11f9c68f973977c9c197e5d22433f5983e71b9404eedca98482fbfb8c3b89e5a

General

Target

719a872d79d838ccf021ed92e352bf20_NeikiAnalytics.exe
Size

12KB
MD5

719a872d79d838ccf021ed92e352bf20
SHA1

db7a49c3ab8bc578eaa7401c65b37fdf2b490449
SHA256

11f9c68f973977c9c197e5d22433f5983e71b9404eedca98482fbfb8c3b89e5a
SHA512

3a789d25a0a20e50cbb51784a197714f3d5018e4d3c7faa7988f6b468710975558869ae19ff12d4f0b7df4d9e3c5fe0e04c3c85ea7d8dadf9231c4809b61969b
SSDEEP

384:4L7li/2zpq2DcEQvdhcJKLTp/NK9xaYi:GhM/Q9cYi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

719a872d79d838ccf021ed92e352bf20_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	719a872d79d838ccf021ed92e352bf20_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp47C8.tmp.exe

pid process

1432 tmp47C8.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp47C8.tmp.exe

pid process

1432 tmp47C8.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

719a872d79d838ccf021ed92e352bf20_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 4196 719a872d79d838ccf021ed92e352bf20_NeikiAnalytics.exe

pid	process
1432	tmp47C8.tmp.exe

pid	process
1432	tmp47C8.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4196	719a872d79d838ccf021ed92e352bf20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

719a872d79d838ccf021ed92e352bf20_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 4196 wrote to memory of 1016	4196	719a872d79d838ccf021ed92e352bf20_NeikiAnalytics.exe	vbc.exe
PID 4196 wrote to memory of 1016	4196	719a872d79d838ccf021ed92e352bf20_NeikiAnalytics.exe	vbc.exe
PID 4196 wrote to memory of 1016	4196	719a872d79d838ccf021ed92e352bf20_NeikiAnalytics.exe	vbc.exe
PID 1016 wrote to memory of 2132	1016	vbc.exe	cvtres.exe
PID 1016 wrote to memory of 2132	1016	vbc.exe	cvtres.exe
PID 1016 wrote to memory of 2132	1016	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 1432	4196	719a872d79d838ccf021ed92e352bf20_NeikiAnalytics.exe	tmp47C8.tmp.exe
PID 4196 wrote to memory of 1432	4196	719a872d79d838ccf021ed92e352bf20_NeikiAnalytics.exe	tmp47C8.tmp.exe
PID 4196 wrote to memory of 1432	4196	719a872d79d838ccf021ed92e352bf20_NeikiAnalytics.exe	tmp47C8.tmp.exe

C:\Users\Admin\AppData\Local\Temp\719a872d79d838ccf021ed92e352bf20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\719a872d79d838ccf021ed92e352bf20_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cdlqll4j\cdlqll4j.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4DC495AE6954B3089EFAC4B36C098A2.TMP"
3⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\tmp47C8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp47C8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\719a872d79d838ccf021ed92e352bf20_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
31f6f829cd3d50ee791905af0f887a39

SHA1
c2ed7df3e808e54303dc70d54b76996eeb50a26a

SHA256
78c30fad48bf53fc6950c318f65559334b8878a5f7fc188c60d289bbc5c7cb92

SHA512
3b5dbf2bb262743c3cc319ed8f3a092c412842e67b8af1ec0389db1f8745293ff4e42d9d93df7feaf37aa19c59aed95222f1a7145fec11a5f0aed00828596a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A86.tmp

Filesize
1KB

MD5
96c49c0ebf4c3d9498a66770219a91a8

SHA1
c1db8baf3634965882888f389e27b1a9775465f1

SHA256
ee64c32b0db296d0d1c736c6f98703a3988710e86961d8255daa72b00887cbab

SHA512
7ad72490ebe14a59c529d91f674d61f5b2c06b4026b01bdfd3da1e6b40ec63818188e16bd5cec964acf6f79a3c228ced38ec16ca3214e21193f3b6e2c00cf1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdlqll4j\cdlqll4j.0.vb

Filesize
2KB

MD5
0f5d19c58d0f289f177e5158bf90f412

SHA1
4c60e7ad42b9e5b3679424d0d81cf5a85e424779

SHA256
a532ea3c53f78ee2f34a8bfe45efe3a5fd851780f604d6da0214aee87d06e24f

SHA512
1008e1aad6730933acc1965c242d46cb5c7e64ba84c9b8f4dd47fa9d7a37a638544b841b712bc1d52f1c82e7055ad18e31df8f2b1651fa8f6664c927bdfcba0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdlqll4j\cdlqll4j.cmdline

Filesize
273B

MD5
6a43320e1031ed4c88deaa95fe54b256

SHA1
4410fa967d31d18e99f40ea3a3c1be5956b4fbf0

SHA256
881ee6734beaa240c5c69fa9e067b01b6a3cb567558268fbae4ce59966a3a498

SHA512
fc3133ee4490270fda16b8bf2674a72ddaae1159c72339cf668c9a5e9babecdc90287a0306b081fe7ccd482b16c02996387b520fe4048a328fd54ae1ef9d166c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp47C8.tmp.exe

Filesize
12KB

MD5
b6b2e73ad1fb6b223c9a11a16b18880c

SHA1
88b6694dfcc964982dc25ec9104b40224f4978d6

SHA256
bab212989aa092729ed17e6c8f07654c1aa8ff9a3e71a98d8d21dc68ad4bd0f8

SHA512
1337debeeefc8927729b410dc586c5e58b7261c7054418979acf9cac7994fbe338eb24bb19410ed85d23a2e4c0ecf11347a161558bc737743d82edfdd9da0d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC4DC495AE6954B3089EFAC4B36C098A2.TMP

Filesize
1KB

MD5
7160630ac5322431101cfebe2db3307c

SHA1
c91b1a6295e594c84bb890d0f81c906d95c00b42

SHA256
3b5e363ad0d9d0faf1e560ec0cb90f212ab62ac72d0776fbd4acff6aa16718d5

SHA512
f2b818db2379f1cdddfe04a0516dffd520ab05f4246465ee0d69538546f8e24a6281a294af0061785c3bbd69c45ebe1094507240817e6f2442d527d745b712ae

Download Submit
memory/1432-25-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

Filesize
40KB

Download
memory/1432-26-0x0000000075270000-0x0000000075A20000-memory.dmp

Filesize
7.7MB

Download
memory/1432-27-0x0000000005A90000-0x0000000006034000-memory.dmp

Filesize
5.6MB

Download
memory/1432-28-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/1432-30-0x0000000075270000-0x0000000075A20000-memory.dmp

Filesize
7.7MB

Download
memory/4196-0-0x000000007527E000-0x000000007527F000-memory.dmp

Filesize
4KB

Download
memory/4196-8-0x0000000075270000-0x0000000075A20000-memory.dmp

Filesize
7.7MB

Download
memory/4196-2-0x0000000005960000-0x00000000059FC000-memory.dmp

Filesize
624KB

Download
memory/4196-1-0x0000000000F50000-0x0000000000F5A000-memory.dmp

Filesize
40KB

Download
memory/4196-24-0x0000000075270000-0x0000000075A20000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing