39105ad2446708de77c70e0823494914a0810a9e6646e024c675deb08dcc49bb

General

Target

1fe64eb58d4a7e6fe25bfbdb1909f690_NeikiAnalytics.exe
Size

12KB
MD5

1fe64eb58d4a7e6fe25bfbdb1909f690
SHA1

14d29e7150172c2b15fc2fe46671d5074d29eee0
SHA256

39105ad2446708de77c70e0823494914a0810a9e6646e024c675deb08dcc49bb
SHA512

96bd8c8827af7a9f819bcc98ead281889f2abf949938c4569fbc2dbd762467d2dd8d5c8bd4a46ac7172b3f310a84a2b06410b674462a00eb7a12939b7e13d61a
SSDEEP

384:DL7li/2zkq2DcEQvdhcJKLTp/NK9xat7:HQM/Q9ct7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	1fe64eb58d4a7e6fe25bfbdb1909f690_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4052	tmp2BFE.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4052	tmp2BFE.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4752	1fe64eb58d4a7e6fe25bfbdb1909f690_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 3996	4752	1fe64eb58d4a7e6fe25bfbdb1909f690_NeikiAnalytics.exe	90
PID 4752 wrote to memory of 3996	4752	1fe64eb58d4a7e6fe25bfbdb1909f690_NeikiAnalytics.exe	90
PID 4752 wrote to memory of 3996	4752	1fe64eb58d4a7e6fe25bfbdb1909f690_NeikiAnalytics.exe	90
PID 3996 wrote to memory of 4444	3996	vbc.exe	92
PID 3996 wrote to memory of 4444	3996	vbc.exe	92
PID 3996 wrote to memory of 4444	3996	vbc.exe	92
PID 4752 wrote to memory of 4052	4752	1fe64eb58d4a7e6fe25bfbdb1909f690_NeikiAnalytics.exe	93
PID 4752 wrote to memory of 4052	4752	1fe64eb58d4a7e6fe25bfbdb1909f690_NeikiAnalytics.exe	93
PID 4752 wrote to memory of 4052	4752	1fe64eb58d4a7e6fe25bfbdb1909f690_NeikiAnalytics.exe	93

C:\Users\Admin\AppData\Local\Temp\1fe64eb58d4a7e6fe25bfbdb1909f690_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1fe64eb58d4a7e6fe25bfbdb1909f690_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\52zgiyn0\52zgiyn0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES395B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE99B669AB03342F2BCA2302814F680D7.TMP"
    3⤵
    PID:4444
- C:\Users\Admin\AppData\Local\Temp\tmp2BFE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2BFE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1fe64eb58d4a7e6fe25bfbdb1909f690_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\52zgiyn0\52zgiyn0.0.vb

Filesize
2KB

MD5
155576673b3c00e5e87096b315526f3c

SHA1
e6e2986c9f6459b7ed423471d851f3317df523b0

SHA256
32ad73f2b5d0ffa25bc5f26b267277df732461c09b17c0d4086ecef4cdb27ab5

SHA512
1f008fa69dcd9a9283417a2447294e3c56f2175c89d967f73e89876ff654730db27e77fd0df6aad722dec6f08e24cadaee364c9933858bfdb7e2f57ceef5cdb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\52zgiyn0\52zgiyn0.cmdline

Filesize
273B

MD5
b20d6c8ab5789837ed39cb73c3fda3c9

SHA1
dd9d6b5db489dc211ae9d2dec4b263b711a58838

SHA256
1620cfe5b1c5dcc94fb43e045b4c3cccccfe6d7c76c4758ea0fb1f392071c0c8

SHA512
d8bf1300c9078d95ad451b5753d684ae9a7e3f0657c9953f557c1cd21f3dfbb7642cbe582a63114783334bde8cc03426ef5cf2ab0c28693f2d2e7e76d4e58421

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
bdc76b0b80669eb23337be3d72c4818f

SHA1
c2368993ba4d2f73bd305ff5ed0a4cb769669935

SHA256
561e27f09715ba4247fe4a06b76bbf7567a628884d2eb92c8cc2c05d46f473c2

SHA512
654b740c8eb10894fdc49bb7751318c743884ac6e30485147fbf30b410d9eee8e0bfed4b9ba32fbc95179d3bc4d8bf517a8ab832f770d943574edea3aeaa0fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES395B.tmp

Filesize
1KB

MD5
ec72e0f09f67fdfb051e7abb2d8e9ab9

SHA1
0ef4b7946f5b368fb583d97fa34a272fae3d8958

SHA256
e801f3a246e102fe25edc1b58f18731c5b84f1329245d7ad3eb7a1600a4a91e7

SHA512
b0596ea024ae97ee691e5af194a5282e235c41e5f17251680c35f9663c03a979034f54feefe9e57a787381722a4d446b094ec9999db44de4aead26fabc1e8470

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BFE.tmp.exe

Filesize
12KB

MD5
ae72adf2903bb090deca2779f7eafab3

SHA1
670f7901dc015a3634732d70ae09e3b7da0605fd

SHA256
7bbab249bf1747c5e25bfdb1fae8c0117da9a17b57f41e46ded788459bfd1645

SHA512
d6c36acf7e9fd5d6e203b30736e00133cbd08001625ec9f5e70fd8cff821bb6f678ed37cca5cda692b7244f835f2b1eda84629e991fc190b9daa3efcdd0cfafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE99B669AB03342F2BCA2302814F680D7.TMP

Filesize
1KB

MD5
15a27117e4858c26f36a66796a6bfd0c

SHA1
c4d6ccf76a9d876c0cc683abec77e2a4bf004cfa

SHA256
d842b900e4585884260acf9c68250cd42fa4c830654700dbec43a451687573a5

SHA512
822bc59211dbd80c7179824bea24a0605fa8bdb0653cef59045703c9bc3911e82dbee66c1a9d4a05e77c717c248c2332279d785a8c05e3f86fd8275ee8dadf9c

Download Submit
memory/4052-25-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/4052-24-0x00000000009E0000-0x00000000009EA000-memory.dmp

Filesize
40KB

Download
memory/4052-27-0x0000000005900000-0x0000000005EA4000-memory.dmp

Filesize
5.6MB

Download
memory/4052-28-0x0000000005350000-0x00000000053E2000-memory.dmp

Filesize
584KB

Download
memory/4052-30-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/4752-7-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/4752-2-0x00000000051E0000-0x000000000527C000-memory.dmp

Filesize
624KB

Download
memory/4752-1-0x0000000000860000-0x000000000086A000-memory.dmp

Filesize
40KB

Download
memory/4752-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

Filesize
4KB

Download
memory/4752-26-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing