5e141b740cf20bd0c59ba1eb4e60e1c6e2158ad5a733f234fb725910854535b9

General

Target

76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe
Size

12KB
MD5

76038c3520272b84b6146eb5079ad240
SHA1

24346cda359af03ae6073c5990a892d57e1c815c
SHA256

5e141b740cf20bd0c59ba1eb4e60e1c6e2158ad5a733f234fb725910854535b9
SHA512

9a31a689abcc77a75feab573e5b6a9b2dd7801ba83ce8d756dbe03632dd142cb71ca64a80f0a0f2400e88a88822c1dd338a889e705640ee5cad5e3d1860d6d6e
SSDEEP

384:PL7li/2zZq2DcEQvdQcJKLTp/NK9xa6+:jxMCQ9c6+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp7291.tmp.exe

pid process

4028 tmp7291.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp7291.tmp.exe

pid process

4028 tmp7291.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 4012 76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe

pid	process
4028	tmp7291.tmp.exe

pid	process
4028	tmp7291.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4012	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 4012 wrote to memory of 4956	4012	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe	vbc.exe
PID 4012 wrote to memory of 4956	4012	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe	vbc.exe
PID 4012 wrote to memory of 4956	4012	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe	vbc.exe
PID 4956 wrote to memory of 1472	4956	vbc.exe	cvtres.exe
PID 4956 wrote to memory of 1472	4956	vbc.exe	cvtres.exe
PID 4956 wrote to memory of 1472	4956	vbc.exe	cvtres.exe
PID 4012 wrote to memory of 4028	4012	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe	tmp7291.tmp.exe
PID 4012 wrote to memory of 4028	4012	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe	tmp7291.tmp.exe
PID 4012 wrote to memory of 4028	4012	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe	tmp7291.tmp.exe

C:\Users\Admin\AppData\Local\Temp\76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cjr0swbt\cjr0swbt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7474.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc28D9F482F39D46D881D690B1CB45A440.TMP"
    3⤵
    PID:1472
- C:\Users\Admin\AppData\Local\Temp\tmp7291.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7291.tmp.exe" C:\Users\Admin\AppData\Local\Temp\76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f08acae78665b711dcdc50b2da7a3305

SHA1
3e30481009eb6539501bdfbcb5d416372d7d1eb3

SHA256
7d959bc099219fb79563b10e2dc49336552c4cc2c67fb09c4eb1d32158d79d08

SHA512
151081387a0e496494390712f863bed0c12a8afd921f2ec72be1ade3bd7e6c10f3c0ba376cde952ca52c5f3f81cbd019ef00ea0e45e26166fad78968a0350dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7474.tmp

Filesize
1KB

MD5
a2828b7c318d096622a51049b05287a5

SHA1
dd4b9042b9b8d223a0110f6dbf3154eaa184a4e7

SHA256
e87e8bd99b84f2205916145ceaa7892e27e4ce737be276d05bbc2e88a036aa92

SHA512
d1cdb54f1066a45f21b5594b3017356034d2d5f0c6ada44103a1b2bd805f4bdd641e0377033ad9fead0cbd2c906335d4c1f7ea9d67fdbfa1a31c328bc5689673

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjr0swbt\cjr0swbt.0.vb

Filesize
2KB

MD5
9b52f47c3913178bf247b1d2f35cb902

SHA1
ac3ba6e6a78acf8496d2a769c7a0dc8fef90b0b0

SHA256
6cd208a9cf880969cb1914ab44891882ce14ca901cccbe8ce24fca2a9ea3c4ea

SHA512
92804c018b45e9cfad05ce3493cc058c72ef022cc16105bef7d95d5748c6c45f72e181465de96ecdf326a247f1766189de4307a1250ae060377fc98293180846

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjr0swbt\cjr0swbt.cmdline

Filesize
273B

MD5
cf28476106ae9654bb2973924f2db8ee

SHA1
007c8d4c17d422b76be3a7f63c473f84814e09f7

SHA256
af87557ff84dff343edc8624e415458d8a74f83602c565e5b0b5ee07b0228c93

SHA512
ffef885206bd194b502525b1a3ab5b1ddcac27a5a3378a339009e126fb6ca4e4986e1a3585001c4bab410ccf50c75b51b83629cc62feae6b160458b493846607

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7291.tmp.exe

Filesize
12KB

MD5
504162ace2e47c99ce387ba123ab0cb0

SHA1
42c18c446a3ac1f9b01b7b7b17fdb81ecedfadb9

SHA256
82922f55f756c1727500c3cdd05f96bc4abc2bb2443ff46462175ea49ad2b4fa

SHA512
2689e60c89e7be80cb68e0fb1a2cb537e0d90acd47effbb8786d9141309581f460afcab0e62f9b32deee009e6912a2bdc0b8ae65a69752de7538fbd5a38a280f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc28D9F482F39D46D881D690B1CB45A440.TMP

Filesize
1KB

MD5
1bcf1a6613b901cd0b5421ac58502ace

SHA1
ef7545210cf4c24392e259f1399fac1d05bc466a

SHA256
32e8e0e0d83855b1ed08cfeb05ce9e87cf59411b5065d7d027c2707785ac3c42

SHA512
7e6b90744920157a47ac85d80894ae8c3c35b867e687aa7def823fe4b0f960ac6039f6dfcbe151e8ee160518f19150c5a8924ff687db28458e2ef947d3dfea70

Download Submit
memory/4012-0-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download
memory/4012-8-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4012-2-0x00000000051B0000-0x000000000524C000-memory.dmp

Filesize
624KB

Download
memory/4012-1-0x00000000007D0000-0x00000000007DA000-memory.dmp

Filesize
40KB

Download
memory/4012-24-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4028-25-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4028-26-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/4028-27-0x0000000005D50000-0x00000000062F4000-memory.dmp

Filesize
5.6MB

Download
memory/4028-28-0x0000000005840000-0x00000000058D2000-memory.dmp

Filesize
584KB

Download
memory/4028-30-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing