d4d4a937354eabc147fe88e8c7b27280363dc1935cd69b2bab2e9f128c2de391

General

Target

6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe
Size

12KB
MD5

6e8f4759faf934b3cc85b1e1517369e0
SHA1

031296e8c3b1968e9e55740390068e66eacf7c48
SHA256

d4d4a937354eabc147fe88e8c7b27280363dc1935cd69b2bab2e9f128c2de391
SHA512

15a4af2c0f0699cc6c32a6428128524f28d0d1e8c346bb7090c19685beb58b12f9b5563125e96321904255a6886cd50358e47fc1ae20926dc08dc94bb9fba865
SSDEEP

384:dL7li/2zzq2DcEQvdQcJKLTp/NK9xajM:NXMCQ9cjM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp349E.tmp.exe

pid process

2768 tmp349E.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp349E.tmp.exe

pid process

2768 tmp349E.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 4692 6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe

pid	process
2768	tmp349E.tmp.exe

pid	process
2768	tmp349E.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4692	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 4692 wrote to memory of 5420	4692	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe	vbc.exe
PID 4692 wrote to memory of 5420	4692	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe	vbc.exe
PID 4692 wrote to memory of 5420	4692	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe	vbc.exe
PID 5420 wrote to memory of 5776	5420	vbc.exe	cvtres.exe
PID 5420 wrote to memory of 5776	5420	vbc.exe	cvtres.exe
PID 5420 wrote to memory of 5776	5420	vbc.exe	cvtres.exe
PID 4692 wrote to memory of 2768	4692	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe	tmp349E.tmp.exe
PID 4692 wrote to memory of 2768	4692	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe	tmp349E.tmp.exe
PID 4692 wrote to memory of 2768	4692	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe	tmp349E.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lyxagsca\lyxagsca.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:5420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3671.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9F43B50DF77446EB285E6D5E079A44A.TMP"
3⤵
PID:5776

C:\Users\Admin\AppData\Local\Temp\tmp349E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp349E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
931d63bfa648786e564d5f6069808543

SHA1
f05ef281cf407c8c378e2ee449103c7427581c0b

SHA256
f37f4f32b97989428bd29d8eb7db7f915a6127acf3b0855c2a685067d2edc927

SHA512
8d777ea0df1be72190835baf3bcba744a2f71e8c7ab390c0ae62767c5e0b2a5f80d30662943f0680b72f3e527173431c9435d5b5ecd77208bcf7c360c75bd404

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3671.tmp

Filesize
1KB

MD5
1c7195decdb02209f860a9d9b1ba29ad

SHA1
127d5a14aed58c7c508d009ab0688d58c34c7dbb

SHA256
04cf5dceb24b12323cc002075106fafe40482fe05a7e6441a506945be4872ee8

SHA512
1159de2cde796bdd563ed8ff20cc561586013dde1bc728c8db932b391751e5f4543d1761b568d035bb9d59ce90d1d9536b964f8618150705ec63ff16d5f956a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyxagsca\lyxagsca.0.vb

Filesize
2KB

MD5
45589f826c36a43eddaa7a0ef3a3cc1f

SHA1
7a10bc2891017a0cdcf346d9347843dede2b4293

SHA256
62e5011e12329aa98b884557ede74810243c6e44f078c23f99bff7510ed9b2e5

SHA512
65a540453a1c86cd0808c4326cfbbc0d2993c51a90bd7f695c9e936c13102afc49d292e6095f695ad75c41202557012cb159a8ac3a934376b5310c5d6edb71e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyxagsca\lyxagsca.cmdline

Filesize
273B

MD5
fbaa9566f6633d31853297729d609db1

SHA1
1c9a379f0ede0dd609e805deffb53dd8235d2b3b

SHA256
8c3836719afde59e99c03590e5c1c1369cfee7023a755db78b9523e6b14c9c64

SHA512
e326749a836ba127efae5a733bf762145711632f8a7c4abd02a94f553dcf55e2939732ec7a9cfd50f03230c00334b79feac9f379baacc456ba16de36e4469d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp349E.tmp.exe

Filesize
12KB

MD5
3f671bcb5bd10c516ba8db23ccf332c0

SHA1
28bd72d535328e4b2f565963f77796aa7f9fc2fb

SHA256
e3918e842e87ef34c82bce22eacd13135e7bbb8083a21fedd698d2c3f1497181

SHA512
d8931dc413b900b247d0531f125cae44ddcc1891870da52e9dafbcc27f6c084a622c47b16ef0d31a9c8e35491054ac7d344ee80db2befac81372a9f43eb3528b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE9F43B50DF77446EB285E6D5E079A44A.TMP

Filesize
1KB

MD5
b46e8b060a26d288c7f1a4a0ca62b47d

SHA1
4863020542fa3b361c167eeab085d43a39e9ff18

SHA256
5244d5f6a101038b8bcdad9a04de653cbe27542fe6864af66da8d55c647471e5

SHA512
237dd1334d5348d43b088eea025b123c71d532fe37e494b9752644559c7e041e046f03c026a9703d482a3516f51669b4dd3729b965058d9782a820878bc993a9

Download Submit
memory/2768-26-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-25-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download
memory/2768-27-0x0000000005670000-0x0000000005C14000-memory.dmp

Filesize
5.6MB

Download
memory/2768-28-0x0000000005160000-0x00000000051F2000-memory.dmp

Filesize
584KB

Download
memory/2768-30-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/4692-0-0x000000007502E000-0x000000007502F000-memory.dmp

Filesize
4KB

Download
memory/4692-8-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/4692-2-0x0000000004950000-0x00000000049EC000-memory.dmp

Filesize
624KB

Download
memory/4692-1-0x00000000000A0000-0x00000000000AA000-memory.dmp

Filesize
40KB

Download
memory/4692-24-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing