1b2cefb9913e7c51ebaa1c3dfc9aca2e362dfc50e46d04e126e836abc6225584

General

Target

693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe
Size

1.1MB
MD5

693a0508dd80a30be872f91508243a40
SHA1

35ae2793611c09bc48fefbca4c823222f6823430
SHA256

1b2cefb9913e7c51ebaa1c3dfc9aca2e362dfc50e46d04e126e836abc6225584
SHA512

4478b035bb5338c65c606b747cb8afd3c052d57068e8bb3008a3891af7b6e4f8c918c285f1358472be6f2353ee846eb53e929033af5baf24c23781df514b10b4
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QT:CcaClSFlG4ZM7QzMk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe693a0508dd80a30be872f91508243a40_NeikiAnalytics.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

4448 svchcst.exe
Executes dropped EXE 2 IoCs

Processes:

svchcst.exesvchcst.exe

pid process

3804 svchcst.exe
4448 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4448	svchcst.exe

pid	process
3804	svchcst.exe
4448	svchcst.exe

Modifies registry class 3 IoCs

Processes:

693a0508dd80a30be872f91508243a40_NeikiAnalytics.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

693a0508dd80a30be872f91508243a40_NeikiAnalytics.exesvchcst.exe

pid	process
3608	693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe
3608	693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe
3608	693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe
3608	693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe
4448	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe

pid process

3608 693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

693a0508dd80a30be872f91508243a40_NeikiAnalytics.exesvchcst.exesvchcst.exe

pid	process
3608	693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe
3608	693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe
4448	svchcst.exe
4448	svchcst.exe
3804	svchcst.exe
3804	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

693a0508dd80a30be872f91508243a40_NeikiAnalytics.exeWScript.exeWScript.exe

description	pid	process	target process
PID 3608 wrote to memory of 1468	3608	693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe	WScript.exe
PID 3608 wrote to memory of 1468	3608	693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe	WScript.exe
PID 3608 wrote to memory of 1468	3608	693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe	WScript.exe
PID 3608 wrote to memory of 880	3608	693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe	WScript.exe
PID 3608 wrote to memory of 880	3608	693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe	WScript.exe
PID 3608 wrote to memory of 880	3608	693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe	WScript.exe
PID 1468 wrote to memory of 3804	1468	WScript.exe	svchcst.exe
PID 1468 wrote to memory of 3804	1468	WScript.exe	svchcst.exe
PID 1468 wrote to memory of 3804	1468	WScript.exe	svchcst.exe
PID 880 wrote to memory of 4448	880	WScript.exe	svchcst.exe
PID 880 wrote to memory of 4448	880	WScript.exe	svchcst.exe
PID 880 wrote to memory of 4448	880	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\693a0508dd80a30be872f91508243a40_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3804

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
736B

MD5
74fd92348c3749cd7e980fac64c7ab0a

SHA1
235aed96c300072339fe6e3829e8e345655089df

SHA256
a3ce730aae9f7c512f1f42a1cabeaefac32cdc4fc8a6453a83aedae58ba4bf6f

SHA512
95cd91e887c091cb162833a34baf7999c5b9e1d4c7ef35e5d62b6dc5bb219592219f89915ea6f2c8b7a3d3da09c07c3dad59627ac12fc82873aaf5b4bd3035ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d12f897547f5baa1271a52af188f71e0

SHA1
9ee7da8e7c16e9fd2e56beffa3f286544d7d428f

SHA256
30688ff36cb11b88bd98a6d9324cb478d7b767cdcecc52ca075a6518e76b4135

SHA512
389fe6dd25b7033fc2ec6a957dce2a3e5bfbabd8f138e9260eb2b2baa708e59e8382a5417bcfd2c36d25212cf908d207ee2d7d329abdb4c4f1999f88d28b048e

Download Submit
memory/3608-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads