5e14a9250351a9c93df1f7f80f305a029cbabafaaf0a119f4a7bcd2e75fcd2b6

General

Target

6cf708817892612db26859889051aba0_NeikiAnalytics.exe
Size

12KB
MD5

6cf708817892612db26859889051aba0
SHA1

632409296ca72b721ce1a3aa3c50a5846262f88c
SHA256

5e14a9250351a9c93df1f7f80f305a029cbabafaaf0a119f4a7bcd2e75fcd2b6
SHA512

77932f931cd8f377ab8d52287d8db5427e48d2240f8232c4f27967599208337eac8548a4cb761a449577e5213177183caeb33ec24e2b505a318ded185758e0a8
SSDEEP

384:eL7li/2zhq2DcEQvd2cJKLTp/NK9xa1M:IxM8Q9c1M

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6cf708817892612db26859889051aba0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	6cf708817892612db26859889051aba0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp3FE8.tmp.exe

pid process

3792 tmp3FE8.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp3FE8.tmp.exe

pid process

3792 tmp3FE8.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6cf708817892612db26859889051aba0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 716 6cf708817892612db26859889051aba0_NeikiAnalytics.exe

pid	process
3792	tmp3FE8.tmp.exe

pid	process
3792	tmp3FE8.tmp.exe

description	pid	process
Token: SeDebugPrivilege	716	6cf708817892612db26859889051aba0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6cf708817892612db26859889051aba0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 716 wrote to memory of 980	716	6cf708817892612db26859889051aba0_NeikiAnalytics.exe	vbc.exe
PID 716 wrote to memory of 980	716	6cf708817892612db26859889051aba0_NeikiAnalytics.exe	vbc.exe
PID 716 wrote to memory of 980	716	6cf708817892612db26859889051aba0_NeikiAnalytics.exe	vbc.exe
PID 980 wrote to memory of 4760	980	vbc.exe	cvtres.exe
PID 980 wrote to memory of 4760	980	vbc.exe	cvtres.exe
PID 980 wrote to memory of 4760	980	vbc.exe	cvtres.exe
PID 716 wrote to memory of 3792	716	6cf708817892612db26859889051aba0_NeikiAnalytics.exe	tmp3FE8.tmp.exe
PID 716 wrote to memory of 3792	716	6cf708817892612db26859889051aba0_NeikiAnalytics.exe	tmp3FE8.tmp.exe
PID 716 wrote to memory of 3792	716	6cf708817892612db26859889051aba0_NeikiAnalytics.exe	tmp3FE8.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6cf708817892612db26859889051aba0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6cf708817892612db26859889051aba0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y5qjw32n\y5qjw32n.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES415E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98051EF93F3F46FE9380A7805CAADC49.TMP"
3⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\tmp3FE8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3FE8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6cf708817892612db26859889051aba0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ae366dc840608dc87ce5276129a7a937

SHA1
fcbe5eab7c7bf3aa203902697ad45b7d20671c9d

SHA256
44267fe97b4ad2190018f8cff90d21eedabf9eb8a2d1101f56c5d60781e02877

SHA512
20d6d0beec03ff85d4fad8704ee27fa1f880c853edfc75c99a126bda6c0cde6e5cbb4c3bfa850c4194fbb0946be04617f5694547e4ea9a883649b00a5940b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES415E.tmp

Filesize
1KB

MD5
ae07972fd1bac8ba2b650959a0f12516

SHA1
bc2007e34dd8a0e5ff0bcc85fec3cfc63be92eac

SHA256
175a5a607f1e06091727debc3ec0067ef230767a8a3ff26fdf6069687f1674f9

SHA512
6d6485184aa44fac0dd5c38a1ee6b68a80f3ae0902bd1e95ce5484f3f7fe98e83a7f56921004e8e8b7eb29f666c0d171816d3f265ebdd88bd0d4d0e8e10012b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3FE8.tmp.exe

Filesize
12KB

MD5
114991a7e524cbd94bee009443a561c9

SHA1
42caeef045dc3ac3f2204315204ada21eb890510

SHA256
f639eb7ca006358824c0c0c8761962438e2fd17f66de02d2e15bef9394e269fc

SHA512
84e7b83722958ae6cf0ec813a26128f7360cdcfd0ac0db90bad717570913fe588bc68e9ac6ff324b53c5cd9b717d071578fa0bd24936c3b275a7e724e10d62c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc98051EF93F3F46FE9380A7805CAADC49.TMP

Filesize
1KB

MD5
d94a7d1c46c3b89459b36f15fec7cca8

SHA1
45949e083119d5cfd22e745aa02cbde1fff4a593

SHA256
5ebbc449835e1cc014d9fe0b8a2d39de9a05f2b6c8be8453cc5bd12f890d4e76

SHA512
e7f44966f079a2a5a29d7a517f564be2a809f86422be5639fa39ff1deaa299e0d74844d9e8c3f13c5c5e263c2a141e2ae3479cefbe8a1f028eca8e4f79191a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\y5qjw32n\y5qjw32n.0.vb

Filesize
2KB

MD5
f687b4a2c6ff909be059bcb5c8479aaa

SHA1
94e2e52abd23b975d9aac8aa08e5ee2ddf455543

SHA256
041cdf972e05bf4d0c382ddd9e1ecbf2ef16089a1799459d10547e738e73af98

SHA512
0267e421c0e91cf1d27c30c4039a13906295fd4f335a4984eba1fd892e384819e74511c0adbcc30382ef1d11c162ae5fd867b9b6e3f7c2dea549c2c2459e882b

Download Submit
C:\Users\Admin\AppData\Local\Temp\y5qjw32n\y5qjw32n.cmdline

Filesize
273B

MD5
72e959aa1404aa4b9d3700e4d6194e6c

SHA1
3553263a1c1e222cfaa61fa24c157dab3936a4f8

SHA256
8fd66fb7305c991d23bf7df43e8f66ffdc27bc26f65e3306d7e593e191d26bf8

SHA512
11355078b61b2860bd1cd6a7c5a6b9ade13eb5d59abc9168ee8fdb898acc89ae0644bd33b62d5063c18a7e1b37bf58ceee3a00646411542a038a1a84ff3b7c53

Download Submit
memory/716-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

Filesize
4KB

Download
memory/716-8-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/716-2-0x0000000005360000-0x00000000053FC000-memory.dmp

Filesize
624KB

Download
memory/716-1-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/716-24-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/3792-25-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/3792-26-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/3792-27-0x00000000053C0000-0x0000000005964000-memory.dmp

Filesize
5.6MB

Download
memory/3792-28-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/3792-30-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing