f94f70706d0a74197a56d2f6274d5e7ef1cfc0e365606a7a3cba7ef186f619e4

General

Target

6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe
Size

12KB
MD5

6d60c74944bdfc379f5a8fe0f3ce3230
SHA1

b3219bdf82b9f009e6918e233b19e4a5572f605b
SHA256

f94f70706d0a74197a56d2f6274d5e7ef1cfc0e365606a7a3cba7ef186f619e4
SHA512

2da448412c0338f521fba1cb8a6d333f0c4691b52cd65f66ae843a9916b5ff615e4ada9646cd7d12f40b90add6e286ad2bacf491746760216aa81127b13c7b78
SSDEEP

384:2L7li/2zeq2DcEQvdfcJKLTp/NK9xaQM:wmMZQ9cQM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1232	tmp398F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1232	tmp398F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4612	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 1356	4612	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe	87
PID 4612 wrote to memory of 1356	4612	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe	87
PID 4612 wrote to memory of 1356	4612	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe	87
PID 1356 wrote to memory of 4172	1356	vbc.exe	90
PID 1356 wrote to memory of 4172	1356	vbc.exe	90
PID 1356 wrote to memory of 4172	1356	vbc.exe	90
PID 4612 wrote to memory of 1232	4612	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe	91
PID 4612 wrote to memory of 1232	4612	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe	91
PID 4612 wrote to memory of 1232	4612	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bjgg3ffx\bjgg3ffx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2C2AAB0507143B6B8ED4EDAFF52D4.TMP"
    3⤵
    PID:4172
- C:\Users\Admin\AppData\Local\Temp\tmp398F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp398F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
16ff3ef6ff9020e570f42b94ef6ef59c

SHA1
78e1667064c3ed8a785af24fd196f982b152d19a

SHA256
6cf02b097ed3365b52fcb21506872030f97f6091741a4b0aa639e6168c31c1b0

SHA512
d519f85d8b82dbedac27607777226a528de1a14de7f624eeddf95ae22424a5021a33fd3ca02f1edfcf53f4f7783f52e1a5e394bc855240b1da96fd8dafda817b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3AF6.tmp

Filesize
1KB

MD5
5596a22a46705d419b93be99001b5230

SHA1
74e935b19a21cf1c62fcffcdcda148ed428d4e43

SHA256
23c721bf02e2f3a981f8fca644013dbedad9b5ed0184e9e534e96696c1ccd816

SHA512
78ed647b6d8217bc824b356ba630fd2a23318789ea45181adc58fac2c14ba13b9d9bc678abf12de0ed295afc5842a434808d3e961e1eab7c5fd85412dae58b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjgg3ffx\bjgg3ffx.0.vb

Filesize
2KB

MD5
18c89170270aacd60db1f787b316f45a

SHA1
5b98b6ce3cf6767285fc54c6dde61f1170946e5f

SHA256
71552cf5f196e9162833e78a6ef53ce86e947143acfc972090644e240846f88c

SHA512
cdc4a923d39e6cd24d831d22723ced222615dee308e2593497a8a1ccba1f4fa44660dcf09a3e112d589a38362e9f2b63c1408333e54df5c3d4f522994f72895a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjgg3ffx\bjgg3ffx.cmdline

Filesize
273B

MD5
7a0e2f8dc0e4714d2cc21be4c1fc7f0b

SHA1
0b52a0a8a3924226f40f5176322ae6faa319000b

SHA256
4127b7487dac366ad1287e453b12cc73ffe9167def289f4f55663783be7c7b93

SHA512
f081798cb3cc5901b6412781877dd9992b70f08dcf31eaf66542d627dc40f03999688096bf992a85c966a1b1b1e7953306c2c68c2bbdcfb66ef43f7759ba32f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp398F.tmp.exe

Filesize
12KB

MD5
a8501422f107bab20b89f5cc44d48609

SHA1
12be8872cb172d8f836417b9ee785162fc869c7d

SHA256
f92ca251520a6882e447030395d47ffa830784e8cf299c8924ff27a4ab61dc23

SHA512
56386db01fc49ac707aa425c8e612b42da2155d640d479c4e5b81f9a6aed5bd7b45d2a8b8d35a5603550e9b01f10f07eab1fc466f6f4b413fd36e08d013d0e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF2C2AAB0507143B6B8ED4EDAFF52D4.TMP

Filesize
1KB

MD5
5c11b1df71de3ff358cbfcb3625223f9

SHA1
b11b72082a3503c683422f55ce3b546f1eda8caa

SHA256
bb26335f79a9a3bc129f7905d506dbb3e4244a0fcc9f41627190fc15409faa9d

SHA512
01748288c425cc40d066363d086209865c416aa143cc2cf51a20b7907893c0ab540211c35b0f8c58e5f5de1d0297bdd86615e7e6b620e8d44117f6dd2d6fdaf0

Download Submit
memory/1232-24-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/1232-25-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/1232-27-0x0000000005040000-0x00000000055E4000-memory.dmp

Filesize
5.6MB

Download
memory/1232-28-0x0000000004A90000-0x0000000004B22000-memory.dmp

Filesize
584KB

Download
memory/1232-30-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/4612-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/4612-8-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/4612-2-0x0000000005910000-0x00000000059AC000-memory.dmp

Filesize
624KB

Download
memory/4612-1-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

Filesize
40KB

Download
memory/4612-26-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing