035e7ac3415ccaa74b6e96764c1d0e56a24e29da4b92e0b8ba94a065be066d0b

General

Target

06bc72d9ef565b06e4498a6268e833a0_NeikiAnalytics.exe
Size

12KB
MD5

06bc72d9ef565b06e4498a6268e833a0
SHA1

c8ecccd08e945c073aae75995a0f9f223c858a8a
SHA256

035e7ac3415ccaa74b6e96764c1d0e56a24e29da4b92e0b8ba94a065be066d0b
SHA512

7ddf67fe6eb29aaec05bf82b90f147c9690ef28b195d0562188f7ee07f76481896a27959a9a81c424f62934dcafef82df5e73410b42ac6264fe2aca5f40d621b
SSDEEP

384:XL7li/2zjq2DcEQvdhcJKLTp/NK9xaOcF:b/M/Q9cXF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	06bc72d9ef565b06e4498a6268e833a0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3672	tmp43B1.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3672	tmp43B1.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1892	06bc72d9ef565b06e4498a6268e833a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 2820	1892	06bc72d9ef565b06e4498a6268e833a0_NeikiAnalytics.exe	86
PID 1892 wrote to memory of 2820	1892	06bc72d9ef565b06e4498a6268e833a0_NeikiAnalytics.exe	86
PID 1892 wrote to memory of 2820	1892	06bc72d9ef565b06e4498a6268e833a0_NeikiAnalytics.exe	86
PID 2820 wrote to memory of 3660	2820	vbc.exe	88
PID 2820 wrote to memory of 3660	2820	vbc.exe	88
PID 2820 wrote to memory of 3660	2820	vbc.exe	88
PID 1892 wrote to memory of 3672	1892	06bc72d9ef565b06e4498a6268e833a0_NeikiAnalytics.exe	89
PID 1892 wrote to memory of 3672	1892	06bc72d9ef565b06e4498a6268e833a0_NeikiAnalytics.exe	89
PID 1892 wrote to memory of 3672	1892	06bc72d9ef565b06e4498a6268e833a0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\06bc72d9ef565b06e4498a6268e833a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\06bc72d9ef565b06e4498a6268e833a0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ec3rhlwg\ec3rhlwg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4508.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA56D3713C22E463493B11B547656EE96.TMP"
    3⤵
    PID:3660
- C:\Users\Admin\AppData\Local\Temp\tmp43B1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp43B1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\06bc72d9ef565b06e4498a6268e833a0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f1aa5c432a8d836774b188d7f56dfaa3

SHA1
bebd99db499cba57c71d2b7690e283e0d373712f

SHA256
d8eaaaec34a31027c2a815b890fee4492ac3ce1d7996917abe272aef0f459e37

SHA512
4b841e3bd3d2767d1d5df51bbcb81a2f57c7135e4fb1d279d55677c681d4ecef9f6b49b922bb02fa479c7a118bfb0b24fd3bb97e3feb659da62f12d4e88e2356

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4508.tmp

Filesize
1KB

MD5
f6352f3df5f7beafe988137d8014d503

SHA1
9569615c13bb7e3a86e2a41e6643eed1e222fe49

SHA256
7b3fbcc101a93bf978de25b449069a827c98f050a5feef981c0648fcf58285d6

SHA512
3afbfc77f92182119f4d15e00507a3c00a99a3780013affd92cdcbd8c7650429b062ce6e4b45332f34f5d7874145e0fb9c47877939b9ab5ba1be0645714ae3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec3rhlwg\ec3rhlwg.0.vb

Filesize
2KB

MD5
e1c8e59ac67a6094745876efb2b804c0

SHA1
9d8b17fda940ba9c87734890d165f23f21bb2f54

SHA256
72453b5e3b5e0530714f5961fa4fb304f91b10c5428fc0dca2255cf3ea0db570

SHA512
11ea5a32991f7aff02295dac215a7acd17d6b63d1e708575a8784e3638d235a9e9cb574bdfe038961d992d248222a35e51b625fc606fa61735de1116f8d9ea12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec3rhlwg\ec3rhlwg.cmdline

Filesize
273B

MD5
51a8b2865aa087909cc61b6816b66a5c

SHA1
6790824a5de98f9efa6b2b231a74f8b7076cec99

SHA256
08ca6501d8659be11eaffad45bcba3899109044955b107ea5e6bf8b60b6bcee7

SHA512
d2a3e1d85397d40184c68e21e53319353c2fef32dee494e84181045f4a24efb594abf0138859913a039a3e460285add3fd4fac0dc9f019fdb899c44e01407164

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp43B1.tmp.exe

Filesize
12KB

MD5
09184b547550a30028605e4a74b5b6a7

SHA1
fc23e7b165207c9e1009dc218f07485f60ccdf05

SHA256
bc70262da76938b4660fe0a2235cb9d6721ae373027ee0e2e8c1e8e836d06113

SHA512
274bc639372db7aaba11dd3447aed275e21e3ff50adc9a42cb0ab7a377dfc611c9e51ff0af4f0bc57a4239c8e9db70c91d45adcb3f22d0726c6937db79d1b95e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA56D3713C22E463493B11B547656EE96.TMP

Filesize
1KB

MD5
d7405c6b55555ad506d338b21c87d8af

SHA1
ea0c849fd1df731e66f51f1050371c5a8f8972e0

SHA256
a771073ab3a5503058c6509b8f28264b4d20be01a5b0ec4a5c2bc25caa9bb8a3

SHA512
944b752f5394cd43458e23bb647c3dd335d1cf6aa34279ca8b7523e65ab3dd38d0d9b16956701f3f6774f8e5eeae7fa405675cf4d4da17140a3b6dc2e6f3f29e

Download Submit
memory/1892-0-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

Filesize
4KB

Download
memory/1892-8-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/1892-2-0x0000000004DB0000-0x0000000004E4C000-memory.dmp

Filesize
624KB

Download
memory/1892-1-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/1892-24-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/3672-25-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/3672-26-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/3672-27-0x0000000005130000-0x00000000056D4000-memory.dmp

Filesize
5.6MB

Download
memory/3672-28-0x0000000004B80000-0x0000000004C12000-memory.dmp

Filesize
584KB

Download
memory/3672-30-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing