e76f413f106f04974471460bb165d72869ed985c2a22bef23c2579dcd719dc32

General

Target

778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe
Size

12KB
MD5

778a7116161cd47a5447fc36ff0353a0
SHA1

d5be4ec2525ce1e3da54cd213be708c23c7e7c36
SHA256

e76f413f106f04974471460bb165d72869ed985c2a22bef23c2579dcd719dc32
SHA512

f9ee968d163d800529a4fecc22ec5a822082f6628fe7f5a49b75721bfd62dfd32697ef39db38110109baf6bff33342e2c1683f0a4accfa6d1adbe80ba48ea366
SSDEEP

384:tL7li/2zaq2DcEQvdQcJKLTp/NK9xaZP:9CMCQ9cZP

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmp4FA7.tmp.exe

pid process

1860 tmp4FA7.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp4FA7.tmp.exe

pid process

1860 tmp4FA7.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2612 778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe

pid	process
1860	tmp4FA7.tmp.exe

pid	process
1860	tmp4FA7.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2612	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2612 wrote to memory of 5064	2612	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe	vbc.exe
PID 2612 wrote to memory of 5064	2612	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe	vbc.exe
PID 2612 wrote to memory of 5064	2612	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe	vbc.exe
PID 5064 wrote to memory of 2904	5064	vbc.exe	cvtres.exe
PID 5064 wrote to memory of 2904	5064	vbc.exe	cvtres.exe
PID 5064 wrote to memory of 2904	5064	vbc.exe	cvtres.exe
PID 2612 wrote to memory of 1860	2612	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe	tmp4FA7.tmp.exe
PID 2612 wrote to memory of 1860	2612	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe	tmp4FA7.tmp.exe
PID 2612 wrote to memory of 1860	2612	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe	tmp4FA7.tmp.exe

C:\Users\Admin\AppData\Local\Temp\778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r3n1wwrx\r3n1wwrx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE539AD29DE4640E9B3E791A1DBE70D0.TMP"
3⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\tmp4FA7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4FA7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:1860

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
d56e147e311220a26c6529be6e83aeaa

SHA1
a9a437f163425038a72fbc8bdacecf8cc3ab5862

SHA256
2b5ac8b00d54e78c697160200d99d66205e449dda3d87a6a59110796267024ed

SHA512
708ab66e6f7c85d0ca9f15d7a0e1ce57d51674175714b8d2340cd0f3094200f1230071a82a442c525510643caec1832269cf88b1cfbd9d5917340b60dc4ba630

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES51BA.tmp
Filesize
1KB

MD5
9396177b33ee2dfdfb090a9f30d7a268

SHA1
14d0e1d23af80edcd886d585fe043b82cd31a529

SHA256
6794f05a1f5a376bbe43b4af9c86c1ed5046a7e183f0b5b6283667f94758ae40

SHA512
9934b2dbfaf9e7ad7487e3a6f0a82e7fcf18efd3093586b0999a207f52f4d830871aecd3c85b79a7ffc340ceb02b678fc3b936e012d66cb5b8814d7f4a81c3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\r3n1wwrx\r3n1wwrx.0.vb
Filesize
2KB

MD5
a415bfcba6a67c9673f8c156c133d5f9

SHA1
c26da436f6bed71b970885e3ccc5c21ffdd6a22d

SHA256
0c79f67f92a8c5572494674df3c2cd3aa24156f9fbba6462a1282c48c8ebeaf9

SHA512
5f83cd2fe410bb20e34e4304acb1b8dac94221b1b28a493ed94b74cac5287f3a69d89ef30de482ac098976ce25e9c416b9bf2510d44bde78c0fb462cb5199b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\r3n1wwrx\r3n1wwrx.cmdline
Filesize
273B

MD5
1fb697d1522cca5cdc774ba2923eeaf9

SHA1
86dfeca47fd30bbf868f37bdfcad2b75125f7772

SHA256
69e5255c74c3a243811519b6fac02dd38d7a7edeef5dbae76348d0a989e3b3ba

SHA512
9e5955fd22209a005d64e1b0e1103aabab5f9677dd99a098559948abdba8349cc2ca0f1ded7a4aa4a9bdb634587948a96b509db620807eaf065b6b340d08f802

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4FA7.tmp.exe
Filesize
12KB

MD5
256319bc982e1f7ed31e28023c36de2f

SHA1
6f7e5b48d0919508679422e48ff7e459ed255380

SHA256
d6513b0f2184cac0ed1852357c2da2b62bd8be50b94ad84be5ef1ec1d626c0dc

SHA512
8d68a7c1fa41d25a45eac0dfb2ec13d31f229e1534d4f6913a14164b6f26b061b2ed309a00d68eaff2fef5d66be87428dfd179991c0dcd5b0061d362581c356c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE539AD29DE4640E9B3E791A1DBE70D0.TMP
Filesize
1KB

MD5
09296f6d26396490ec30f2d81a3821eb

SHA1
6f856c35559473405a87ff800c483a650fefe595

SHA256
c2c87489f22a0094fe0ed4c8fca491ec274df329a635ecc7c170a326d06fb521

SHA512
cfe801c4a423ce94cce78ac169314b6dbcb57c56a6ae2ac8498e10c5a60c262a3499b4e7663579384c552bda54804f53d4b8629d02bc6c05e74e608133b2ef1a

Download Submit
memory/1860-25-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download
memory/1860-26-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1860-27-0x00000000051A0000-0x0000000005744000-memory.dmp

Filesize
5.6MB

Download
memory/1860-28-0x0000000004C90000-0x0000000004D22000-memory.dmp

Filesize
584KB

Download
memory/1860-30-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/2612-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/2612-8-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/2612-2-0x0000000004D30000-0x0000000004DCC000-memory.dmp

Filesize
624KB

Download
memory/2612-1-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/2612-24-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing