Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 01:34
Static task: static1

Behavioral task: behavioral1
  Sample: 6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: 6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General

Target: 6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe
Size: 12KB
MD5: 6e8f4759faf934b3cc85b1e1517369e0
SHA1: 031296e8c3b1968e9e55740390068e66eacf7c48
SHA256: d4d4a937354eabc147fe88e8c7b27280363dc1935cd69b2bab2e9f128c2de391
SHA512: 15a4af2c0f0699cc6c32a6428128524f28d0d1e8c346bb7090c19685beb58b12f9b5563125e96321904255a6886cd50358e47fc1ae20926dc08dc94bb9fba865
SSDEEP: 384:dL7li/2zzq2DcEQvdQcJKLTp/NK9xajM:NXMCQ9cjM
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation  6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe

Deletes itself (1 IoCs)
Processes:
  pid   process
  2768  tmp349E.tmp.exe

Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  2768  tmp349E.tmp.exe

Uses the VBS compiler for execution (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  4692  6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       pid   process                                               target process
  PID 4692 wrote to memory of 5420  4692  6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe  vbc.exe
  PID 4692 wrote to memory of 5420  4692  6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe  vbc.exe
  PID 4692 wrote to memory of 5420  4692  6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe  vbc.exe
  PID 5420 wrote to memory of 5776  5420  vbc.exe                                               cvtres.exe
  PID 5420 wrote to memory of 5776  5420  vbc.exe                                               cvtres.exe
  PID 5420 wrote to memory of 5776  5420  vbc.exe                                               cvtres.exe
  PID 4692 wrote to memory of 2768  4692  6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe  tmp349E.tmp.exe
  PID 4692 wrote to memory of 2768  4692  6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe  tmp349E.tmp.exe
  PID 4692 wrote to memory of 2768  4692  6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe  tmp349E.tmp.exe
Processes

C:\Users\Admin\AppData\Local\Temp\6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe"
  Level: 1
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4692

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lyxagsca\lyxagsca.cmdline"
    Level: 2
    - Suspicious use of WriteProcessMemory
    PID: 5420

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3671.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9F43B50DF77446EB285E6D5E079A44A.TMP"
      Level: 3
      PID: 5776

  C:\Users\Admin\AppData\Local\Temp\tmp349E.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp349E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe
    Level: 2
    - Deletes itself
    - Executes dropped EXE
    PID: 2768
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 931d63bfa648786e564d5f6069808543
SHA1: f05ef281cf407c8c378e2ee449103c7427581c0b
SHA256: f37f4f32b97989428bd29d8eb7db7f915a6127acf3b0855c2a685067d2edc927
SHA512: 8d777ea0df1be72190835baf3bcba744a2f71e8c7ab390c0ae62767c5e0b2a5f80d30662943f0680b72f3e527173431c9435d5b5ecd77208bcf7c360c75bd404

Filesize: 1KB
MD5: 1c7195decdb02209f860a9d9b1ba29ad
SHA1: 127d5a14aed58c7c508d009ab0688d58c34c7dbb
SHA256: 04cf5dceb24b12323cc002075106fafe40482fe05a7e6441a506945be4872ee8
SHA512: 1159de2cde796bdd563ed8ff20cc561586013dde1bc728c8db932b391751e5f4543d1761b568d035bb9d59ce90d1d9536b964f8618150705ec63ff16d5f956a1

Filesize: 2KB
MD5: 45589f826c36a43eddaa7a0ef3a3cc1f
SHA1: 7a10bc2891017a0cdcf346d9347843dede2b4293
SHA256: 62e5011e12329aa98b884557ede74810243c6e44f078c23f99bff7510ed9b2e5
SHA512: 65a540453a1c86cd0808c4326cfbbc0d2993c51a90bd7f695c9e936c13102afc49d292e6095f695ad75c41202557012cb159a8ac3a934376b5310c5d6edb71e2

Filesize: 273B
MD5: fbaa9566f6633d31853297729d609db1
SHA1: 1c9a379f0ede0dd609e805deffb53dd8235d2b3b
SHA256: 8c3836719afde59e99c03590e5c1c1369cfee7023a755db78b9523e6b14c9c64
SHA512: e326749a836ba127efae5a733bf762145711632f8a7c4abd02a94f553dcf55e2939732ec7a9cfd50f03230c00334b79feac9f379baacc456ba16de36e4469d65

Filesize: 12KB
MD5: 3f671bcb5bd10c516ba8db23ccf332c0
SHA1: 28bd72d535328e4b2f565963f77796aa7f9fc2fb
SHA256: e3918e842e87ef34c82bce22eacd13135e7bbb8083a21fedd698d2c3f1497181
SHA512: d8931dc413b900b247d0531f125cae44ddcc1891870da52e9dafbcc27f6c084a622c47b16ef0d31a9c8e35491054ac7d344ee80db2befac81372a9f43eb3528b

Filesize: 1KB
MD5: b46e8b060a26d288c7f1a4a0ca62b47d
SHA1: 4863020542fa3b361c167eeab085d43a39e9ff18
SHA256: 5244d5f6a101038b8bcdad9a04de653cbe27542fe6864af66da8d55c647471e5
SHA512: 237dd1334d5348d43b088eea025b123c71d532fe37e494b9752644559c7e041e046f03c026a9703d482a3516f51669b4dd3729b965058d9782a820878bc993a9