515e74d6c6b193fa66c8bbe77ac25b725b758397e1d852846c27989642085492

General

Target

77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe
Size

12KB
MD5

77b02a3b4192134447c9655803408f90
SHA1

340de3862ecd98bfd4a91d4c355639c03fc647d0
SHA256

515e74d6c6b193fa66c8bbe77ac25b725b758397e1d852846c27989642085492
SHA512

57530af9b4b327af8360452d43b307c2b702e4ebb747563407fcfdc4df260e7de08dc527833ca297dbcc1c17ce02e2b2a8dbf2758d08b36a4526922a956931aa
SSDEEP

384:rL7li/2zXq2DcEQvdQcJKLTp/NK9xa+r:/zMCQ9c+r

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

tmpAAA.tmp.exe

pid process

4396 tmpAAA.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpAAA.tmp.exe

pid process

4396 tmpAAA.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 3108 77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe

pid	process
4396	tmpAAA.tmp.exe

pid	process
4396	tmpAAA.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3108	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

77b02a3b4192134447c9655803408f90_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 3108 wrote to memory of 4132	3108	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe	vbc.exe
PID 3108 wrote to memory of 4132	3108	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe	vbc.exe
PID 3108 wrote to memory of 4132	3108	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe	vbc.exe
PID 4132 wrote to memory of 4548	4132	vbc.exe	cvtres.exe
PID 4132 wrote to memory of 4548	4132	vbc.exe	cvtres.exe
PID 4132 wrote to memory of 4548	4132	vbc.exe	cvtres.exe
PID 3108 wrote to memory of 4396	3108	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe	tmpAAA.tmp.exe
PID 3108 wrote to memory of 4396	3108	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe	tmpAAA.tmp.exe
PID 3108 wrote to memory of 4396	3108	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe	tmpAAA.tmp.exe

C:\Users\Admin\AppData\Local\Temp\77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bpqo0vdf\bpqo0vdf.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC124DA815BA4E4C8BF2364290E6D88A.TMP"
3⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\tmpAAA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpAAA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
981ef94c84117125af9d91c3a9504e37

SHA1
09521b9713b9a285500ed6c53ea76db0356cf5fc

SHA256
ff084b54fc23f94182ea354405fb67e38340815dc3d7e630c7346a08a89a02f4

SHA512
72fceeff7afbb7f53b45d141720a6c03494eda60aa5750f7aed09fd4a17703a3392e01a481a075f944d0e911c71123c8389ddce6b593596194615092037a828b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES16B0.tmp
Filesize
1KB

MD5
f8e94fd076ccd5854b3c259a3445c743

SHA1
d3dd74b44c63e49417f121591c2cea288ea98ef8

SHA256
f102d14d09434a12b62df1175078e5e5423f60da57b3f3903e073019f933c0dd

SHA512
cdca11b3718250d5452e031fd3766c52d5cfcdee14ad26b57350033823dd8adcac2a03573ae82082ac8d503404cbb76a73aeb0a9f230a23dca68d0ebba541b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bpqo0vdf\bpqo0vdf.0.vb
Filesize
2KB

MD5
080beac3dcaefc3813f50f9784852636

SHA1
49fc7d3c92eb4dfa1120e75691813268fbfada6f

SHA256
edaedbaebcabbfb34abad2e329c7f552f0d8ad4f2529a0fce5e7b760709bf009

SHA512
ea53a2f98d07a4f7568e44e7a213121ca4b6d541f2b5c5e994d6607ef0be838f8cb5b41c8125d68f4dcda8c8668226679e6f7da9051b4be0ef6b17fc8cc1611f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bpqo0vdf\bpqo0vdf.cmdline
Filesize
272B

MD5
987a0f77c9709d4139c507388a472825

SHA1
7f00969c559235eb2f06ba27e10d63e4835dc872

SHA256
f57b74b0d436fbb688e6d9c92b278788b13af78e4491aef58bd101113dc672d1

SHA512
b416f5afce6bf3858384f578f40acf10c4e01dc707c29e9faf0266efb8333d3a42682cee61090fac4db5fd6bdfd63019e2e4429f8057a524bd6439da94c7de0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAAA.tmp.exe
Filesize
12KB

MD5
6c61ec5e9b74dfc507cf3f3bdadc76f0

SHA1
399eaf63b2ee2b1c8bd0514a6fb6a0a5ee96f022

SHA256
fbf27bea2307d101c901457a9d523f8f46175d38176a3265a87c354da9df5d2b

SHA512
6aff472e5a6eaca68210e49d721e070f596cd521759c21d14a48acbddd9b933691c58bdd586523cb24ea8d8365801da496c2638f282c816c35a80dab9d166a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC124DA815BA4E4C8BF2364290E6D88A.TMP
Filesize
1KB

MD5
ee2bb7cb0f49008144340361db18a009

SHA1
de0363ea3c52fe70ef4d13f0d0a954ba1511a436

SHA256
591a2cbc4ecc8c8751468fc214541e1cf8e172ba72a2d99bbe8f9fea01479234

SHA512
8d4a98347e7ee517b8037503ba89bc343bc8c1b39e34ccb855d54d60898703a767051e6c7a2938adc30330b5e0456dd3fc0b1127669768795dc3afd81ef08aae

Download Submit
memory/3108-0-0x0000000074F3E000-0x0000000074F3F000-memory.dmp

Filesize
4KB

Download
memory/3108-7-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3108-2-0x00000000057B0000-0x000000000584C000-memory.dmp

Filesize
624KB

Download
memory/3108-1-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/3108-26-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/4396-24-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/4396-25-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/4396-27-0x0000000005090000-0x0000000005634000-memory.dmp

Filesize
5.6MB

Download
memory/4396-28-0x0000000004B80000-0x0000000004C12000-memory.dmp

Filesize
584KB

Download
memory/4396-30-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing