Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/05/2024, 10:30 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
Size: 12KB
MD5: 514721b58189a2cb0132f06b1061f900
SHA1: 2f55a861874e9e32990d9ee8ea86695ece396fa7
SHA256: 55f4dcbe3a9fecf82f78ba628fb6375e0e800b7d04bae2bc8f78b220926f5c51
SHA512: f0fd4c584fd83d4442964fd556c383acdf436b790deda81fe5fcc5509c99c7e89995b03fc37e14b2ff74cba520de1e606d1b959dc247eca367b5bc58de2a39f3
SSDEEP: 384:XL7li/2zsq2DcEQvdQcJKLTp/NK9xaAY:bYMCQ9cAY
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
  Process: 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
  Geo\Nation holds the user's Windows GeoID (an integer country code), so a read here checks where the machine is configured to be rather than where it actually is; a VPN or a different locale on the analysis VM changes the outcome.

Deletes itself (1 IoC)
  PID 4996, Process: tmp6A44.tmp.exe

Executes dropped EXE (1 IoC)
  PID 4996, Process: tmp6A44.tmp.exe

Uses the VBS compiler for execution (1 TTP)
  The compiler in question is vbc.exe, the Visual Basic .NET command-line compiler under C:\Windows\Microsoft.NET\Framework\v4.0.30319, not a VBScript engine. The process tree shows the runtime-compilation chain (vbc.exe /noconfig @<name>.cmdline, then cvtres.exe for the resource object): source is dropped and compiled on the victim instead of shipping a finished binary, which also means the compiled payload never appears in the original sample's static hashes.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 380, Process: 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Writer PID | Target PID | Writer process | procid_target
  380  | 1620 | 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe | 85 (reported 3 times)
  1620 | 556  | vbc.exe | 88 (reported 3 times)
  380  | 4996 | 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe | 89 (reported 3 times)
  Every target is a child the writer had just created (see the process tree), and each spawn produces the same three writes, the pattern of the writes made into a new child during process creation. The report shows no write into a process the sample did not start, so on its own this hit is not evidence of injection into a foreign process.
Processes

C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe (PID 380, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1620, level 2, child of 380)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iedugzqd\iedugzqd.cmdline"
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 556, level 3, child of 1620)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C47.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD288C4AA22CA416EBE1912016BAE943.TMP"

  C:\Users\Admin\AppData\Local\Temp\tmp6A44.tmp.exe (PID 4996, level 2, child of 380)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6A44.tmp.exe" C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
    - Deletes itself
    - Executes dropped EXE

Reading the tree: the sample hands vbc.exe a response file in a random-named Temp subdirectory (iedugzqd); vbc.exe runs cvtres.exe to build the resource object (/MACHINE:IX86 from the 32-bit Framework directory, so a 32-bit image); the sample then starts the dropped tmp6A44.tmp.exe with the sample's own path as its single argument. That argument layout is the usual arrangement for a helper that removes the original binary once its parent exits, consistent with the "Deletes itself" hit on PID 4996. The report does not say whether tmp6A44.tmp.exe is the output of the compilation, and the Downloads list below carries hashes only, so that link has to be confirmed from the dropped files themselves.
-
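The chain above is compact enough to turn into detection rules. The block below is an added example (editor-supplied, not Triage's signature logic): the process-creation and registry-query events are constructed from the PIDs, image paths and command lines in this report, the event dict layout and the BUILD_PARENTS allowlist are assumptions rather than anything the report defines, and the three rules flag the runtime compilation, the self-delete helper and the GeoID read respectively.

```python
"""Rules for the three behaviours in this report (editor-supplied example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed events, values transcribed from the report. The dict layout
# (pid, ppid, image, cmdline) is an assumption, not a Triage export format.
PROC_EVENTS: List[Dict] = [
    {"pid": 380, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe"'},
    {"pid": 1620, "ppid": 380,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iedugzqd\iedugzqd.cmdline"'},
    {"pid": 556, "ppid": 1620,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C47.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD288C4AA22CA416EBE1912016BAE943.TMP"'},
    {"pid": 4996, "ppid": 380,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmp6A44.tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmp6A44.tmp.exe" C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe'},
]
REG_EVENTS: List[Dict] = [
    {"pid": 380, "op": "QueryValue",
     "key": r"\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation"},
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
COMPILERS = {"vbc.exe", "csc.exe"}
# Assumed allowlist: parents for which on-the-fly compilation is expected.
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _by_pid(events: List[Dict]) -> Dict[int, Dict]:
    return {e["pid"]: e for e in events}


def _args_after_image(cmdline: str) -> str:
    """Return the argument string that follows the (possibly quoted) image."""
    if cmdline.startswith('"'):
        return cmdline.split('"', 2)[-1].strip()
    parts = cmdline.split(" ", 1)
    return parts[1].strip() if len(parts) > 1 else ""


def rule_runtime_compile(events: List[Dict]) -> List[Tuple[int, Optional[str], str]]:
    """Flag vbc.exe/csc.exe started with a .cmdline response file in a user
    temp dir by a parent that is not a build tool (compile-after-delivery)."""
    procs, hits = _by_pid(events), []
    for e in events:
        if basename(e["image"]) not in COMPILERS:
            continue
        m = re.search(r'@"?([^"\s]+\.cmdline)', e["cmdline"], re.IGNORECASE)
        if not m or not TEMP_DIR_RE.search(m.group(1)):
            continue
        parent = procs.get(e["ppid"])
        pname = basename(parent["image"]) if parent else None
        if pname in BUILD_PARENTS:
            continue
        hits.append((e["pid"], pname, m.group(1)))
    return hits


def rule_self_delete_helper(events: List[Dict]) -> List[Tuple[int, int]]:
    """Flag a process running from a temp dir whose argument string is exactly
    its parent's image path: the layout of a delete-the-parent helper."""
    procs, hits = _by_pid(events), []
    for e in events:
        parent = procs.get(e["ppid"])
        if not parent or not TEMP_DIR_RE.search(e["image"]):
            continue
        if _args_after_image(e["cmdline"]).strip('"').lower() == parent["image"].lower():
            hits.append((e["pid"], e["ppid"]))
    return hits


def rule_geofence_query(reg_events: List[Dict], proc_events: List[Dict]) -> List[Tuple[int, str]]:
    """Flag reads of Control Panel\\International\\Geo\\Nation (the user's
    GeoID) by a process whose image lives in a temp directory."""
    procs, hits = _by_pid(proc_events), []
    for r in reg_events:
        if not r["key"].lower().endswith(r"\control panel\international\geo\nation"):
            continue
        p = procs.get(r["pid"])
        if p and TEMP_DIR_RE.search(p["image"]):
            hits.append((r["pid"], basename(p["image"])))
    return hits


def run_all() -> Dict[str, list]:
    return {
        "runtime_compile": rule_runtime_compile(PROC_EVENTS),
        "self_delete_helper": rule_self_delete_helper(PROC_EVENTS),
        "geofence_query": rule_geofence_query(REG_EVENTS, PROC_EVENTS),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

The compile rule keys on the response file living under the user's Temp directory rather than on vbc.exe itself, because the compiler is a legitimate signed binary that build tooling runs constantly; the parent allowlist is where a real deployment would need tuning.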
Network

The report attributes none of the flows below to a process in the tree above. They consist of reverse (PTR) lookups of addresses, an A lookup of tse1.mm.bing.net, and HTTPS fetches of Bing image assets (th?id=OADD2.… URLs at 1920x1080 and 1080x1920) carrying the Edge/18.19041 user agent, which is consistent with Windows 10 background traffic on the analysis VM. Treat them as candidate sample traffic only if process attribution ties them to PID 380, 1620, 556 or 4996.
DNS 8.8.8.8:53  PTR 172.210.232.199.in-addr.arpa  response: none
DNS 8.8.8.8:53  PTR 13.86.106.20.in-addr.arpa  response: none
DNS 8.8.8.8:53  PTR 8.8.8.8.in-addr.arpa  response: PTR dns.google
DNS 8.8.8.8:53  PTR 147.177.190.20.in-addr.arpa  response: none
DNS 8.8.8.8:53  PTR 232.168.11.51.in-addr.arpa  response: none
DNS 8.8.8.8:53  PTR 26.165.165.52.in-addr.arpa  response: none
DNS 8.8.8.8:53  PTR 171.39.242.20.in-addr.arpa  response: none
DNS 8.8.8.8:53  A tse1.mm.bing.net  response: CNAME mm-mm.bing.net.trafficmanager.net, CNAME dual-a-0001.a-msedge.net, A 204.79.197.200, A 13.107.21.200
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 621794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AB07CED5F34D4D739FB2933ACBA00C56 Ref B: LON04EDGE1211 Ref C: 2024-05-29T10:31:22Z
date: Wed, 29 May 2024 10:31:21 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 442324
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 16586B50FB124508A4D9234FC98B2476 Ref B: LON04EDGE1211 Ref C: 2024-05-29T10:31:22Z
date: Wed, 29 May 2024 10:31:21 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 394521
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 45C39B87D4234CE4B7BE4E2A20D41452 Ref B: LON04EDGE1211 Ref C: 2024-05-29T10:31:22Z
date: Wed, 29 May 2024 10:31:21 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 659775
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1046502CF4E64EABB27D349B07D6B4C7 Ref B: LON04EDGE1211 Ref C: 2024-05-29T10:31:22Z
date: Wed, 29 May 2024 10:31:21 GMT
-
DNS 8.8.8.8:53  PTR 55.36.223.20.in-addr.arpa  response: none
DNS 8.8.8.8:53  PTR 200.197.79.204.in-addr.arpa  response: PTR a-0001.a-msedge.net
DNS 8.8.8.8:53  PTR 29.243.111.52.in-addr.arpa  response: none
-
GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
Remote address: 23.62.61.115:443
Request:
GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Wed, 29 May 2024 10:31:55 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5f3d3e17.1716978715.f74a574
-
DNS 8.8.8.8:53  PTR 57.169.31.20.in-addr.arpa  response: none
DNS 8.8.8.8:53  PTR 115.61.62.23.in-addr.arpa  response: PTR a23-62-61-115.deploy.static.akamaitechnologies.com
-
Flows (bytes sent / bytes received / packets sent / packets received, in the order the report lists them)

(endpoint not captured on this page)  1.2kB / 8.1kB / 16 / 14
(endpoint not captured on this page)  1.2kB / 8.1kB / 16 / 14
(endpoint not captured on this page)  1.2kB / 8.1kB / 16 / 14

204.79.197.200:443  tls, http2  76.4kB / 2.2MB / 1595 / 1591
  HTTP Request  GET https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
  HTTP Request  GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
  HTTP Request  GET https://tse1.mm.bing.net/th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
  HTTP Request  GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
  HTTP Response 200
  HTTP Response 200
  HTTP Response 200
  HTTP Response 200

23.62.61.115:443  tls, http2  1.5kB / 6.4kB / 17 / 13
  HTTP Request  GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
  HTTP Response 200
-
DNS flows (bytes sent / bytes received / packets sent / packets received)

71 B / 157 B / 1 / 1   PTR 13.86.106.20.in-addr.arpa
74 B / 128 B / 1 / 1   PTR 172.210.232.199.in-addr.arpa
66 B / 90 B / 1 / 1    PTR 8.8.8.8.in-addr.arpa
73 B / 159 B / 1 / 1   PTR 147.177.190.20.in-addr.arpa
72 B / 158 B / 1 / 1   PTR 232.168.11.51.in-addr.arpa
72 B / 146 B / 1 / 1   PTR 26.165.165.52.in-addr.arpa
72 B / 158 B / 1 / 1   PTR 171.39.242.20.in-addr.arpa
62 B / 173 B / 1 / 1   A tse1.mm.bing.net  -> 204.79.197.200, 13.107.21.200
71 B / 157 B / 1 / 1   PTR 55.36.223.20.in-addr.arpa
73 B / 106 B / 1 / 1   PTR 200.197.79.204.in-addr.arpa
72 B / 158 B / 1 / 1   PTR 29.243.111.52.in-addr.arpa
71 B / 157 B / 1 / 1   PTR 57.169.31.20.in-addr.arpa
71 B / 135 B / 1 / 1   PTR 115.61.62.23.in-addr.arpa
-
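Two checks are worth running over a flow list like this one before deciding the sample is silent on the network: tie every connected IP back to the name that resolved to it, and list the addresses that were reverse-looked-up but appear in no flow. The block below is an added example (editor-supplied, not part of the Triage report). The DNS and TCP records are transcribed from this report, the record tuples and the BACKGROUND_SUFFIXES baseline are assumptions, and the result shows that 23.62.61.115 (www.bing.com) is connected to without an observed A answer, which the PTR lookup then attributes to Akamai, and that nine reverse-looked-up addresses have no flow on this page at all.

```python
"""DNS/flow cross-check for the records in this report (editor-supplied example)."""
from typing import Dict, List, Tuple

# Constructed from the report: (query type, name, answers). The tuple layout
# is an assumption, not a Triage export format.
DNS_RECORDS: List[Tuple[str, str, List[str]]] = [
    ("PTR", "172.210.232.199.in-addr.arpa", []),
    ("PTR", "13.86.106.20.in-addr.arpa", []),
    ("PTR", "8.8.8.8.in-addr.arpa", ["dns.google"]),
    ("PTR", "147.177.190.20.in-addr.arpa", []),
    ("PTR", "232.168.11.51.in-addr.arpa", []),
    ("PTR", "26.165.165.52.in-addr.arpa", []),
    ("PTR", "171.39.242.20.in-addr.arpa", []),
    ("A", "tse1.mm.bing.net", ["204.79.197.200", "13.107.21.200"]),
    ("PTR", "55.36.223.20.in-addr.arpa", []),
    ("PTR", "200.197.79.204.in-addr.arpa", ["a-0001.a-msedge.net"]),
    ("PTR", "29.243.111.52.in-addr.arpa", []),
    ("PTR", "57.169.31.20.in-addr.arpa", []),
    ("PTR", "115.61.62.23.in-addr.arpa", ["a23-62-61-115.deploy.static.akamaitechnologies.com"]),
]

# Constructed from the report: (remote ip, port, Host header, bytes received).
TCP_FLOWS: List[Tuple[str, int, str, int]] = [
    ("204.79.197.200", 443, "tse1.mm.bing.net", 2_200_000),
    ("23.62.61.115", 443, "www.bing.com", 6_400),
]

# Assumed baseline of Windows 10 background destinations; tune per environment.
BACKGROUND_SUFFIXES = ("bing.net", "bing.com", "a-msedge.net", "trafficmanager.net")


def ptr_to_ip(name: str) -> str:
    """'115.61.62.23.in-addr.arpa' -> '23.62.61.115'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def resolved_ips(records) -> Dict[str, str]:
    """Map every IP seen in an A/AAAA answer back to the name queried."""
    out: Dict[str, str] = {}
    for qtype, name, answers in records:
        if qtype in ("A", "AAAA"):
            for ip in answers:
                out[ip] = name
    return out


def ptr_results(records) -> Dict[str, str]:
    """Map IP -> reverse name for PTR lookups that received an answer."""
    return {ptr_to_ip(n): a[0] for q, n, a in records if q == "PTR" and a}


def triage(records, flows) -> List[Dict]:
    """Classify each TCP flow using the forward answers seen in the capture."""
    fwd, rev, report = resolved_ips(records), ptr_results(records), []
    for ip, port, host, rx in flows:
        name = fwd.get(ip)
        verdict = "background" if host.endswith(BACKGROUND_SUFFIXES) else "review"
        if name is None:
            # No forward resolution observed for this IP: either the answer was
            # not captured or the address is hard-coded. Keep it visible either way.
            verdict = "review: no A record observed"
        report.append({"ip": ip, "port": port, "host": host, "rx_bytes": rx,
                       "resolved_as": name, "ptr": rev.get(ip), "verdict": verdict})
    return report


def unexplained_ptr_targets(records, flows, resolver: str = "8.8.8.8") -> List[str]:
    """Addresses that were reverse-resolved but appear in no listed TCP flow."""
    seen = {ip for ip, *_ in flows}
    seen.add(resolver)
    return sorted({ptr_to_ip(n) for q, n, _ in records if q == "PTR"} - seen)


if __name__ == "__main__":
    for row in triage(DNS_RECORDS, TCP_FLOWS):
        print(row)
    print("reverse-looked-up but never connected:", unexplained_ptr_targets(DNS_RECORDS, TCP_FLOWS))
```

The "no A record observed" verdict is deliberately not downgraded by the Host header: a sample that speaks TLS to a hard-coded IP can send any SNI or Host it likes, so only a forward answer seen on the wire (or the PTR result as corroboration) should clear it.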
MITRE ATT&CK Enterprise v15
Downloads (the report lists hashes and sizes only, no filenames or paths)

File 1
  Filesize: 2KB
  MD5: ede838db2ac379bcd2187fee5d5ecbea
  SHA1: 8017173caac4d3d8ca120ef72c3208beb21ae8cf
  SHA256: b2e2c06f1f15f836ef1ddcd79732e672a7da74e486c998b763ca4b6403e9333f
  SHA512: b676d8dac7a1b0c59d8195a3ec639c6d3f6bc76cd26b4cb7d988d0eb947bcd42923f41e30cc1499ad6fda6a3161817dc7504bbb65a12b3ec4228983aa68eb22a

File 2
  Filesize: 1KB
  MD5: 69269eb09d0ceabff42565099075887c
  SHA1: 8282e02a710f7bffc849056f32b5d1fcdcc207a4
  SHA256: 0e53d4c81a22112ea35d51948431ed98b53fbdddb5513820ddb5d24f5d8b1217
  SHA512: 3db6f67556e9b32035bf2e26ea803473a1cc1f936371314e1605ce350bf2410d4947da3ec5f05968dfd7b5cb87461b6513502850d4e335d009ab8c86cb765ad3

File 3
  Filesize: 2KB
  MD5: db0173c1d91c9db87a69697c773a1df8
  SHA1: b838695f8a8fd45daa6eab89186eb40227a989fc
  SHA256: 2e20ccf5e710946b918d78d78a9ddde1e64949eae485c8d937e019d19a7ec79c
  SHA512: a5ed0d54ed8f9edfb0b00e4b322dc2388efbf7a6b903ac930bf3682cbd8f27fdc10edb3c9f07855c8c471a64ef67eea12730bd95f9d0bdd921469710d23e431c

File 4
  Filesize: 273B
  MD5: 1ef5cfbd6fb2abe4cbfc438d0a8c9071
  SHA1: 8d79314076c0448de52b1884939ccd6c9b2d3f40
  SHA256: a87868bb39528786edafe8234fdb9866a72144057d7fdf606987ff5f8e36aa72
  SHA512: 1119109a219c1509da71b6fa44055569fdb16156158137aa334d9b5db7d903685f46ba622f5f5edc7e5e5c2dbc9b11af31ae2b00d091a716fd72f8be8f90a52f

File 5
  Filesize: 12KB
  MD5: 40ecd7af94cf00ac1da5f3efcae39030
  SHA1: 8254020b1b689e9bb85298bc6f8ed911dcf82b86
  SHA256: b7ee237fb12b69c54b4fd9f76e9f69df1544c1be30f214fd2423b45e4a800cdd
  SHA512: ba31e4ba120e80e09a4f14d9ad9dd389e5dc9e5572f0f0018d789cb586d79089d69f5e52aff03cf7254fc9bf432628862a194522552a212e6fb83bc39fe831d8

File 6
  Filesize: 1KB
  MD5: 0a997c14455000c99a040f48d5647355
  SHA1: be845cd9bb7ba5adf3733c2ff40b33af655a73c5
  SHA256: 4fa74e8d657a7d45328c064e64dda0bf625b9a4364d2eb95549e2b68c287a947
  SHA512: 2b663a6229c5d89dc557178ba82f9cc825b4e4152f5cef71a3e78d6ba78ffaeea279ce8f5d87beac993faf7c65bab7afb248131911a8fcba413178e263900742

Note that File 5 matches the submitted sample in size (12KB) but not in any hash (sample MD5 514721b58189a2cb0132f06b1061f900), so it is a distinct binary; the report does not say which of these entries, if any, is tmp6A44.tmp.exe or the vbc.exe compilation output.