0690c2d1b7625037c93f183b3de5d7998c0c8c0126ed65b19a2a3fcc98818dc1

General

Target

7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe
Size

12KB
MD5

7731c5cf8ffdeac783af3e5b6fb57550
SHA1

a6a8b55558c278b985c6c1f322d65c942bbdf592
SHA256

0690c2d1b7625037c93f183b3de5d7998c0c8c0126ed65b19a2a3fcc98818dc1
SHA512

b23acab15b7e62bde8b0fec3286a8f92602aec60f1833810e5e75b33adae7b5d4dbbd0ea5b8315b2e51420464a547108ab753ae2dc82759fc9de45b558666a64
SSDEEP

384:SL7li/2zAq2DcEQvdQcJKLTp/NK9xaN9:MMMCQ9cN9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp3F6B.tmp.exe

pid process

4572 tmp3F6B.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp3F6B.tmp.exe

pid process

4572 tmp3F6B.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 3108 7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe

pid	process
4572	tmp3F6B.tmp.exe

pid	process
4572	tmp3F6B.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3108	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 3108 wrote to memory of 4016	3108	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe	vbc.exe
PID 3108 wrote to memory of 4016	3108	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe	vbc.exe
PID 3108 wrote to memory of 4016	3108	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe	vbc.exe
PID 4016 wrote to memory of 1196	4016	vbc.exe	cvtres.exe
PID 4016 wrote to memory of 1196	4016	vbc.exe	cvtres.exe
PID 4016 wrote to memory of 1196	4016	vbc.exe	cvtres.exe
PID 3108 wrote to memory of 4572	3108	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe	tmp3F6B.tmp.exe
PID 3108 wrote to memory of 4572	3108	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe	tmp3F6B.tmp.exe
PID 3108 wrote to memory of 4572	3108	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe	tmp3F6B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2es3v00u\2es3v00u.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES413F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8723ECC5F9E647F0883D85859498B69B.TMP"
    3⤵
    PID:1196
- C:\Users\Admin\AppData\Local\Temp\tmp3F6B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3F6B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2es3v00u\2es3v00u.0.vb

Filesize
2KB

MD5
d43f08979e35db5ec6255feed85e3ea3

SHA1
b71bde1ee11c654b60fa90a984746cae92f74939

SHA256
01c7347da593deba5be35d8afe9d2e7332706597333616c25ebe8e8d9353c1e7

SHA512
aa8bf7b5ff7617c8dac46337e5e466e40cce3ccfd4f13db89830ce9c16ee57af1cee8f71c6ad6b0629d09346aa7f495cc4511c09b8b3d243212330d285c66d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\2es3v00u\2es3v00u.cmdline

Filesize
273B

MD5
7c35ec9ac192ae03b90e97d1fcda4627

SHA1
85dad68b95e614579f7e261abd49de4578519f36

SHA256
3102457d54d33f2a55ccff5cff9dda12af47fc5d572273ae9e517de5d034826f

SHA512
36ce2eb11f4e938b8a04134be6651b4dad6bf28a372ffa4ff4da733594f047b66c56552963ee0f3d8058ef3c4c449bb2b766815b0ad4d0c01a509f280ec6c961

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
05cacf5a84bf834dd8b23ade1f1e431c

SHA1
0bba732a1fb75b2b8ed812cd3b01ff0989936a20

SHA256
0af0cb296315e137683b1650690c7d950ce1be4507206c230c7233d49b17b555

SHA512
2e3f796b9521fe12885f3040a8a5385847f351f3320e3077563389a2a8c206a1128aefb0d6a57b63c183a7d27c0602d01d3f0aa1534b6c0ca23edc78dcbb1a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES413F.tmp

Filesize
1KB

MD5
d05f7c2606304ae56765b47e59ef19fd

SHA1
479787c4ce3c3a1f4f10354386a10b302446d320

SHA256
88d25bea6a1cc8b6af63d866385f0320462dce10f3d7974826304570f2030ec6

SHA512
2c4ab871c150cae3790c1a8fbd267bb8c4cd8cae1d17fe75c0dc62f0eb3daf087fb0674e12f1b4dc8310901cbd98802c89da9d2a9da4a411aa437ec6c6b999e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F6B.tmp.exe

Filesize
12KB

MD5
df69f14850ee9c856f6277d987662457

SHA1
22357ee6e06e187ff1898bf0b1bde5e5b6be80f5

SHA256
3db625665caf300c128402f388ac3778908e3554eb4316eadb4d5ad1adc20900

SHA512
a6884fba61ba634611ee0ddede04e64039d110990ffa5cfc2ed8d987c45607ce83e53cf569ed5d77b32f754be41e02e1fb4b1075dd50ce3fc0537a9edf75704a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8723ECC5F9E647F0883D85859498B69B.TMP

Filesize
1KB

MD5
fa92d299159886a836d5c7eab1fb1188

SHA1
931925b2c446e0eb2e0b2e63298257fb47ed2b95

SHA256
78b4397948a869fae0c793b21c7c1781776cea213882302b0fc88be2a5676fc7

SHA512
27468c9363ffeb4f5af2e98da29e787919af2fe6f4022981f75ba12c9ea86bb554190c0be4e40fce85aac7391ce56db8d33a1f4f5909db8faa43e03be80a448a

Download Submit
memory/3108-8-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/3108-2-0x0000000004A90000-0x0000000004B2C000-memory.dmp

Filesize
624KB

Download
memory/3108-1-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/3108-0-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download
memory/3108-26-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/4572-24-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/4572-25-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/4572-27-0x0000000005440000-0x00000000059E4000-memory.dmp

Filesize
5.6MB

Download
memory/4572-28-0x0000000004F30000-0x0000000004FC2000-memory.dmp

Filesize
584KB

Download
memory/4572-30-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing