1a33ed5ee50b86dea6ac282a8ceea48ac6b92a9d573e56c944bb449ee8741e58

General

Target

db9d44868f38f3b02be940cf7300c1d0_NeikiAnalytics.exe
Size

12KB
MD5

db9d44868f38f3b02be940cf7300c1d0
SHA1

3ae2233685f26a6997e986bdf1728962a01364e9
SHA256

1a33ed5ee50b86dea6ac282a8ceea48ac6b92a9d573e56c944bb449ee8741e58
SHA512

3f766eac26841590ca410a9c9a97b7badd0c4a7b7bb621b5393585bd5f67545cd194ca6a8d9d12c18ecf299230aeb5d8cad7dddbafecdaac91eef8ec5fba3336
SSDEEP

384:5L7li/2zSq2DcEQvdhcJKLTp/NK9xarX:J6M/Q9crX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	db9d44868f38f3b02be940cf7300c1d0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2796	tmp53BE.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	tmp53BE.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4524	db9d44868f38f3b02be940cf7300c1d0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 4164	4524	db9d44868f38f3b02be940cf7300c1d0_NeikiAnalytics.exe	87
PID 4524 wrote to memory of 4164	4524	db9d44868f38f3b02be940cf7300c1d0_NeikiAnalytics.exe	87
PID 4524 wrote to memory of 4164	4524	db9d44868f38f3b02be940cf7300c1d0_NeikiAnalytics.exe	87
PID 4164 wrote to memory of 2244	4164	vbc.exe	90
PID 4164 wrote to memory of 2244	4164	vbc.exe	90
PID 4164 wrote to memory of 2244	4164	vbc.exe	90
PID 4524 wrote to memory of 2796	4524	db9d44868f38f3b02be940cf7300c1d0_NeikiAnalytics.exe	91
PID 4524 wrote to memory of 2796	4524	db9d44868f38f3b02be940cf7300c1d0_NeikiAnalytics.exe	91
PID 4524 wrote to memory of 2796	4524	db9d44868f38f3b02be940cf7300c1d0_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\db9d44868f38f3b02be940cf7300c1d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\db9d44868f38f3b02be940cf7300c1d0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fdq2qxnk\fdq2qxnk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5573.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF5A305A61645AFB91D77F85DB8CDA5.TMP"
    3⤵
    PID:2244
- C:\Users\Admin\AppData\Local\Temp\tmp53BE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp53BE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\db9d44868f38f3b02be940cf7300c1d0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
1175978d3091e9bee5db76440b9bdaa4

SHA1
a6198a5d9d75b7e8ba076d97d5b88f59356cdcb6

SHA256
e523f5fa0a51cd9a6b171ce0f9628359431c8bafb36ee8dd840907a5a613ab33

SHA512
a2937b4a42ad7df2b83ddad1c3817432ac23214594ec1d08e2e3d1718f29c78ecd29c01bc072ec999b0d444bc0e2e029ff36ad70304c413a036d02169e23801b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5573.tmp

Filesize
1KB

MD5
a7bf6d26a646e4505b8f00bd1b22e313

SHA1
f0dbda83622dc1fe46dba94ff14b44cc26233c82

SHA256
9b11500d21491042d70030adb4f4748e482078152327e2dd20abfc0a7dd7898d

SHA512
99df867da48cfd047a20187263d4a552dae96bec2ff93af7112ab3bd1984610e2e2d2ddf8cdbf8e2ce520059e98b34af62466fd7e4ca25ae54b3ce79f48d5367

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdq2qxnk\fdq2qxnk.0.vb

Filesize
2KB

MD5
76dd5118cae0ee6772bce2852ee9a49a

SHA1
3067f5badbf12320a3d6def782680f0eba5bbe0a

SHA256
0c071bef990d32964d3f8560bc83593c76697aebd0bae2ffadbd7135808cb973

SHA512
7e4d5c4b17033712685c79e432780d1841e91fc44c011755a57d2ec8c4d9317c46b749b3a38d6dd4cadcea99d74f2f2d4a9ea8e8638e441961866f1c75696540

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdq2qxnk\fdq2qxnk.cmdline

Filesize
273B

MD5
fc74e026c83f039992f99c45bd1c225b

SHA1
e95982290121e5f939f67b3d04fa846e9655f535

SHA256
65406c6bea4a2f30a7e9e869e1d181125d944568d4c4bdfcbfaf6425f3f82f30

SHA512
4b4d79e0b0e22b428c919a060f28e1e362034e958cb6eeb9faa437a5dd4e54bed3f010ec04954b679c2b3bfac7d5c7ad6b3259a44faa9dd756955d90885e8041

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp53BE.tmp.exe

Filesize
12KB

MD5
b63310a1c5b8ac172a4b949f53d26c94

SHA1
74db87a04e454079051225cbbe2a70b470c1d116

SHA256
9600b303805b88b56b98c2d27931459dae47db219a6a1598ebd9aaeeed484671

SHA512
239d47489d6245b348dc7d36953476539362b778562765d54490dc0f362ab5f83dd31445555dd416dae785e375668beedaa96e9ff5ec20e60041b9fe75818bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCF5A305A61645AFB91D77F85DB8CDA5.TMP

Filesize
1KB

MD5
63869a028e6aa8c53a07e59b5b3355f7

SHA1
acaae3a88370966300c98506faee33df7e516d8b

SHA256
a19182fd5e798bdaaf80b026b35b79bb1f9d47aa2b43127c52fa71532beac271

SHA512
a002e24e4d60e4f24cd8bc84e77c811f99f83f3492d84a59f7af49aec2123d8787014325cc709015d29cdb9ee23d117efc2ac031299f6871cc59351716ae9449

Download Submit
memory/2796-25-0x0000000000FC0000-0x0000000000FCA000-memory.dmp

Filesize
40KB

Download
memory/2796-26-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/2796-27-0x0000000005ED0000-0x0000000006474000-memory.dmp

Filesize
5.6MB

Download
memory/2796-28-0x00000000059C0000-0x0000000005A52000-memory.dmp

Filesize
584KB

Download
memory/2796-30-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/4524-0-0x00000000746CE000-0x00000000746CF000-memory.dmp

Filesize
4KB

Download
memory/4524-8-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/4524-2-0x0000000005670000-0x000000000570C000-memory.dmp

Filesize
624KB

Download
memory/4524-1-0x0000000000E50000-0x0000000000E5A000-memory.dmp

Filesize
40KB

Download
memory/4524-24-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing