Analysis
max time kernel: 135s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/05/2024, 03:48
Static task: static1
Behavioral task: behavioral1
  Sample: 5e92d32561d04e88c358e03ce38940e0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 5e92d32561d04e88c358e03ce38940e0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 5e92d32561d04e88c358e03ce38940e0_NeikiAnalytics.exe
Size: 12KB
MD5: 5e92d32561d04e88c358e03ce38940e0
SHA1: d8ea34cc55d9ba45e5769c799e916be73b229647
SHA256: 864902e6be9eaa59c7d50bd55e65c1dafd641b49ad9777306238cda2934cc84f
SHA512: 9d6719f2571c9eae9802186cea97ed3b8bd6e08b14205b371ec0d128a9432ed2240b58b0f0ec323d87571c427940da8389f657d1f03862a3c8152bb91df55132
SSDEEP: 384:CL7li/2zFq2DcEQvd2cJKLTp/NK9xaC8m:c1M8Q9cdm
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation
  Process: 5e92d32561d04e88c358e03ce38940e0_NeikiAnalytics.exe

Deletes itself (1 IoC)
  PID 4432, tmp4FD6.tmp.exe

Executes dropped EXE (1 IoC)
  PID 4432, tmp4FD6.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 212, 5e92d32561d04e88c358e03ce38940e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                               procid_target
  PID 212 wrote to memory of 4152    212   5e92d32561d04e88c358e03ce38940e0_NeikiAnalytics.exe   87
  PID 212 wrote to memory of 4152    212   5e92d32561d04e88c358e03ce38940e0_NeikiAnalytics.exe   87
  PID 212 wrote to memory of 4152    212   5e92d32561d04e88c358e03ce38940e0_NeikiAnalytics.exe   87
  PID 4152 wrote to memory of 2396   4152  vbc.exe                                               90
  PID 4152 wrote to memory of 2396   4152  vbc.exe                                               90
  PID 4152 wrote to memory of 2396   4152  vbc.exe                                               90
  PID 212 wrote to memory of 4432    212   5e92d32561d04e88c358e03ce38940e0_NeikiAnalytics.exe   91
  PID 212 wrote to memory of 4432    212   5e92d32561d04e88c358e03ce38940e0_NeikiAnalytics.exe   91
  PID 212 wrote to memory of 4432    212   5e92d32561d04e88c358e03ce38940e0_NeikiAnalytics.exe   91
Processes
C:\Users\Admin\AppData\Local\Temp\5e92d32561d04e88c358e03ce38940e0_NeikiAnalytics.exe (PID 212)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e92d32561d04e88c358e03ce38940e0_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 4152)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1jrtguti\1jrtguti.cmdline"
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2396)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5246.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA9D6C4F31E94079AE81221488467B3B.TMP"

  C:\Users\Admin\AppData\Local\Temp\tmp4FD6.tmp.exe (PID 4432)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FD6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e92d32561d04e88c358e03ce38940e0_NeikiAnalytics.exe
    - Deletes itself
    - Executes dropped EXE
Downloads