0ed0f4e4094589992d4b21500c14fbdf5af02a8b0ba9e8cd133b028eebab56d3

General

Target

a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe
Size

12KB
MD5

a183764d0d4dc59eb970008125ae27c0
SHA1

8e84d2f9ae19bd1a141f5e5d5ec82fb79868f4a2
SHA256

0ed0f4e4094589992d4b21500c14fbdf5af02a8b0ba9e8cd133b028eebab56d3
SHA512

30aa47ed5896b072a106ed5a7bba7523cffaf3f497efa3aa326d47b5a73cfc439d4146e04d087f6733f4e6f88915747f4e41eb804772aad2a831b61b35136325
SSDEEP

384:1L7li/2zIq2DcEQvdQcJKLTp/NK9xan0:VcMCQ9cn0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
972	tmp5015.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
972	tmp5015.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3596	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 2676	3596	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe	87
PID 3596 wrote to memory of 2676	3596	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe	87
PID 3596 wrote to memory of 2676	3596	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe	87
PID 2676 wrote to memory of 1640	2676	vbc.exe	89
PID 2676 wrote to memory of 1640	2676	vbc.exe	89
PID 2676 wrote to memory of 1640	2676	vbc.exe	89
PID 3596 wrote to memory of 972	3596	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe	90
PID 3596 wrote to memory of 972	3596	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe	90
PID 3596 wrote to memory of 972	3596	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kchsd1j1\kchsd1j1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5227.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9EB97F39505449AC936B598858959B.TMP"
    3⤵
    PID:1640
- C:\Users\Admin\AppData\Local\Temp\tmp5015.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5015.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
c0640d1ae9d92b07a7f0b1f7a584fb42

SHA1
a42c2fcee58368e7364bf79f0014759185b13bf2

SHA256
0915f01032a42bb1559c18cc6427b3bf4e548497d176d42346d147df9f40a136

SHA512
5e3ddc49fb0b896c91624292956f6f803ba6239d8416bda69e5603dbbf4e78595db5394711c17da1bf5b7f2f3319a1c5d999f2103b28bbaaf6af9b0b28899b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5227.tmp

Filesize
1KB

MD5
4c15430986231ac7a546881ac66d066a

SHA1
34979d078e566b8226bf561e74417746f5059d4a

SHA256
52bc7990f94153131186a717e387edd1a050e98a446d70e4d84f2034ac775699

SHA512
c0326e14e564cb809aeed62cec26808650206901c231fb71fa51657d9e421892c2c4ea26f7d2317246ec9b122ea8ac1aa5038523c7b8498b8cafc9ce28e010c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kchsd1j1\kchsd1j1.0.vb

Filesize
2KB

MD5
8a42308190de0b08c7af589ec705103a

SHA1
9823f7d719ac3c1c739540e23a020b1f3b4636c4

SHA256
f7609016095da795c421009eea40ba10e014b8c9de1896715e1be1b68ba7e709

SHA512
d43e2bd1fd273dc2653d979bf9e145649d764101bbe4817879fe4dd51d6a9920c1f42ff1d76b11f54503cb730dd298ee8c9f57201d7fbf243bd757edc0020b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kchsd1j1\kchsd1j1.cmdline

Filesize
273B

MD5
fb0d20eada04985baf4ae03e91bd1fee

SHA1
06ccbb99cebe4bcc1b022ecead5573c9495e5e95

SHA256
8fd602aaa171b2596d4e8517ef4cf4fc8cba42ecb135e546881961711672a6c8

SHA512
89f91987c6bd3e06d5922a000e052cf20bd6a6858c064ac107d9fac543300b78978df0ea9110a418d888584799e2ee6464e5bd5899002520ae15c6ce9ea264c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5015.tmp.exe

Filesize
12KB

MD5
6ef545763f3178fbc0bfad7bd3133eb3

SHA1
96886a4103ed119bca433fb0f7f3e3d4e527994b

SHA256
e05fedcea50ad743f8668443a5005629c40cad692c3917960fd94d330d822e4d

SHA512
bbb7946c08f9fd897b5f8b3aceccb9983bc9f302dc62faa50c6f2c395766ed6356666c6b9267cf48190517c45806fe88b7976edb32777667cdc08877dfb8f2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9EB97F39505449AC936B598858959B.TMP

Filesize
1KB

MD5
5e2df4091c08de069ed7e726717bfacf

SHA1
2fd07c1396840f3166d58f012c8c8af1f2a64103

SHA256
b9cf8f5f56e10434f8ce3f5b2395576655447bc49fb174e8b8563cbcb7ed2c88

SHA512
2bc4de5143e09a75a07cd3a5a495b2b3b00c60bca1f8342df0c54da007495337680c7244d7ab13070bf0eaa971718eede482515cdd4204fe968437f90c638aca

Download Submit
memory/972-24-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/972-26-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/972-27-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/972-28-0x0000000005860000-0x00000000058F2000-memory.dmp

Filesize
584KB

Download
memory/972-30-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3596-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/3596-8-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3596-2-0x0000000004DE0000-0x0000000004E7C000-memory.dmp

Filesize
624KB

Download
memory/3596-1-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/3596-25-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing