965f283fd8b82e737109499811f5735781a10fb423ced4c387578c6d336f7dc9

General

Target

683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe
Size

12KB
MD5

683e551837bbd87011342a6cc5265a30
SHA1

360bf01eefbb719f67495e4ffbceb251157921ff
SHA256

965f283fd8b82e737109499811f5735781a10fb423ced4c387578c6d336f7dc9
SHA512

46ba045fec254862c6f459229c14b2df9a10ca6eca3afb040fc58376c0567b7e6a1e9435fdcab6b69c3781b6e34405dc13b5a9e7a4ab895b0b86aadffb82bc6d
SSDEEP

384:DL7li/2zDq2DcEQvdhcJKLTp/NK9xa4b:H/M/Q9c4b

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp2E64.tmp.exe

pid process

1684 tmp2E64.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp2E64.tmp.exe

pid process

1684 tmp2E64.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 4160 683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe

pid	process
1684	tmp2E64.tmp.exe

pid	process
1684	tmp2E64.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4160	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 4160 wrote to memory of 3656	4160	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe	vbc.exe
PID 4160 wrote to memory of 3656	4160	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe	vbc.exe
PID 4160 wrote to memory of 3656	4160	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe	vbc.exe
PID 3656 wrote to memory of 1612	3656	vbc.exe	cvtres.exe
PID 3656 wrote to memory of 1612	3656	vbc.exe	cvtres.exe
PID 3656 wrote to memory of 1612	3656	vbc.exe	cvtres.exe
PID 4160 wrote to memory of 1684	4160	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe	tmp2E64.tmp.exe
PID 4160 wrote to memory of 1684	4160	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe	tmp2E64.tmp.exe
PID 4160 wrote to memory of 1684	4160	683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe	tmp2E64.tmp.exe

C:\Users\Admin\AppData\Local\Temp\683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r2dprnmi\r2dprnmi.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FAB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC692E705D0DB494DB9B132C1ACE3ED8.TMP"
3⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\tmp2E64.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2E64.tmp.exe" C:\Users\Admin\AppData\Local\Temp\683e551837bbd87011342a6cc5265a30_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4e3c888040d9e4938adf4b5c73768a83

SHA1
56b50e053c1527f5cb0d13046582c13522147afa

SHA256
7b6e0a57d006e04d3f044e5932f6d8301f6ca39a92e4d05e941dca89aca8eb8e

SHA512
ae3d3c7cca3c7fc014eaa454c351f2ef340272d0a7b888cb7c18cd1a549033a54cd83fb38ed54cd0e2db9dabf561bb49e3642774d4e3ff16723d168dd89f90ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2FAB.tmp

Filesize
1KB

MD5
ef9db4e87c730fdea3cbe0b7dff780ba

SHA1
8e6848b228ab481a1a3301b733c1c1dd6f7e821a

SHA256
dd9ad0cb00751040f1902328d032eb9ac258414bb67d668efa21b177f843bb27

SHA512
e1098cebac6a999ff1b3b79eb7b427afc30a58f9cc616a2790251510cdab06122ed8bcb503cde468c92df7c0b66edba873541c4a11e204363a4bb9a68ed1ee97

Download Submit
C:\Users\Admin\AppData\Local\Temp\r2dprnmi\r2dprnmi.0.vb

Filesize
2KB

MD5
37d46eb47345d4a552f60a135585fc8b

SHA1
1634ef5d3c0199abd71a6664b325e622f56b124b

SHA256
be816d9639966acd8cbd8f6c3a751bfa5386a4117abd4feb626408506f653ba4

SHA512
dfeea68ef5697f6523581216b832299a2c3d555c00c138564c323f1369f4c518e06f9d427729d49e581d02fbbfd728775a51c97722b48572f1c1f6c3205b50e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\r2dprnmi\r2dprnmi.cmdline

Filesize
273B

MD5
0f3cb068d2a9054e041f17a8aa67e6c3

SHA1
04a78c8079804762d718259ee61d8a7d58b3c1f3

SHA256
7814d9fc6ab4d8013f6040076699357d6bc79a6ced2495ce056906f219d02a2a

SHA512
c58a0bee65775fd40c30d5e1f49ec3764f09fd131949384dcea4544de02b612b9bd02f1738533ef62e6f3adad97bf1485e927038e2b65a1d420ddfef1133e3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E64.tmp.exe

Filesize
12KB

MD5
9d70fdfd414092471d4a0a5686ea2899

SHA1
51f448f74ff0fa6253298ef83965d69448a7577b

SHA256
7668f2a96261e2d8f806fc4ee2168d3a8ae9132ebba64d11962dc8c6d27598a9

SHA512
aaf3ece1c4794dc10471f4af2d73e83da378471cc0f7d3b286030cb818408390c565cf2077b60d702f4e5075f2c3bb7195d058cc3034de210d0e1d609552d9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC692E705D0DB494DB9B132C1ACE3ED8.TMP

Filesize
1KB

MD5
1a2df86e30d4e30d564a07166c6cbb53

SHA1
6e46e29f3d9015b24ff480d064bc0737f7ea8ad1

SHA256
2aa3d04392c2426973b8b9da2b5232dca7f49363ae72a6c6025d963b49ffde70

SHA512
03b90ce27dbc538ea9b85ebd171360ce5811a3c76cf856c36eb683e6a16b01c809331d5295030fb08a932e60dc5c0039d0977d58cee9cefc764ce6a75b7bb18c

Download Submit
memory/1684-24-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/1684-25-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/1684-27-0x0000000005A80000-0x0000000006024000-memory.dmp

Filesize
5.6MB

Download
memory/1684-28-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/1684-30-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/4160-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

Filesize
4KB

Download
memory/4160-8-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/4160-2-0x0000000005750000-0x00000000057EC000-memory.dmp

Filesize
624KB

Download
memory/4160-1-0x0000000000D70000-0x0000000000D7A000-memory.dmp

Filesize
40KB

Download
memory/4160-26-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing