3761a58958c12df556f96abc57016938f2029440986a402399318055fd1ea970

General

Target

a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe
Size

12KB
MD5

a7bf23f906f6ea2116393fd2cbb66da0
SHA1

835af6df2b99fa6f5f548ea1a0d62f00cf4728d4
SHA256

3761a58958c12df556f96abc57016938f2029440986a402399318055fd1ea970
SHA512

bffe4b9060f88c9da2e322ee5c3a7fc300346118db2eb9eff49bacfaad6664d52124bfa8f12554f65b52e0f15f5974c13b46a8a5209dd4eab0340c3e43bd6197
SSDEEP

384:nL7li/2zZq2DcEQvdhcJKLTp/NK9xaJw:LxM/Q9cJw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
368	tmp6F84.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
368	tmp6F84.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3688	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 2160	3688	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe	88
PID 3688 wrote to memory of 2160	3688	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe	88
PID 3688 wrote to memory of 2160	3688	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe	88
PID 2160 wrote to memory of 1332	2160	vbc.exe	91
PID 2160 wrote to memory of 1332	2160	vbc.exe	91
PID 2160 wrote to memory of 1332	2160	vbc.exe	91
PID 3688 wrote to memory of 368	3688	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe	92
PID 3688 wrote to memory of 368	3688	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe	92
PID 3688 wrote to memory of 368	3688	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oqaldz0d\oqaldz0d.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7129.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc697B8A2AE20D413093C1AEE3F8D27548.TMP"
    3⤵
    PID:1332
- C:\Users\Admin\AppData\Local\Temp\tmp6F84.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6F84.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
2434bf0e8e4349e1e1b34a3347d81953

SHA1
85e021f0f6771c308c9a05bd9879d376155ec51b

SHA256
06f04e8fee749c0336b532a00efec2d1e2caa164561d2c021163b0fd503f9000

SHA512
c740a4e0473d0c207a7bcac3bea27171faf24c234781df437ce1c3fc67b71c1f64ee79287d223280fff01a1636e73997d7c8556c3d0cd3727fb5d6cd973010a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7129.tmp

Filesize
1KB

MD5
798b274a044d9aefd211558f1f46db01

SHA1
d6eae5055f6d0e5549ef09520c00a5a7684a6257

SHA256
7c2e6dac0f48d355fd09b9c548e0ad95d0f897da8722f8c2cb2ffc8559d2050e

SHA512
ea1ea6ee6223fb2f9abbb8243b8ec2aa4711314c2eee916d1f70d4da9c4f3e18b261b33a8977291861af7521abf0be15336ccc88daf30031ff9e6324cef795ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqaldz0d\oqaldz0d.0.vb

Filesize
2KB

MD5
3fcd6330b09cc3c6062163bc1c77ecf9

SHA1
34d65a4de93918bb3e7944f5c71f94c0dc9a380d

SHA256
696d9d4df2aa013c7d91d593323fd1a8880e06a1c8782c553982e4747dcb8b54

SHA512
3b268dba8400234cdb205e03568c4962b8b7b7f33c6d356492ff03fb6d5ec034ccedd24761da213afce5b11752a810355c1594a51a9a01648555824abfcb448b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqaldz0d\oqaldz0d.cmdline

Filesize
273B

MD5
86132f54e1fbac75b3380c1c8e36733e

SHA1
e797928fd1e95212613475520a5dfdba05a93b29

SHA256
f7692d8d7492b6f1eb39327406be121f0db5220b17c53bdfb9f546cc4a4b01da

SHA512
6c6e27c05e28dcbb3e13efef8762bed7dcb0d5da95def93a4743fdec36ba0ea2eff5d848771c07268d5f57907900380b372a8ca680258591ab05bb8b851e9e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6F84.tmp.exe

Filesize
12KB

MD5
2cebf61421bfdff32769ce5bfac774af

SHA1
22f1a860034b8578caed63d75a8a163abe70c874

SHA256
f50117b46f9a0a885eb859bfa4f56511a1af4cc82854ef45eb9606304a0c0f6c

SHA512
7b16a014b22e8bd30c30ba25bc7f7600b73a612f885011260482dc484416fbc259628b468f6243d55f0b4a930dc98f0eeaae4d1f95d62755cac32c1d488a9cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc697B8A2AE20D413093C1AEE3F8D27548.TMP

Filesize
1KB

MD5
f0331810765ffa0c696fae284b54df08

SHA1
8e378b6506cbba8a1dec643b306ae0e17c5b6c66

SHA256
3c5d8abcebb93e88042801b07ae00ccbfde93f3f5fa80abe7069d541277c3eef

SHA512
1a53b671c6c45d903629eb43dfaba322ef86fdbafca1b2de2859189389aeffe7f9e93d87d3bcc435808740efd33d08b78d17088be771169eae6105b6e425b139

Download Submit
memory/368-24-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/368-26-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/368-27-0x0000000005470000-0x0000000005A14000-memory.dmp

Filesize
5.6MB

Download
memory/368-28-0x0000000004F60000-0x0000000004FF2000-memory.dmp

Filesize
584KB

Download
memory/368-30-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/3688-0-0x000000007531E000-0x000000007531F000-memory.dmp

Filesize
4KB

Download
memory/3688-8-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/3688-2-0x0000000005340000-0x00000000053DC000-memory.dmp

Filesize
624KB

Download
memory/3688-1-0x00000000009D0000-0x00000000009DA000-memory.dmp

Filesize
40KB

Download
memory/3688-25-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing