Analysis
- max time kernel: 138s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 01:01
Static task: static1
Behavioral task: behavioral1
- Sample: 683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe
- Size: 12KB
- MD5: 683e551837bbd87011342a6cc5265a30
- SHA1: 360bf01eefbb719f67495e4ffbceb251157921ff
- SHA256: 965f283fd8b82e737109499811f5735781a10fb423ced4c387578c6d336f7dc9
- SHA512: 46ba045fec254862c6f459229c14b2df9a10ca6eca3afb040fc58376c0567b7e6a1e9435fdcab6b69c3781b6e34405dc13b5a9e7a4ab895b0b86aadffb82bc6d
- SSDEEP: 384:DL7li/2zDq2DcEQvdhcJKLTp/NK9xa4b:H/M/Q9c4b
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Process: 683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe (PID 4160)
  Key value queried: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation
- Deletes itself (1 IoC)
  Process: tmp2E64.tmp.exe (PID 1684)
- Executes dropped EXE (1 IoC)
  Process: tmp2E64.tmp.exe (PID 1684)
- Uses the VBS compiler for execution (1 TTP)
  Spawns vbc.exe, the Visual Basic .NET command-line compiler, with a response file under the user's Temp directory; vbc.exe in turn runs cvtres.exe to build the resource object. This is the footprint of code compiled at run time rather than shipped as a finished binary.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe (PID 4160)
  Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Each parent-to-child write was recorded three times:
  PID 4160 (683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe) wrote to memory of PID 3656 (vbc.exe)
  PID 3656 (vbc.exe) wrote to memory of PID 1612 (cvtres.exe)
  PID 4160 (683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe) wrote to memory of PID 1684 (tmp2E64.tmp.exe)
  All three are writes from a parent into a child it has just created, which is also what ordinary process creation looks like; on their own they do not show injection into a foreign process.
Processes
- C:\Users\Admin\AppData\Local\Temp\683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe (PID 4160)
  Command line: "C:\Users\Admin\AppData\Local\Temp\683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 3656)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r2dprnmi\r2dprnmi.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1612)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FAB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC692E705D0DB494DB9B132C1ACE3ED8.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp2E64.tmp.exe (PID 1684)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2E64.tmp.exe" C:\Users\Admin\AppData\Local\Temp\683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe
    - Deletes itself
    - Executes dropped EXE
  The dropped helper is started with the original sample's path as its only argument, consistent with the "Deletes itself" signature: the helper, not the sample, removes the file.
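The three behaviours the signatures and process tree record (the country-code registry lookup, run-time compilation through vbc.exe and cvtres.exe, and a Temp-dropped helper handed the sample's own path) can be written as detection logic over process-creation and registry telemetry. The Python below is an added example, not part of this report or of any sandbox's own signature code. Its events are constructed from the process tree above; the parent PIDs 1000 and 6000, the PID 7000 compile, the MSBuild launch and the second registry key are hypothetical, added so that a benign developer build is present for the filter to skip.

```python
"""Detection logic, as an added example, for the behaviours recorded in the
report: the country-code registry lookup, run-time compilation through
vbc.exe/cvtres.exe, and a dropped helper handed the parent's own path."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # command line as logged


@dataclass(frozen=True)
class RegEvent:
    pid: int
    key: str        # registry value path that was queried


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE = TEMP + r"\683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe"
HELPER = TEMP + r"\tmp2E64.tmp.exe"

# Constructed telemetry modelled on the report's process tree. PIDs 1000,
# 6000 and 7000 and the MSBuild-driven compile are hypothetical, added so a
# benign developer build is present to be filtered out.
PROCS = [
    ProcEvent(4160, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(3656, 4160, NET + r"\vbc.exe",
              '"' + NET + r'\vbc.exe" /noconfig @"' + TEMP + r'\r2dprnmi\r2dprnmi.cmdline"'),
    ProcEvent(1612, 3656, NET + r"\cvtres.exe",
              NET + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP
              + r'\RES2FAB.tmp" "' + TEMP + r'\vbcC692E705D0DB494DB9B132C1ACE3ED8.TMP"'),
    ProcEvent(1684, 4160, HELPER, '"' + HELPER + '" ' + SAMPLE),
    ProcEvent(6000, 1000, NET + r"\MSBuild.exe", NET + r"\MSBuild.exe app.vbproj"),
    ProcEvent(7000, 6000, NET + r"\vbc.exe",
              '"' + NET + r'\vbc.exe" /noconfig @"C:\src\app\obj\Debug\app.cmdline"'),
]

# The Geo Nation query is the IoC from the report; the second key is a
# hypothetical benign read, included to show it is not flagged.
REGS = [
    RegEvent(4160, r"\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000"
                   r"\Control Panel\International\Geo\Nation"),
    RegEvent(1684, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
]

COMPILERS = {"vbc.exe", "csc.exe"}                 # .NET Framework compilers
BUILD_HOSTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
GEO_SUFFIX = r"\control panel\international\geo\nation"


def _name(path):
    return ntpath.basename(path).lower()


def _by_pid(procs):
    return {p.pid: p for p in procs}


def geofence_lookups(regs):
    """PIDs that read the configured country code (Geo Nation)."""
    return sorted({r.pid for r in regs if r.key.lower().endswith(GEO_SUFFIX)})


def runtime_compile_chains(procs):
    """(parent pid, compiler pid) for a .NET compiler run with a response file
    under the user's Temp directory by something that is not a build host."""
    table = _by_pid(procs)
    hits = []
    for p in procs:
        if _name(p.image) not in COMPILERS or "/noconfig" not in p.cmdline.lower():
            continue
        parent = table.get(p.ppid)
        if parent is not None and _name(parent.image) in BUILD_HOSTS:
            continue
        if TEMP_RE.search(p.cmdline):
            hits.append((p.ppid, p.pid))
    return hits


def self_delete_helpers(procs):
    """(parent pid, helper pid) where a child started from Temp is handed its
    parent's own image path as an argument, the shape behind the report's
    'Deletes itself' and 'Executes dropped EXE' signatures."""
    table = _by_pid(procs)
    hits = []
    for p in procs:
        parent = table.get(p.ppid)
        if parent is None or not TEMP_RE.search(p.image):
            continue
        # drop argv[0] so the child's own path is not mistaken for an argument
        args = p.cmdline.lower().replace(p.image.lower(), "", 1)
        if parent.image.lower() in args:
            hits.append((p.ppid, p.pid))
    return hits


if __name__ == "__main__":
    print("geofence lookups:", geofence_lookups(REGS))
    print("runtime compile chains:", runtime_compile_chains(PROCS))
    print("self-delete helpers:", self_delete_helpers(PROCS))
```

The compiler check keys on the parent rather than on vbc.exe itself, because vbc.exe and cvtres.exe are legitimate signed Microsoft binaries and appear in every normal .NET build; what separates this tree from a build is a process in the user's Temp directory driving the compiler with a response file that also lives in Temp. The self-deletion check is deliberately narrow (parent path passed verbatim to a Temp-resident child); a helper that receives the path through an environment variable or a written script would need a different rule.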
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 4e3c888040d9e4938adf4b5c73768a83
  SHA1: 56b50e053c1527f5cb0d13046582c13522147afa
  SHA256: 7b6e0a57d006e04d3f044e5932f6d8301f6ca39a92e4d05e941dca89aca8eb8e
  SHA512: ae3d3c7cca3c7fc014eaa454c351f2ef340272d0a7b888cb7c18cd1a549033a54cd83fb38ed54cd0e2db9dabf561bb49e3642774d4e3ff16723d168dd89f90ef
- Filesize: 1KB
  MD5: ef9db4e87c730fdea3cbe0b7dff780ba
  SHA1: 8e6848b228ab481a1a3301b733c1c1dd6f7e821a
  SHA256: dd9ad0cb00751040f1902328d032eb9ac258414bb67d668efa21b177f843bb27
  SHA512: e1098cebac6a999ff1b3b79eb7b427afc30a58f9cc616a2790251510cdab06122ed8bcb503cde468c92df7c0b66edba873541c4a11e204363a4bb9a68ed1ee97
- Filesize: 2KB
  MD5: 37d46eb47345d4a552f60a135585fc8b
  SHA1: 1634ef5d3c0199abd71a6664b325e622f56b124b
  SHA256: be816d9639966acd8cbd8f6c3a751bfa5386a4117abd4feb626408506f653ba4
  SHA512: dfeea68ef5697f6523581216b832299a2c3d555c00c138564c323f1369f4c518e06f9d427729d49e581d02fbbfd728775a51c97722b48572f1c1f6c3205b50e6
- Filesize: 273B
  MD5: 0f3cb068d2a9054e041f17a8aa67e6c3
  SHA1: 04a78c8079804762d718259ee61d8a7d58b3c1f3
  SHA256: 7814d9fc6ab4d8013f6040076699357d6bc79a6ced2495ce056906f219d02a2a
  SHA512: c58a0bee65775fd40c30d5e1f49ec3764f09fd131949384dcea4544de02b612b9bd02f1738533ef62e6f3adad97bf1485e927038e2b65a1d420ddfef1133e3e0
- Filesize: 12KB
  MD5: 9d70fdfd414092471d4a0a5686ea2899
  SHA1: 51f448f74ff0fa6253298ef83965d69448a7577b
  SHA256: 7668f2a96261e2d8f806fc4ee2168d3a8ae9132ebba64d11962dc8c6d27598a9
  SHA512: aaf3ece1c4794dc10471f4af2d73e83da378471cc0f7d3b286030cb818408390c565cf2077b60d702f4e5075f2c3bb7195d058cc3034de210d0e1d609552d9d0
- Filesize: 1KB
  MD5: 1a2df86e30d4e30d564a07166c6cbb53
  SHA1: 6e46e29f3d9015b24ff480d064bc0737f7ea8ad1
  SHA256: 2aa3d04392c2426973b8b9da2b5232dca7f49363ae72a6c6025d963b49ffde70
  SHA512: 03b90ce27dbc538ea9b85ebd171360ce5811a3c76cf856c36eb683e6a16b01c809331d5295030fb08a932e60dc5c0039d0977d58cee9cefc764ce6a75b7bb18c