a5bd7f0cff464447aa29f3f4f3447db2268f7c76da17d88d33539841b8cf01f3

General

Target

5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe
Size

12KB
MD5

5c8d3638fc0e093018f422de7e703520
SHA1

611d88790efba6f623d6520bce8949fccb069151
SHA256

a5bd7f0cff464447aa29f3f4f3447db2268f7c76da17d88d33539841b8cf01f3
SHA512

3d43673fbce20097dc22c4a51622175b4097753636cb121921c948fbf6b3d34572cddf984693692a5510ae2de5dca83c5a9f20daa71ed9eb3b94f3491f83f219
SSDEEP

384:iL7li/2z0q2DcEQvdhcJKLTp/NK9xa4+:8YM/Q9c4+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3564	tmp3BA2.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3564	tmp3BA2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 3752	2200	5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe	84
PID 2200 wrote to memory of 3752	2200	5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe	84
PID 2200 wrote to memory of 3752	2200	5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe	84
PID 3752 wrote to memory of 4148	3752	vbc.exe	86
PID 3752 wrote to memory of 4148	3752	vbc.exe	86
PID 3752 wrote to memory of 4148	3752	vbc.exe	86
PID 2200 wrote to memory of 3564	2200	5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe	87
PID 2200 wrote to memory of 3564	2200	5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe	87
PID 2200 wrote to memory of 3564	2200	5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ulkrkk4j\ulkrkk4j.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D38.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc44258DC0DDC44589BD3B73642F12451.TMP"
    3⤵
    PID:4148
- C:\Users\Admin\AppData\Local\Temp\tmp3BA2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3BA2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
d8d9d2bd0063cc3879f2010b898f05d6

SHA1
38065e07ca41f14d51a7768704a4a1d9d64692f5

SHA256
7df8345aafb49400d9643aceae1a5c2cdcff7ceb57d965341d437d677bf5a0ed

SHA512
48f32966d11be2597084b41594df0f33910ddb832a53441cc70feb1f38caeac9c80ede292dc1017355c7beea9df5ec9c974f383b2400470ae8d2c7a9df3ff888

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3D38.tmp

Filesize
1KB

MD5
95498b6136feb4a905820f3318bfe7ef

SHA1
891a211b6b66efdbfbc2ad6c16bc541be1af8b14

SHA256
ba76a64a54ecf11c07b7a27ffecd18a82365c550bb6ad263cfe25d6f284e5e1a

SHA512
18ceb41599378ab51f4ff05bbb46746b10478a0348d6fd415f86a9cb5888f0f72937ec1bc37f795ef816505b0c85801325940cb477d6c4e953cd8c70e2a11161

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3BA2.tmp.exe

Filesize
12KB

MD5
ec362cd85d6b58bcab109a810b5ef323

SHA1
1d30d6c8e11e89ff7e9e1bda4188df85c4329460

SHA256
7e91c5ae3e7a09c167ce5268860f3fab17cb712fc97b306c2726a277984bea0e

SHA512
e70838024d113c540da017035ea54e5bfd4b8ce7bafea2a896d17d4710c5d5837bd0c1ecf0158c4985533a58d35670a7849980c817bc5ac66ccf204146aceae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ulkrkk4j\ulkrkk4j.0.vb

Filesize
2KB

MD5
acb23bcf04b5257acd249207e19dd5fd

SHA1
9eec907ed6c68b3fe62451f822e7f23c50e897eb

SHA256
c7cb35bbbdad7567bd2b4a3aefe974e2e37e9224deb97a5ca5e272ffe7d09b24

SHA512
aac6e6323d9ac3a1092cb8f59dea18d5c7ccfeb57fb78cc1e6f19216cd59601c6cb4db4f129cd51206b3812e51de51b3db2fa44cd5235a0b843594af6b90b18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ulkrkk4j\ulkrkk4j.cmdline

Filesize
273B

MD5
a372c4cf3f771b4678ecb944860f6342

SHA1
70ef3d14936c10ddd37841fe0aeb0fc2259df791

SHA256
4e048348fefdd2576477c7679f36336e4d36c26d49dcbb10cd67e4ae761010ae

SHA512
596398bd761af0195356e8a73e13bdf49cebcca88f69dea077b8838dc44e4caa3baa8e53af9ac0f13773b303b0793e3708590c6b39cfb4767ed0a48949d9a37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc44258DC0DDC44589BD3B73642F12451.TMP

Filesize
1KB

MD5
e9a4da7ccb2145134157cab40bedb740

SHA1
99db9c13799919e594661dc221f51ff3f2dac43c

SHA256
68904c03f982676686018b4f80d1b8b315ef37cb6aaf84cae54a3f0dc1943986

SHA512
a5d1a30c238a4489300bd212f2cc730faa9fee81bfa753d0e97582ea7a1cdd96a408b68a4c3413aaaf5545d18c91c8f2749d57422783874e9ea278006c6a528b

Download Submit
memory/2200-0-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/2200-8-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/2200-2-0x0000000004A70000-0x0000000004B0C000-memory.dmp

Filesize
624KB

Download
memory/2200-1-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/2200-24-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/3564-25-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/3564-26-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/3564-27-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/3564-28-0x0000000005070000-0x0000000005102000-memory.dmp

Filesize
584KB

Download
memory/3564-30-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing