445c757029444573228919e4480e0a2cf34f4186e5bb748b317be60649071919

General

Target

6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe
Size

12KB
MD5

6d6545af57f5f07a2686b9b0f254e9a0
SHA1

7e0fb59eaecfb2038bfec2cc3d306ed093a35f5d
SHA256

445c757029444573228919e4480e0a2cf34f4186e5bb748b317be60649071919
SHA512

595a15a5889ce4e461df6f5162612b808f65fdcb0db9a3d871150863bf8d80e9721b3065942bdae0b9697f5b48bdbeba2d301f9e06d9fd7148043c524c43db10
SSDEEP

384:jL7li/2zbq2DcEQvdhcJKLTp/NK9xa4K:nfM/Q9c4K

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmpE83E.tmp.exe

pid process

3848 tmpE83E.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpE83E.tmp.exe

pid process

3848 tmpE83E.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2512 6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe

pid	process
3848	tmpE83E.tmp.exe

pid	process
3848	tmpE83E.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2512	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2512 wrote to memory of 5024	2512	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe	vbc.exe
PID 2512 wrote to memory of 5024	2512	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe	vbc.exe
PID 2512 wrote to memory of 5024	2512	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe	vbc.exe
PID 5024 wrote to memory of 3652	5024	vbc.exe	cvtres.exe
PID 5024 wrote to memory of 3652	5024	vbc.exe	cvtres.exe
PID 5024 wrote to memory of 3652	5024	vbc.exe	cvtres.exe
PID 2512 wrote to memory of 3848	2512	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe	tmpE83E.tmp.exe
PID 2512 wrote to memory of 3848	2512	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe	tmpE83E.tmp.exe
PID 2512 wrote to memory of 3848	2512	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe	tmpE83E.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\roxg3hv2\roxg3hv2.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBD741DE36384D7C8CB9C1864B97B413.TMP"
3⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\tmpE83E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE83E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
6700082d85f536450fc24a216f995998

SHA1
1901974a2fc61c6ae410f7577edd4ad1e7a27504

SHA256
a8ae2f356604bfbaa549c52c2610a9face88eca8bce3a9ca384a324a5355e08f

SHA512
943867aae0ea84dd0dc1613004eb79dd9f8c77d07c76518984f729510b6ea24d59692cafed3b67f02384e08c2f77789fcfe010dfdd56501f59e0e3933358954a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF0E8.tmp

Filesize
1KB

MD5
358ec5200dc5ac77ba423d9e52ef9ba6

SHA1
19fb94534bdaaba1a32b72c2d3068b1d81219d03

SHA256
29b9527a889ad99a6d4a26f6d1fb3cd2f3324db821c10da1be2e9192fef40165

SHA512
24390fd0ad47cf9c6c5212662962162be20bedbb34c24a71e908793f551f1ffadca00668b4cffbc57d3673bd1544d53d2f23d4d53c7f14bfe9089233e5a1313e

Download Submit
C:\Users\Admin\AppData\Local\Temp\roxg3hv2\roxg3hv2.0.vb

Filesize
2KB

MD5
56d5203b9e505bf013d679a84a0da1bb

SHA1
470ba2c2318f5a444e9ba442448c446ff77cecff

SHA256
508b69f22250633d649ffcb7295cb69f64ddf2ba1e10fddfc4bad1308ca0e0a6

SHA512
0a1565e919562d90331606a12736f003bd738c1dba5108a98ef14e870585573d8d196457625ab6c688183b7439648fbf692addc566cfdabbd49c4202b2bce46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\roxg3hv2\roxg3hv2.cmdline

Filesize
273B

MD5
5f5739ff42adce386a94b32d35c8ca60

SHA1
dc2b14beda21c410919f67fd948f7f56d9b5ef9c

SHA256
cce74f5c151e55751aa00ea5eaf7a7bed03ce226357d89821530b18021829a85

SHA512
e522d846444febd5831e537579cfb8d610d7104601f29e46b8df18c6c6b1cfb7ffdbd4fa8ee49affd85b7b592f2acf3d31f3d70cadd5af63e0ccd8c906b77e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE83E.tmp.exe

Filesize
12KB

MD5
e399671cab276f58b22378d6c61a7d52

SHA1
ff4851fdfc89f33b1e160c80a001afbad3d851ec

SHA256
e9c61ea5516597b12861151afa3a2d2391e41aff5d4af89dfe13d5e7dffe9892

SHA512
bf12ec068152c1b9661af23815b565a6ede0927e71e88467c7a27f93aac320e639234653f714a15377dc970a65a44ad67ef645914afdd88c369bc28aad9c126f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBD741DE36384D7C8CB9C1864B97B413.TMP

Filesize
1KB

MD5
c9a1f67c4066a2a73c6e607fbca6aabc

SHA1
87239692b9577626946e7046e80e6d5020088ebb

SHA256
cb7e20d87b1258479986da4b00987ed07ab89fa8b20b9e4e328c9cca93682d4d

SHA512
44027f321063a32197522a30658726d171153302f80d77bf599732c683686c76c4dfdc4513c717fcae3ed2df51939e195fa76343ce03dc9ee1e2209e432fcc5c

Download Submit
memory/2512-0-0x000000007451E000-0x000000007451F000-memory.dmp

Filesize
4KB

Download
memory/2512-7-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/2512-2-0x0000000005270000-0x000000000530C000-memory.dmp

Filesize
624KB

Download
memory/2512-1-0x00000000008D0000-0x00000000008DA000-memory.dmp

Filesize
40KB

Download
memory/2512-24-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/3848-26-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/3848-25-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/3848-27-0x00000000057C0000-0x0000000005D64000-memory.dmp

Filesize
5.6MB

Download
memory/3848-28-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/3848-30-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing