37d1c491f7218be7b012f3887996c404ebe72a2fce5a2b2b682d12e5d2a6678e

General

Target

2078789126d0f957c30220478428b920_NeikiAnalytics.exe
Size

12KB
MD5

2078789126d0f957c30220478428b920
SHA1

235b26d7a2ea1a4c05dbfda6fa6711826f16a8f9
SHA256

37d1c491f7218be7b012f3887996c404ebe72a2fce5a2b2b682d12e5d2a6678e
SHA512

6e7378db6950fc2367ae60bd7aa673c832e06fd7ef158b2232554dcf9bd58fb4f559e0481d1e61486fff09ccbbb8c003d6d77c20f3090afd9ce334cb5aff2cc3
SSDEEP

384:IL7li/2zsq2DcEQvdQcJKLTp/NK9xaH5:2gMCQ9cH5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	2078789126d0f957c30220478428b920_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2892	tmpEDDB.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2892	tmpEDDB.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	2078789126d0f957c30220478428b920_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 848	3068	2078789126d0f957c30220478428b920_NeikiAnalytics.exe	94
PID 3068 wrote to memory of 848	3068	2078789126d0f957c30220478428b920_NeikiAnalytics.exe	94
PID 3068 wrote to memory of 848	3068	2078789126d0f957c30220478428b920_NeikiAnalytics.exe	94
PID 848 wrote to memory of 4012	848	vbc.exe	98
PID 848 wrote to memory of 4012	848	vbc.exe	98
PID 848 wrote to memory of 4012	848	vbc.exe	98
PID 3068 wrote to memory of 2892	3068	2078789126d0f957c30220478428b920_NeikiAnalytics.exe	99
PID 3068 wrote to memory of 2892	3068	2078789126d0f957c30220478428b920_NeikiAnalytics.exe	99
PID 3068 wrote to memory of 2892	3068	2078789126d0f957c30220478428b920_NeikiAnalytics.exe	99

C:\Users\Admin\AppData\Local\Temp\2078789126d0f957c30220478428b920_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2078789126d0f957c30220478428b920_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\alhvm4ks\alhvm4ks.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFBF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34ABB26E2EA446429DD8D539489FFAE3.TMP"
    3⤵
    PID:4012
- C:\Users\Admin\AppData\Local\Temp\tmpEDDB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEDDB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2078789126d0f957c30220478428b920_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1748,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:8
1⤵
PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
a608f3d17cf3e13a09f79f83671a3237

SHA1
32eb5211499900d9e97742810d5207f9b51c0c01

SHA256
ab93f0739556adfb881e9cc0f0eaf657dc64f21716f4513b8cd6c211825e80f1

SHA512
8c314efae68f7346e5f9b72c5a50f8d0fae752f9055950beba3560f8e39bf19582a24f31ae3ea87e117db1e43b1759074e298dcd37d86c845cd45454bc685777

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEFBF.tmp

Filesize
1KB

MD5
84c13ba2e29af4468a7862233abdcf9e

SHA1
2b325ba77c91ed0c587997301e3ce01797ea5bc1

SHA256
97108cd7ade1fd2a26b2e573cd86f7b640f7424b126d5167faab3ff49c830049

SHA512
266e812781776a4cbc991e58dd4e6e888a3dffd632922ccbff5e226c82f2ddc68698dc5fe5a366838e853eb0e8625288c8b39cf588346e6be9e4ce12c4522005

Download Submit
C:\Users\Admin\AppData\Local\Temp\alhvm4ks\alhvm4ks.0.vb

Filesize
2KB

MD5
aad386b656968393dadadc31077f08cd

SHA1
e6f8fab527f199d3b14233d32069e23ead986aa9

SHA256
e01e133e16a7257117c76e3dc18a3cfa935a19277a747f6fcb40d61096630564

SHA512
2feb01b1587dffda12578d870fcae242100d3a16ed9803d21200026e823e7c839479f4ca071e479b0df34f32c4567c921b37872ddf7cdef4796d04204edeb394

Download Submit
C:\Users\Admin\AppData\Local\Temp\alhvm4ks\alhvm4ks.cmdline

Filesize
273B

MD5
b03e0c31a6d3843f57bdb1ae541c260d

SHA1
3b67469198e76f36d22d7132e237b991392fbb54

SHA256
ee19e89ff3c8668103251b623e17faf6f310a764226a199bd7665fd01dbf3c49

SHA512
b28bfbdabe35b0b1cd216a92a5445cd8078a540ebfa700ebbcb382d8be1bb4d50d862660f62d56d62be71100b50ed52d8970a478a24a7c77a40981699bc13f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEDDB.tmp.exe

Filesize
12KB

MD5
9fde7d952027d265469340f0e6d35da0

SHA1
e747346b4de9379ad5790d35aa1dae859a0ee69f

SHA256
ecc76edeec8c0e267d4be2bc2777cd15c056b3dd4040bce28e62a9e9c1191abc

SHA512
ca31463b5fd7247c4794ab1d17dad834029c20625a4965098001692b4fae386a0b48a1cf04bfc4aa19825e40fa9a8929e4cc20c21699476d5af3b1cdd2ff455c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc34ABB26E2EA446429DD8D539489FFAE3.TMP

Filesize
1KB

MD5
20afb436e7d4efb9aef1c4d373a71eef

SHA1
271ef9d1338f8ad8895930a3d8ea51eade246e3b

SHA256
c7ed622d745d665fb2c084f2fb83d1cc1b42e7981327ebe9371717d8d1f2df73

SHA512
c64a4cf4c2a2cbd0a12128371fd13c631237b99d9f241d9e6a25801634f8436887a2839a972b9eb1979444d0b12170d0d71086899cd32120207578581e201c01

Download Submit
memory/2892-25-0x0000000000F60000-0x0000000000F6A000-memory.dmp

Filesize
40KB

Download
memory/2892-26-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/2892-27-0x0000000005EA0000-0x0000000006444000-memory.dmp

Filesize
5.6MB

Download
memory/2892-28-0x0000000005990000-0x0000000005A22000-memory.dmp

Filesize
584KB

Download
memory/2892-30-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/3068-0-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/3068-8-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/3068-2-0x0000000004EA0000-0x0000000004F3C000-memory.dmp

Filesize
624KB

Download
memory/3068-1-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/3068-24-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing