93e5a119dc68e8f939198a6204773d6ae53c131aabc3fe5fdc5aa4976187b760

General

Target

6bd7d845dad11b129610cecb95363420_NeikiAnalytics.exe
Size

12KB
MD5

6bd7d845dad11b129610cecb95363420
SHA1

c55817f8e4e0829a069b39e34e4be53f4bfc7867
SHA256

93e5a119dc68e8f939198a6204773d6ae53c131aabc3fe5fdc5aa4976187b760
SHA512

e3753e45aa6e1b53b60f4156b358e7e60b7ce96ffb847a856ce24e783d053f03928391cdbb7bbc8d0f64c4b0982b3043b813767401fbadbb1f2fb249b56c24e9
SSDEEP

384:AL7li/2z1q2DcEQvdhcJKLTp/NK9xaC/:eNM/Q9cC/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6bd7d845dad11b129610cecb95363420_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	6bd7d845dad11b129610cecb95363420_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp54D8.tmp.exe

pid process

3104 tmp54D8.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp54D8.tmp.exe

pid process

3104 tmp54D8.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6bd7d845dad11b129610cecb95363420_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 228 6bd7d845dad11b129610cecb95363420_NeikiAnalytics.exe

pid	process
3104	tmp54D8.tmp.exe

pid	process
3104	tmp54D8.tmp.exe

description	pid	process
Token: SeDebugPrivilege	228	6bd7d845dad11b129610cecb95363420_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6bd7d845dad11b129610cecb95363420_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 228 wrote to memory of 2616	228	6bd7d845dad11b129610cecb95363420_NeikiAnalytics.exe	vbc.exe
PID 228 wrote to memory of 2616	228	6bd7d845dad11b129610cecb95363420_NeikiAnalytics.exe	vbc.exe
PID 228 wrote to memory of 2616	228	6bd7d845dad11b129610cecb95363420_NeikiAnalytics.exe	vbc.exe
PID 2616 wrote to memory of 4484	2616	vbc.exe	cvtres.exe
PID 2616 wrote to memory of 4484	2616	vbc.exe	cvtres.exe
PID 2616 wrote to memory of 4484	2616	vbc.exe	cvtres.exe
PID 228 wrote to memory of 3104	228	6bd7d845dad11b129610cecb95363420_NeikiAnalytics.exe	tmp54D8.tmp.exe
PID 228 wrote to memory of 3104	228	6bd7d845dad11b129610cecb95363420_NeikiAnalytics.exe	tmp54D8.tmp.exe
PID 228 wrote to memory of 3104	228	6bd7d845dad11b129610cecb95363420_NeikiAnalytics.exe	tmp54D8.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6bd7d845dad11b129610cecb95363420_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6bd7d845dad11b129610cecb95363420_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p40mzjop\p40mzjop.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A92A53F7D154D499CB764311BBC5E4C.TMP"
3⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\tmp54D8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp54D8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6bd7d845dad11b129610cecb95363420_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:3104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
60b42b520a2c05a0c0940edb4780e587

SHA1
b091652a3b2a5bc43c4db1011f88b7b6a2084d3f

SHA256
bf0ec6cf168db8a507176694efbc91da31cf8b07b0171fa0e0dc9fda8b43f163

SHA512
53f94c6a878be9b0d617adb74e0de52278bf8f396b319f38aee28606ac532ffced155a37fffa6fe4c256e354a4bdfc333f46d0f744e1d6b4e66d9aea721141f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES56AB.tmp
Filesize
1KB

MD5
fb89b5797158139c9c6a5b40c6205cff

SHA1
4fc4083620e89710ceb0b51df08b9da60f2b32a3

SHA256
ba2ce8307cc841a852d8dfe32d7f29022601d346397597887ba60f24ed9d5a8d

SHA512
9b6b5e95617234d2d04094f4e8c0215d1a4c93c4b6e5751dbbf04f2e8b08d914a76e6e145df4307672ecbe7755581afe646a9433991289c6371fd48e1c5f6904

Download Submit
C:\Users\Admin\AppData\Local\Temp\p40mzjop\p40mzjop.0.vb
Filesize
2KB

MD5
f6fe35b0a2db4b05d15cac4836117eae

SHA1
02a712472d8dcbe24cb3cc97b68150449fefec89

SHA256
16f2f4c14e82a19208389061dd711985b72c9133dba5231cce5cda0191946e74

SHA512
fbf327ce55e07cc197bf249c23fd60ef5d17c8b9793489b2c70d652caec726c11cb2e2b7967e7394a26107898e0ad8d305761c372f1bb24e5bdbe9c84bb8a1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\p40mzjop\p40mzjop.cmdline
Filesize
273B

MD5
ec510a9acac83c961897c3336716bd93

SHA1
c28bb5199ec7f64da5ee82c26253169c09de1d36

SHA256
8b52a0e246edbf0e31167aa286d03339a62e73d2ff02a3d9b44e8d0b835dabd0

SHA512
9197d996621884fc271091b26045e0f37d4c9c4ac8b5a00253313ba3a00f96b117d829a01304a0a46be5102acecf4c53e1d092411371719f661d5b75c555bb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp54D8.tmp.exe
Filesize
12KB

MD5
2509483e3c4daee4d677e517fe462e2b

SHA1
f0b509c56b7e31dc75f5da249a7c70964fdbb6d2

SHA256
d48f5d0af690f15f397a716fd2223921888e0fcda0a9d79f0a23d2bb62244466

SHA512
c70514f95bac9b16aecda5883faadc8b6b9d8d76a555ecda8ce98c917ba92f4fa771bff10d803aaa09746af26f8d4814b69f9786dae302e9103e7c8e2cd2c8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2A92A53F7D154D499CB764311BBC5E4C.TMP
Filesize
1KB

MD5
a42a4a08f123e00cf8cfecd9bba2d6e4

SHA1
e231aca1cef9ef72ffbdd52ad4c33b63e282af1b

SHA256
053252e4a052756cad23dadbc3600cd7b82de64419f726931a228d49f2892a72

SHA512
5ac906a26ecbf1d6bf6a1e544b9c9efe346425e2d95fee35cccde30e5e78de925ed26434ee65758b0760eba34c0fa61322b68435ccde2753208895f0856b9302

Download Submit
memory/228-0-0x000000007488E000-0x000000007488F000-memory.dmp

Filesize
4KB

Download
memory/228-8-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/228-2-0x0000000005270000-0x000000000530C000-memory.dmp

Filesize
624KB

Download
memory/228-1-0x00000000008C0000-0x00000000008CA000-memory.dmp

Filesize
40KB

Download
memory/228-24-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/3104-26-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/3104-25-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/3104-27-0x0000000005300000-0x00000000058A4000-memory.dmp

Filesize
5.6MB

Download
memory/3104-28-0x0000000004DF0000-0x0000000004E82000-memory.dmp

Filesize
584KB

Download
memory/3104-30-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing