873770c668f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES75B8.tmp

Filesize
1KB

MD5
4334aa35b1151500024c650afda8c7bf

SHA1
47104131d1d97a244701f163cc5f5b5b4198e80d

SHA256
2957adf5e68b6b47d683130e422d8ca430bda8858ff4387ba1950efdb7e36c13

SHA512
7b99206f9962f51f59f0b8c3f3e744ee7f3a46fec10653d7805e8744d089f2de4f8199667f3c415fe5421f89ea7ead424d2418b82fe0cd775776cb4e5510087b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rf3msjov\rf3msjov.0.vb

Filesize
2KB

MD5
6f980dc9385c88e89adbd935086ea7e6

SHA1
21006d743a41887cb7ef4a45b1866c66a85c72a4

SHA256
0a31b45ef52df4f9cfd8519c9958df12448218fb45f82c0a8d489eaab59743b0

SHA512
12e76d4cfc10bc66dc3161910c4dee48c8c324bd8bf0002fc6d43a339c699c947a18637635efd59b729a0f625f79b0a6452515bd6cdbaa38fe340330231b6fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rf3msjov\rf3msjov.cmdline

Filesize
273B

MD5
1df68d65356399a78301aed21bb4c400

SHA1
f2b6ef16b1a0d5b64fa5757c4c38f3e4400f62e9

SHA256
e3c0d3acf8675c4b218fc07fc1f85b76bc7123c78e211813431697dd243ca9cd

SHA512
88830744757b2fc8a76a9ff40caac5b7ad156f3ad2284d3c66e4e617d1c2fa57cd9d053e3436d5b934fdff6b796266d3e0e92cbe7165ad08a2220c7dd873df31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6696.tmp.exe

Filesize
12KB

MD5
bd96a87baf78ab6bf7cb4a55076f3ff2

SHA1
c00538efe47c1b6fb866ea986c902c3c378be899

SHA256
3ccb37ddd9f99cddc10d8f3caa9b3c1c281f92c2d29a0e0b78a65028eb92bd4f

SHA512
df62881aa2274ebe36d23df116b32f7865d036074ff75fda7443ab8c4593f8d6c7f3fc6220a92e757a4c4b548268f9965d0fc478cd7dd1fb3325ea9cc15cdc29

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFE70C868331C46E0BB80A73C11943C35.TMP

Filesize
1KB

MD5
3612c795797786451fb7167516daafc5

SHA1
599a2fed277c9329e789d0686763a7b6113660fb

SHA256
a293ba610850240ec92cb2612452ba98d07e4c4e9a0e5b27119246efa81e57ef

SHA512
1be767a1c972bfd9607edbeef52559c9bc007d7ccb273d59910271763e2e22498094c1a316fa9f024857a32bb654043c680b50906873e4035e29140ea5a1ec44

Download Submit
memory/1268-24-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/1268-25-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/1268-27-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/1268-28-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/1268-30-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/2384-0-0x00000000744BE000-0x00000000744BF000-memory.dmp

Filesize
4KB

Download
memory/2384-7-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/2384-2-0x0000000004A70000-0x0000000004B0C000-memory.dmp

Filesize
624KB

Download
memory/2384-1-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/2384-26-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing