735a47d1309ba80f1a55ff77f0069925f009323eef977104351c60d76bc5fc50

General

Target

7995552ec5d9ca6284c9c94c7de66710_NeikiAnalytics.exe
Size

12KB
MD5

7995552ec5d9ca6284c9c94c7de66710
SHA1

2620702821bb798f7f5624408238643c5640dc6e
SHA256

735a47d1309ba80f1a55ff77f0069925f009323eef977104351c60d76bc5fc50
SHA512

dffabef87785754800bf053301eaca83ab7b545a8c4f0616df2b324d9eef9407c62d28a42ca2df9ce026e27a36000a5d17e3d75623ca3624e71d68f4ad9cca97
SSDEEP

384:YL7li/2zsKq2DcEQvdhcJKLTp/NK9xaHk9:mgOM/Q9cE9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	7995552ec5d9ca6284c9c94c7de66710_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3916	tmp374D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3916	tmp374D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4052	7995552ec5d9ca6284c9c94c7de66710_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 5076	4052	7995552ec5d9ca6284c9c94c7de66710_NeikiAnalytics.exe	90
PID 4052 wrote to memory of 5076	4052	7995552ec5d9ca6284c9c94c7de66710_NeikiAnalytics.exe	90
PID 4052 wrote to memory of 5076	4052	7995552ec5d9ca6284c9c94c7de66710_NeikiAnalytics.exe	90
PID 5076 wrote to memory of 1004	5076	vbc.exe	92
PID 5076 wrote to memory of 1004	5076	vbc.exe	92
PID 5076 wrote to memory of 1004	5076	vbc.exe	92
PID 4052 wrote to memory of 3916	4052	7995552ec5d9ca6284c9c94c7de66710_NeikiAnalytics.exe	93
PID 4052 wrote to memory of 3916	4052	7995552ec5d9ca6284c9c94c7de66710_NeikiAnalytics.exe	93
PID 4052 wrote to memory of 3916	4052	7995552ec5d9ca6284c9c94c7de66710_NeikiAnalytics.exe	93

C:\Users\Admin\AppData\Local\Temp\7995552ec5d9ca6284c9c94c7de66710_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7995552ec5d9ca6284c9c94c7de66710_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jafdl0z2\jafdl0z2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3902.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B6BC53D7EC545A581774A7E8290F23E.TMP"
    3⤵
    PID:1004
- C:\Users\Admin\AppData\Local\Temp\tmp374D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp374D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7995552ec5d9ca6284c9c94c7de66710_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
65875ac58137a78d260074af9df73cad

SHA1
390818698fbc83423d49c75ab835c4178dbad349

SHA256
766e8009b0396e45f4868b3925db9a76b5d6d3af6240a756b1a37fbaf8030917

SHA512
221b6ced068060094ba7a32e85a57a8cc4afed73731278308c0020115eb221aedf6343e8f66b7c6aac2128530ed9c7d32a2415fbb97db55cdd4fb16315588707

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3902.tmp

Filesize
1KB

MD5
8cb648140b3784df486cd8df8e53274b

SHA1
ec61ae24d793657b673d43a99cb2d2d246dd4cc9

SHA256
3233c0d23ac41802668ff6239bc59d3bc7e81d33b03e2358b80560724682aeae

SHA512
d39e8fbe83965e46a3b967dc575998d626c316a99aad8ad9fd96b79a7942ca6589d1f52ddc67d35e66d28780fa4847fd958fbebda455bb04f728fa7c7ed8f052

Download Submit
C:\Users\Admin\AppData\Local\Temp\jafdl0z2\jafdl0z2.0.vb

Filesize
2KB

MD5
b92992a1a530e25c5fd72a251db3328e

SHA1
a6f1d10a62b8ae5579f7dfef021015eb14c3880d

SHA256
18a109f9ace3e84069c477e117215d6c2739bfc112883bbf9a1ea3a867efbd60

SHA512
d55da7092dec56ee3975ae44f976e3f3559ccd2ed713956171a59fb76dd9c450c07e39e239904a177fa8d9c5e12dfde25ea8c9681e7e00c08c3ffcb1833facab

Download Submit
C:\Users\Admin\AppData\Local\Temp\jafdl0z2\jafdl0z2.cmdline

Filesize
273B

MD5
1e47a1494de0b828dfef253a8964cc4f

SHA1
141096595adb00f27caf2d34b6394c33114242a2

SHA256
947a6fd9b34ff4a757d1c9d81155353f6fca290e07c775e6cd8fadaaf3b7a50f

SHA512
23be068a474d0e0e755b77377e5bdeb535c0f4d4850c32879cae0e46ee6c808eac3c6061d37a27b2880bad37c05d263f8afe03fb1f0539c0ee051d47ca077f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp374D.tmp.exe

Filesize
12KB

MD5
ba076868aab821e6f8b3e800427c3a34

SHA1
e5c8e938f1382984487d20781db52d58b68ca850

SHA256
fec04e48a96c8beeb70343766445bbe8a524badcad417d524e9d7cae52c128ed

SHA512
6cb6468ad3e3927a3dd1644d384ec5f5292d03e7661d59fcc558282c23bc253227d1f5fe9d7cb709beeb34ab6b4f17359cb222cc370c9be6bb8063746c4e1d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4B6BC53D7EC545A581774A7E8290F23E.TMP

Filesize
1KB

MD5
0ac4c3989fde071852ce796f8444788d

SHA1
cf3a4b1fb9cf59edc1d331a5f6aa9944cddcf5a9

SHA256
fd7045ea7910f2d8cbbfe557862be24c526b8dd6f1485708b814ce429ca6c1da

SHA512
2059b66afd40b5e3514ee1fda3ec79a7bc4c28953ba4e2bae38e0f397e2a0b5118229af8a11823c5dc8a15ebb138f9ae426340c041e8a90e7611ef13ab17098b

Download Submit
memory/3916-25-0x00000000752E0000-0x0000000075A90000-memory.dmp

Filesize
7.7MB

Download
memory/3916-26-0x00000000009F0000-0x00000000009FA000-memory.dmp

Filesize
40KB

Download
memory/3916-27-0x0000000005900000-0x0000000005EA4000-memory.dmp

Filesize
5.6MB

Download
memory/3916-28-0x0000000005350000-0x00000000053E2000-memory.dmp

Filesize
584KB

Download
memory/3916-30-0x00000000752E0000-0x0000000075A90000-memory.dmp

Filesize
7.7MB

Download
memory/4052-0-0x00000000752EE000-0x00000000752EF000-memory.dmp

Filesize
4KB

Download
memory/4052-8-0x00000000752E0000-0x0000000075A90000-memory.dmp

Filesize
7.7MB

Download
memory/4052-2-0x00000000057E0000-0x000000000587C000-memory.dmp

Filesize
624KB

Download
memory/4052-1-0x0000000000E50000-0x0000000000E5A000-memory.dmp

Filesize
40KB

Download
memory/4052-24-0x00000000752E0000-0x0000000075A90000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing