Analysis

max time kernel: 140s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/05/2024, 11:39
Static task: static1

Behavioral task: behavioral1
  Sample: eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General

Target: eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe
Size: 12KB
MD5: eced8197efc825de9bdf0766df90e9b0
SHA1: 008bad968d2f89d9db06f35f39f17b26811aa5ee
SHA256: fdecb80962839579c9fa64d60261750101dd87424b003f09a7a82a76515f7307
SHA512: 86427bd75f8f68c3cbc04580ab583b96786bd5a5e39fe9d59726f39e36fde11bd515f647e3157e5f5f40a4c6da5809e024a05d56c5863f2007fb7835b4adb86e
SSDEEP: 384:YL7li/2zpq2DcEQvdhcJKLTp/NK9xaBO:mhM/Q9cBO
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
  Process: eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe

Deletes itself (1 IoC)
  pid: 1096
  Process: tmp564F.tmp.exe

Executes dropped EXE (1 IoC)
  pid: 1096
  Process: tmp564F.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 3204
  Process: eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                               procid_target
  PID 3204 wrote to memory of 4484   3204  eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe   87
  PID 3204 wrote to memory of 4484   3204  eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe   87
  PID 3204 wrote to memory of 4484   3204  eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe   87
  PID 4484 wrote to memory of 4568   4484  vbc.exe                                               89
  PID 4484 wrote to memory of 4568   4484  vbc.exe                                               89
  PID 4484 wrote to memory of 4568   4484  vbc.exe                                               89
  PID 3204 wrote to memory of 1096   3204  eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe   90
  PID 3204 wrote to memory of 1096   3204  eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe   90
  PID 3204 wrote to memory of 1096   3204  eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe   90
Processes

C:\Users\Admin\AppData\Local\Temp\eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe"
  PID: 3204
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 2)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cm200l1t\cm200l1t.cmdline"
    PID: 4484
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 3)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5880.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0EC029CAAC74CC78D1584A9BFE927A.TMP"
      PID: 4568

  C:\Users\Admin\AppData\Local\Temp\tmp564F.tmp.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp564F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe
    PID: 1096
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 8817843f33de873b351ca888d467c440
SHA1: 52907f2f6dc148cadebd27ba0be94d802bc23637
SHA256: 3a442b613fc0177ec90462213582e033ab639e7af6eab73ec6431d3f44ccfc96
SHA512: 57b2f39cc6c38d62bb1b4e464fba7815d582c2c3944ae147f56a113912281e593f4ff11c30864b31986b80816922d36b0616c3b771b8543a895c57a3fc17bea3

Filesize: 1KB
MD5: 6d1685827c16dfb6460d22b04026b92e
SHA1: 594eae888630b2d5361283f29ffa2dc4c5d60006
SHA256: fcf4729bd483f8890db74ec2cbf0999e34adf0f977c7f4fccc69abdd6ddf8a4c
SHA512: fa48c1f5e8732c00904ef1da6e8f10f9d42c85d26f90239eec5167a23ca0fb36443088cb71bf1f36f4159643bf756e5ce33356235afc7b976658b33a11dc759c

Filesize: 2KB
MD5: 3e8c9aeb86bdc4cc7db6fc3e1c78c118
SHA1: f3b2343229cb33168a758dbb2317a9ffe2caeb9c
SHA256: 4b3126448d4a328ce2f9bda4c3f145c5ff37bdb8135fa06cfd42aeb7537308e5
SHA512: b4fcf0b81bc0a933228f88920fb2a5e34550317b961f8739383dc18077ca018db67e6ae7b0552627dd986043f858061470ab98e40ec0bc20311d5671f75b7a78

Filesize: 273B
MD5: 3a0552ca833fd5198762e37509af629d
SHA1: a782b0b5633b50707838897e8f5d651664746ce6
SHA256: c44e0868c738b9da3e8e0bac701a3613f1e1d382a4c0005bffe83911e5a70812
SHA512: 6b5328506b27461e3102bc785fc8ebc915ef1506c2978cb2419ee0c1ba8e0d6f2319ada9b1961b6e638b1fc5a6726d27dd98adad6bd1bc691231661842ca0d3a

Filesize: 12KB
MD5: 35ee58845e17e86b91b383e0a3e934f9
SHA1: 0b1dfb86005e1179a15b05df14e70ff30b5490a1
SHA256: c4d2984598ee7ad8429c81887cccfe13302ddb3340f99f908ccc536e38560066
SHA512: e87f7d6ba9c21a2f1d98fbc8871482be4a3ede2e93a1db1ca970945e33e7f5081a544957e168ad7fed306d1157b963801d0bfcd10b7fd1b038ba09a7bdb19a61

Filesize: 1KB
MD5: a8f96969610fba30e82ba16ae7217d44
SHA1: cb8709d5fcef2b797e755b7364287d8a2673bfb0
SHA256: 48167fd1730beb0e51d97cd7fafe56520e1a078fde0e42fd22ac4b819d14651a
SHA512: c9b22c670b0f4605e0e59cb08c7b6b098e243a2b332560a165caba306e22794d7a35ed051713f6d9225d63fb12f505aeb0a3e6871055e4b47ca3b2f68e6b6e55