8a7a8c518cb2a54a30dd01a88e0ef7adb92144ec3e968bdd961895443d1c16ef

General

Target

0591e902871572f082d993695ecac470_NeikiAnalytics.exe
Size

12KB
MD5

0591e902871572f082d993695ecac470
SHA1

a10f26262c9f693994eb1acf18922464ae823b76
SHA256

8a7a8c518cb2a54a30dd01a88e0ef7adb92144ec3e968bdd961895443d1c16ef
SHA512

423fc323d851f5a615faa28afae42b976b73aba16df564e528b69b225ba6689ea557a6ed59b6f0668460afbd183e7680e1e0d4ad91b7cbf946b538672474e3a7
SSDEEP

384:hL7li/2zMq2DcEQvdhcJKLTp/NK9xaWV:BIM/Q9cWV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	0591e902871572f082d993695ecac470_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2176	tmpE80F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2176	tmpE80F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	672	0591e902871572f082d993695ecac470_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 672 wrote to memory of 2620	672	0591e902871572f082d993695ecac470_NeikiAnalytics.exe	94
PID 672 wrote to memory of 2620	672	0591e902871572f082d993695ecac470_NeikiAnalytics.exe	94
PID 672 wrote to memory of 2620	672	0591e902871572f082d993695ecac470_NeikiAnalytics.exe	94
PID 2620 wrote to memory of 3912	2620	vbc.exe	96
PID 2620 wrote to memory of 3912	2620	vbc.exe	96
PID 2620 wrote to memory of 3912	2620	vbc.exe	96
PID 672 wrote to memory of 2176	672	0591e902871572f082d993695ecac470_NeikiAnalytics.exe	97
PID 672 wrote to memory of 2176	672	0591e902871572f082d993695ecac470_NeikiAnalytics.exe	97
PID 672 wrote to memory of 2176	672	0591e902871572f082d993695ecac470_NeikiAnalytics.exe	97

C:\Users\Admin\AppData\Local\Temp\0591e902871572f082d993695ecac470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0591e902871572f082d993695ecac470_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0opbyyh1\0opbyyh1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc36B1F3A7DED946E389343B7124AFF9BB.TMP"
    3⤵
    PID:3912
- C:\Users\Admin\AppData\Local\Temp\tmpE80F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE80F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0591e902871572f082d993695ecac470_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3980,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4488 /prefetch:8
1⤵
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0opbyyh1\0opbyyh1.0.vb

Filesize
2KB

MD5
7fe7f523c77c464f8c7bbd3ab0c40e2d

SHA1
b43cd8f65aee3c3727c271c7c3739535cd58d959

SHA256
62b8604177f456bcce6daea8504a51be3ea6385c31c4816eb27eb039345de7db

SHA512
fc80f02aa307f9fe1e9ce62cdb21d712cdf72a7d0870b140af2ddfb8d3b08703b5eaeeabfccb0bd0bac0d35e873c9381ed327f84357110d0c07cd185cdbf17f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0opbyyh1\0opbyyh1.cmdline

Filesize
273B

MD5
a8607b6e18213a20deec636381dc7e5c

SHA1
17e7b6aa07f6c9789b0e924594619b5321866af9

SHA256
10b4a8ce67c417fc9a9e4faa36f23e66df99963441acf65bc636334e80c86de6

SHA512
c7bb655f1952ca1f8d450fca5b19840b763c8bd3d8da2ac4232a18d5b107746fe9cd3bf16e5159cab341d0169e2048caa7a0ca6530a8c7320ee28a31dbac8cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
53df126a8aa63055767552c1e6ccd0a3

SHA1
2d6c608c9d4f0f3c2497e8a52cf21f9c821f18d5

SHA256
10dd73474b1a43fe2abf1529954132c0c3260852f5af0c3c6313d5ef059d791c

SHA512
11c0264dd8e83973a05e07e255915dd1a24d65baa27d73f865bfd7dd4f2a820f91be6495fd5010770762134096fb657ec34d92d9b9f6738ec5e01bc90e563e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE9E3.tmp

Filesize
1KB

MD5
4e68e8cf54d2eefe26e8335e1fa0649c

SHA1
0a40e7289fffa6cff5f1bfd58b5dbfdd273ed808

SHA256
33c17b8c941d7df780bb35907434647b0e6464720bc6b93b3ff51c9eadd7483b

SHA512
21685bde6700bd0b6d707013f12c9bc41f5f32173aed9912641a7158f383d240be4ff0f422daab58b4286e3fc419219d0c162698e930bc382f4012f376152bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE80F.tmp.exe

Filesize
12KB

MD5
7227596065bf34e9a5d0364842a304ab

SHA1
0e7f828812cfc5b407fec23af2f483e46a55e127

SHA256
c1f47cfb9885823ac43484b44a485a6ee789dbc5b279fbc2fe9308bbff669b10

SHA512
902e2754bf8b563cbad69cea89e78feea189b41b25f3254c9a4b3f73b14f03d28b2c90d674e3f1005084ca252d39a9da8c8edd16f2aa762c684f0aeb7f089ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc36B1F3A7DED946E389343B7124AFF9BB.TMP

Filesize
1KB

MD5
e861f021538750d9c4484036a8a7573b

SHA1
4ba354068e47096673f7f8c00952476f7bb0add5

SHA256
603521fb3a4b9bbf54080ad6183f7f3227cc70e6fb215f060129caf69271db56

SHA512
46661526958340b85b6fdfc4914d2e27b05582b7eba0378603e2549234ca4ea3c27fff473444989fa3a3f9af687d8584266fb0acb3991f3b4baad35440432a58

Download Submit
memory/672-8-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/672-2-0x0000000005770000-0x000000000580C000-memory.dmp

Filesize
624KB

Download
memory/672-1-0x0000000000F30000-0x0000000000F3A000-memory.dmp

Filesize
40KB

Download
memory/672-0-0x000000007507E000-0x000000007507F000-memory.dmp

Filesize
4KB

Download
memory/672-24-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/2176-25-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/2176-26-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2176-27-0x0000000005A60000-0x0000000006004000-memory.dmp

Filesize
5.6MB

Download
memory/2176-28-0x0000000005550000-0x00000000055E2000-memory.dmp

Filesize
584KB

Download
memory/2176-30-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing