e0fefaeb970b8ff2b079e696e5d66715bf98d04ca005b1cfb0ce00c54b411a50

General

Target

01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe
Size

12KB
MD5

01f9a5120de1b2b1f94ffe742b596250
SHA1

3a132d13cd644c8197218bac49a38fd2691ac5ec
SHA256

e0fefaeb970b8ff2b079e696e5d66715bf98d04ca005b1cfb0ce00c54b411a50
SHA512

1104720a63ce25753fe7a678319f443cc29e82434950a3f8322d52ea644c641f5065c05a88f937fb078fca5544aaccfa011bdb00afd117ea35f293de4fe18532
SSDEEP

384:pL7li/2zYq2DcEQvdQcJKLTp/NK9xavar:ZkMCQ9cvar

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
364	tmp95F3.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
364	tmp95F3.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2212	1152	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe	98
PID 1152 wrote to memory of 2212	1152	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe	98
PID 1152 wrote to memory of 2212	1152	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe	98
PID 2212 wrote to memory of 4248	2212	vbc.exe	100
PID 2212 wrote to memory of 4248	2212	vbc.exe	100
PID 2212 wrote to memory of 4248	2212	vbc.exe	100
PID 1152 wrote to memory of 364	1152	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe	101
PID 1152 wrote to memory of 364	1152	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe	101
PID 1152 wrote to memory of 364	1152	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe	101

C:\Users\Admin\AppData\Local\Temp\01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\divgyhse\divgyhse.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB60.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1321CE9429874E169EC2679C7D679C83.TMP"
    3⤵
    PID:4248
- C:\Users\Admin\AppData\Local\Temp\tmp95F3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp95F3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2208 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
c5382c6a2135edebf620b90215cd1eec

SHA1
6cc0f9b9dcc2c6c4a6259491d07e144a08e55f16

SHA256
3b04ea30d107ec8cbb242cabce54f5a0fb20b1089b1c1e9fbe140a4c879d2f92

SHA512
ea97522a7da2be5f44d9734d3c95830614bc41b9666811a1f7e97173aaa21436b547c6a8d79ab85a8006be332fd91f878d602d3ce96fa6df771c882e79832feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB60.tmp

Filesize
1KB

MD5
e2a0da0853c86e5f45983e1cb88bfe68

SHA1
9949277ac66af8f0c72177296ecede7a9450fc33

SHA256
8f5dedfa63be6a1ddcf9876e1cfc51709863ca269ed482b8276779ffd260d848

SHA512
0c9b2ef83bebf94fb9c0c3ae00822151e1f4390e7f798984f951cc76f0487d2e5ddc4e12173dc552d5b5b28678c3cff2729a6752408ae49fb040750272055697

Download Submit
C:\Users\Admin\AppData\Local\Temp\divgyhse\divgyhse.0.vb

Filesize
2KB

MD5
dfa74ca2fabab677582b5f11df7fffa7

SHA1
8faa2df0d36c617e91a081f10950a80f7d0d6ea8

SHA256
1f03ed4b444d288f019c20dd450ab86cb3c5e86bb3cea9741374f68f4fe79f46

SHA512
f244fbb046edb73ca5ff0a7dd44332b1c486359bbab1e7ff9744cf1de4e8843133af83f2e3b51ee60570725d902dc494a3f3e0f097c8c24219333b9b641a335e

Download Submit
C:\Users\Admin\AppData\Local\Temp\divgyhse\divgyhse.cmdline

Filesize
273B

MD5
ab82cd8d6447ca6554d99dd7ee6b61f5

SHA1
97fa1392d12e8b2fb75c124255383aeeaba0dc88

SHA256
325fa83546ea0058d8c6724a337abfb846df18981e902706628f22d68c843dbc

SHA512
d1b4829de6a1388da89b7d5244ec31b53edf633904db857863b8e9d4c42109f5ce98670d05fb1dc74ed94eccb036a4f07f3478a39631798c9c8c3a844b841cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp95F3.tmp.exe

Filesize
12KB

MD5
6e182084cd3b14e5bc6dc940eb86a0d9

SHA1
931d70791e81ae92f1a5d977c873ed8ad205c8ae

SHA256
658effdb6d92851804ac8e9341ccecd6e4ca13d8aa51a73a9b8fc6e678bea91a

SHA512
e850efe854d9123c285728adc3e715087ba96cf531fc477daa9d63c46667d4c8a6138b0583538b387fa7f97adb460f6829114a20b3d6a92b2aa642ff9b91a9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1321CE9429874E169EC2679C7D679C83.TMP

Filesize
1KB

MD5
43597a79152f595e2496e416a1d01728

SHA1
1ecdf3122579f5dfb0deb692f180e0586552efe9

SHA256
889a2f289d7a3a6be729dc33a760e1642bd1e604b49059a559826fb4eba7470c

SHA512
d33250e366a20f35c8fc9a57479729779fc57b62ea4bfdb8f2e3d65b5d31975e32768733a87f806bdc0cf679247632167347217ade3b34f768a994e13427b533

Download Submit
memory/364-25-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download
memory/364-26-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/364-29-0x0000000005D40000-0x00000000062E4000-memory.dmp

Filesize
5.6MB

Download
memory/364-30-0x0000000005830000-0x00000000058C2000-memory.dmp

Filesize
584KB

Download
memory/364-32-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/1152-8-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/1152-3-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

Filesize
4KB

Download
memory/1152-2-0x0000000005350000-0x00000000053EC000-memory.dmp

Filesize
624KB

Download
memory/1152-22-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/1152-1-0x0000000000960000-0x000000000096A000-memory.dmp

Filesize
40KB

Download
memory/1152-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

Filesize
4KB

Download
memory/1152-28-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing