145f07de17b1ee2231fba06186afffdea33347b0fc4290723914ee65201cfcdc

General

Target

6bfc5a6f8a8c59072368a1c1be0300a0_NeikiAnalytics.exe
Size

12KB
MD5

6bfc5a6f8a8c59072368a1c1be0300a0
SHA1

fdfdbbc5b544235db3f3e8c87aae0b97287a59e2
SHA256

145f07de17b1ee2231fba06186afffdea33347b0fc4290723914ee65201cfcdc
SHA512

70ca291d7983ad3c4419b046896098335e325010b5bacc9881e13fc94c911dba8281e2ca39e102810294d0bfaa88de68f7b9fc5c51ad7176376b27a7e74e0dc0
SSDEEP

384:3L7li/2z0q2DcEQvdQcJKLTp/NK9xawY:7AMCQ9cwY

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6bfc5a6f8a8c59072368a1c1be0300a0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	6bfc5a6f8a8c59072368a1c1be0300a0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp52D4.tmp.exe

pid process

4168 tmp52D4.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp52D4.tmp.exe

pid process

4168 tmp52D4.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6bfc5a6f8a8c59072368a1c1be0300a0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 4780 6bfc5a6f8a8c59072368a1c1be0300a0_NeikiAnalytics.exe

pid	process
4168	tmp52D4.tmp.exe

pid	process
4168	tmp52D4.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4780	6bfc5a6f8a8c59072368a1c1be0300a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6bfc5a6f8a8c59072368a1c1be0300a0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 4780 wrote to memory of 3692	4780	6bfc5a6f8a8c59072368a1c1be0300a0_NeikiAnalytics.exe	vbc.exe
PID 4780 wrote to memory of 3692	4780	6bfc5a6f8a8c59072368a1c1be0300a0_NeikiAnalytics.exe	vbc.exe
PID 4780 wrote to memory of 3692	4780	6bfc5a6f8a8c59072368a1c1be0300a0_NeikiAnalytics.exe	vbc.exe
PID 3692 wrote to memory of 4812	3692	vbc.exe	cvtres.exe
PID 3692 wrote to memory of 4812	3692	vbc.exe	cvtres.exe
PID 3692 wrote to memory of 4812	3692	vbc.exe	cvtres.exe
PID 4780 wrote to memory of 4168	4780	6bfc5a6f8a8c59072368a1c1be0300a0_NeikiAnalytics.exe	tmp52D4.tmp.exe
PID 4780 wrote to memory of 4168	4780	6bfc5a6f8a8c59072368a1c1be0300a0_NeikiAnalytics.exe	tmp52D4.tmp.exe
PID 4780 wrote to memory of 4168	4780	6bfc5a6f8a8c59072368a1c1be0300a0_NeikiAnalytics.exe	tmp52D4.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6bfc5a6f8a8c59072368a1c1be0300a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6bfc5a6f8a8c59072368a1c1be0300a0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k3hjwqnn\k3hjwqnn.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc45C538419F8041C79FFDCF16C5422BF.TMP"
3⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\tmp52D4.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp52D4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6bfc5a6f8a8c59072368a1c1be0300a0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f19f5ce9c87c70da42142ed0b679042b

SHA1
e45cc034e49bad4d5ab4c224136f91bd4e7e68f9

SHA256
f52ca886b0683401e9e64c379f0a951c615ed5feedecc7f92088b7d5e08cc139

SHA512
5e87d087a4d1c8591107c58d93d47ec79d3221622ca48011204259c020f1b08d61e799014f87f7cc218d0b5fd9cb5128da93d04ddd3f3c7d04ad9c695a743a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES54F6.tmp

Filesize
1KB

MD5
b631f79a65b14f808c6f7a75a4b8313f

SHA1
6ade9b98a8f47fd8cb89a023e1f700571aee1c9e

SHA256
9f557e108c75b11c2a9f49f6ebd6fa6c11fe28aefddaedb66e4ce71ec29f3d58

SHA512
c280c94ca01827a7bd5c12bb452ce669f4795fceef656b628c849ede136e6978ce6dc95d63bef6bc4b70fe535ddaa4cfef523f7a2bdde6e4ee5726f1360a9b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\k3hjwqnn\k3hjwqnn.0.vb

Filesize
2KB

MD5
14cf0578bdd5ab16e00aa9431b9c6145

SHA1
aaf1a6a727cbece21ea6c278a76c06d9ec74a769

SHA256
2fa3f44b89dfa38717126180b73ae6a75cfd001b21dfb4b4e68caa0a366823ba

SHA512
6e639029e304ca696c5c168b8c770b1b2477b0b36f40925c01b8c2e91f6ccbd22ae0c412364f46a2c41b6f5cd9cf559732a695f188a1dfb3a6b358946dc4cc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\k3hjwqnn\k3hjwqnn.cmdline

Filesize
273B

MD5
5bd2f1843c32c78392d1ae3414cf404e

SHA1
0f17acac555b49957819e388dae95b82e5537ee0

SHA256
17050b5d3645aa770ca42dbbe8bbc8a29436558c1dd361fec175248c3b3ee4d5

SHA512
50b444f0119e027a97a79eab40b6543f83f2dee62af0060cd40b05e1b274da29a0cdc2b7100a6355c054647ec0c0b676a2472627122dc19ec5911bc6e7ff0c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp52D4.tmp.exe

Filesize
12KB

MD5
218f49f846e7c04173939c7c12687572

SHA1
95e97d235f46d5b33cef1743a2e59944c2a713fe

SHA256
64dc6672d5df817bb617e49bc3e74d56f0cf01573a789118e0bf975b77b9f867

SHA512
082a43643ac511e0ce4496dde1575ad742c75d54a5889522bf52304be1ecc9522e0934865d33f58a6fefbad0da760b59bb8d20c0ade9624d73094c1ed8b43575

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc45C538419F8041C79FFDCF16C5422BF.TMP

Filesize
1KB

MD5
bcc4be4bb5351a8cfd0187248dd032ad

SHA1
87533ac3392fd18a203b863a621e4f4b97d6e966

SHA256
2d40ef81eb1b0df888603c613520ed3cff9d73f375cf02f5b8176ae1801ce8e7

SHA512
2b2974d47fffdbb8bea673a8faed9c9b12409351732ad1a753d3f015c303d0f4735d7ef9da22a7e846d4a75b0318b00d27e62f7c923206dbfefac7922dcaecc1

Download Submit
memory/4168-25-0x0000000000860000-0x000000000086A000-memory.dmp

Filesize
40KB

Download
memory/4168-26-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/4168-27-0x0000000005700000-0x0000000005CA4000-memory.dmp

Filesize
5.6MB

Download
memory/4168-28-0x00000000051F0000-0x0000000005282000-memory.dmp

Filesize
584KB

Download
memory/4168-30-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/4780-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/4780-8-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/4780-2-0x0000000005680000-0x000000000571C000-memory.dmp

Filesize
624KB

Download
memory/4780-1-0x0000000000C80000-0x0000000000C8A000-memory.dmp

Filesize
40KB

Download
memory/4780-24-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing