206c41107f4a1eaed6184b192f211a05b16cb1968825e2a0917792af1eba24e9

General

Target

930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe
Size

12KB
MD5

930c5ed38490afea5f8e625ae27b76b0
SHA1

efd4d953b1316cb804fb5b483c544e3575010062
SHA256

206c41107f4a1eaed6184b192f211a05b16cb1968825e2a0917792af1eba24e9
SHA512

82a3adef52dad16914ad0350982d4f2f83c2a5389dfa60a15268572ca03fbd580c778ea522a423a6ca8564c28ed56819e34597fe246d98ca28880c47c3927dfd
SSDEEP

384:lL7li/2zWq2DcEQvdhcJKLTp/NK9xa5K:l2M/Q9c5K

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
5064	tmp48C2.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5064	tmp48C2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2520	1984	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe	87
PID 1984 wrote to memory of 2520	1984	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe	87
PID 1984 wrote to memory of 2520	1984	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe	87
PID 2520 wrote to memory of 3216	2520	vbc.exe	89
PID 2520 wrote to memory of 3216	2520	vbc.exe	89
PID 2520 wrote to memory of 3216	2520	vbc.exe	89
PID 1984 wrote to memory of 5064	1984	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe	90
PID 1984 wrote to memory of 5064	1984	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe	90
PID 1984 wrote to memory of 5064	1984	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\inc1ahgj\inc1ahgj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1C8879233C24EDAADD6515BB0FA64E4.TMP"
    3⤵
    PID:3216
- C:\Users\Admin\AppData\Local\Temp\tmp48C2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp48C2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
96fd06b9b6c7b11c6ecd7adf52a2fe01

SHA1
230d315e6213d2402fb9c4214c00a734944b8a3b

SHA256
eaac7b61f41c3e1fab0ba680b3a71f6ff4868cac226973421b1f5cad29a12435

SHA512
683a7ced27d5244ae221d03ec852465e0fef65cc4cb9445aaa0aacade24f2fe033ee07fd349d9a0c9151831bbe73c9b448826050845d1b505a2b757151965dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A86.tmp

Filesize
1KB

MD5
2c6055780e449efa922d371df713fb8f

SHA1
c9519be875ec6a9cf9d4ad390bac32eecf444274

SHA256
527d1b381354b26ff414abee9c8607e02907c5ca5cc6575eb9cdc404b96e2801

SHA512
ad9133b74afc799f1c0e353048d8c053ce9060841b887741dd93d97c07a11083deb7a79e86e23ff5adbf2fb7a77aa901d3bd85455704bae2e3470189354d3a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\inc1ahgj\inc1ahgj.0.vb

Filesize
2KB

MD5
4b9ffd6785633ea0984c2efabef43286

SHA1
dbf863843f570d08fd329a33835e43b41ef46a47

SHA256
f851ba253e52fd2467158da9bf5b0188d6f5e8db616542a252b6ed8447a79f9b

SHA512
2fb82476edde1d0bf65fcef99660fc6c7cef227f1c9b2d8875805e4e0e351921a18fd600dc8e020a0337fd373429fa3ba3e21b37cf1bbcd7497edc5bd5f0c9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\inc1ahgj\inc1ahgj.cmdline

Filesize
273B

MD5
719c47ccd387d7d07bca6be144a0bc9e

SHA1
0db3c742f7ac250824ba8500a8d45e9240004d72

SHA256
aec44fd3ee0e68819ac69aad50f1f2ad598005d080f3c6fbb53b992a8481d569

SHA512
4ec72b47c91c40e7f7eb109c0569681298eccb651d82b07754bd801555e8b0603b1bdcb87b476042622c2fe549dfb66db0c18aa55437ef1e6cd41074950fa9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp48C2.tmp.exe

Filesize
12KB

MD5
98ba37145fcc937bcafcbfa26da3d3c4

SHA1
d93acaca97b300d97f569fb040d5c52d3762e38f

SHA256
a48f8e29c6cf1b92901590fcaad5e92e3a1276f87ffb9abf8f04e981cc22a472

SHA512
9c30437c9e03fb00115d8e8681a622809794c73a811145e9d6ceb4d7175125fc67c911f9dce9a66f6fa7a824c3102a3a5f9e9836cf00789f6b274220d1fb988a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD1C8879233C24EDAADD6515BB0FA64E4.TMP

Filesize
1KB

MD5
a8b34d4ec3b4ae02636a839ece98be34

SHA1
c547413203449a9b38bddbcdd0bbc35d1b392474

SHA256
087f877406ee4e53914cf3836d6e3a28b487b43afa5963e34429e696f0387198

SHA512
78941cc7eb55aab9b5957067be71cf2ef92f3bb51a7065283869b1192f65cc90c06308f19321eb2e1c7d04ee20349511f85c9b0094e830844bdeab9899962624

Download Submit
memory/1984-0-0x000000007522E000-0x000000007522F000-memory.dmp

Filesize
4KB

Download
memory/1984-8-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/1984-2-0x0000000005120000-0x00000000051BC000-memory.dmp

Filesize
624KB

Download
memory/1984-1-0x0000000000790000-0x000000000079A000-memory.dmp

Filesize
40KB

Download
memory/1984-25-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/5064-24-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/5064-26-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/5064-27-0x0000000005040000-0x00000000055E4000-memory.dmp

Filesize
5.6MB

Download
memory/5064-28-0x0000000004A90000-0x0000000004B22000-memory.dmp

Filesize
584KB

Download
memory/5064-30-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing