d2deb3e30bf128ede269a655e9ce883989997ea44df2536118e6c09462c06adb

General

Target

00c326d9bc4a64c9d6173d2840d585e0_NeikiAnalytics.exe
Size

12KB
MD5

00c326d9bc4a64c9d6173d2840d585e0
SHA1

d2d4727216f303f141a4b8a7e5c00bd8ee75ca3f
SHA256

d2deb3e30bf128ede269a655e9ce883989997ea44df2536118e6c09462c06adb
SHA512

ec96c3562cd088aaca6666ecd7117eb6e8d74b6b11aafb09e3c6c331ad3a23505f0ec744fd13052886ed9e71e8fd088114b2fbeef262891b8cbbe658827aa45e
SSDEEP

384:+L7li/2zXq2DcEQvdhcJKLTp/NK9xabl:ozM/Q9cbl

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	00c326d9bc4a64c9d6173d2840d585e0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
224	tmp3133.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
224	tmp3133.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	00c326d9bc4a64c9d6173d2840d585e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4512	1800	00c326d9bc4a64c9d6173d2840d585e0_NeikiAnalytics.exe	85
PID 1800 wrote to memory of 4512	1800	00c326d9bc4a64c9d6173d2840d585e0_NeikiAnalytics.exe	85
PID 1800 wrote to memory of 4512	1800	00c326d9bc4a64c9d6173d2840d585e0_NeikiAnalytics.exe	85
PID 4512 wrote to memory of 396	4512	vbc.exe	87
PID 4512 wrote to memory of 396	4512	vbc.exe	87
PID 4512 wrote to memory of 396	4512	vbc.exe	87
PID 1800 wrote to memory of 224	1800	00c326d9bc4a64c9d6173d2840d585e0_NeikiAnalytics.exe	88
PID 1800 wrote to memory of 224	1800	00c326d9bc4a64c9d6173d2840d585e0_NeikiAnalytics.exe	88
PID 1800 wrote to memory of 224	1800	00c326d9bc4a64c9d6173d2840d585e0_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\00c326d9bc4a64c9d6173d2840d585e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00c326d9bc4a64c9d6173d2840d585e0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\td3zed5b\td3zed5b.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES322C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF41F5E657F34A5E95C92FE5A77049B.TMP"
    3⤵
    PID:396
- C:\Users\Admin\AppData\Local\Temp\tmp3133.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3133.tmp.exe" C:\Users\Admin\AppData\Local\Temp\00c326d9bc4a64c9d6173d2840d585e0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
cb7d655bb45fa77592b1b4321597273e

SHA1
8949760aa70b18e2513429f4d0c117634220a410

SHA256
d7c242e7b0892b8616c3e163ca95cf5ae683a2ab19e726d0765dfebb56a7b71f

SHA512
2ae452d2e5f344542a2489bd6d48a81dc3578f6775aaadb33e92db5431a5f1856ca2f87de0c5689caf36483629e0f5c0fd31c3d29302101d66de850c37267c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES322C.tmp

Filesize
1KB

MD5
20454bf32c18892af462dacb0749d191

SHA1
5864fc1ce496dff9b97211d07b398277d4d3ce71

SHA256
e5c36cbf7c7d452248683d28f1ed8770c4ac4ba87b655f3b7bb071dcc38d07d7

SHA512
b2a683adfb82c6efc6a05325bded2f881be542cb2bd7967ffa6dd28d44cdd309e68ed7272c19eb06b4a38493c3425743578f92532af3643a446d04ed9cb32977

Download Submit
C:\Users\Admin\AppData\Local\Temp\td3zed5b\td3zed5b.0.vb

Filesize
2KB

MD5
6b1b38842931f6a527d75066384b3dcf

SHA1
1d341ae777b57d549976fca03d63984ffbf56d46

SHA256
ae120ba08e98525efc3276d72c706bdcb40128c776744a7198888313f4db6628

SHA512
c17000b2a85ddae65d02a7c8f7ae2a3f214fbf3d0a24fd75601881936285100609139df5b85889d94651d894f33b379ef8c0dc2b4fa387b7e2127945fa414a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\td3zed5b\td3zed5b.cmdline

Filesize
273B

MD5
33a4f21598cea4558d48514189ec8bcf

SHA1
37c7b436317d40220362ac9e91e08436180b31c9

SHA256
36bf56b1370fa01a675b2fecbd940d27d97d25bbd58f27e2ad37bc616f3c7c0a

SHA512
9eb6c15fbf02080e4ddd0bf12916a17a3c82d1bfce71517f921ef911381c3479219ea2480f1751603f64582edcc1d6b7b7588f96c0afd1436e5303d7e85e2eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3133.tmp.exe

Filesize
12KB

MD5
2dc5fb3592d947a4c6f5c7f740ad941e

SHA1
602df03ff5fd792b8499a588e1809c77db21d616

SHA256
599defb6b176578e6c1658bf6ee3ba0eeb4ff42893f6e04c14106f7733397270

SHA512
f2cd036e42e5b506283504c8ed2d0f3b1c029a015ddd4b2d8b9795a6173a3fd81291ebdcec4e72c99d52be5d9af48ad4bd1585e225f86d05708e7022a77a6566

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBF41F5E657F34A5E95C92FE5A77049B.TMP

Filesize
1KB

MD5
e3176f32d1583e56f6f31272f261221f

SHA1
ffff6855a4ab323a5a0f86b8ba4746bd39c967e1

SHA256
4747a7fe0c8e28afaf6e18995852050bbff310ca8cf74796694930f71304305a

SHA512
f01922eab66af0d2253136202b24745ff427c497561a5b080d6a74bbe7f5f6769d0332b9a244898b9bc710a6cae7abc14c24b09a3c11e2487d6314df6b105f6c

Download Submit
memory/224-25-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/224-26-0x0000000000A60000-0x0000000000A6A000-memory.dmp

Filesize
40KB

Download
memory/224-27-0x0000000005950000-0x0000000005EF4000-memory.dmp

Filesize
5.6MB

Download
memory/224-28-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/224-30-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/1800-0-0x000000007532E000-0x000000007532F000-memory.dmp

Filesize
4KB

Download
memory/1800-8-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/1800-2-0x0000000004FF0000-0x000000000508C000-memory.dmp

Filesize
624KB

Download
memory/1800-1-0x0000000000670000-0x000000000067A000-memory.dmp

Filesize
40KB

Download
memory/1800-24-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing