Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/05/2024, 01:22
Static task: static1
Behavioral task: behavioral1
  Sample: 5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe
Size: 12KB
MD5: 5e7d3090a4a4d29a3489992fdeba41b0
SHA1: f3771fa931e91fd34772d17dfd3245153b14eca9
SHA256: be85695b3b872d21ed9f3964b33263e9c53638fab301614aac13cde64b7510ab
SHA512: cc7f63b2fc748ceefde3dc0819cddef7388f9c475348e9df71ece489edef6a067838fc1065f9a7a38d48a10a430518bc74af78bb2d72262811985a379d44906c
SSDEEP: 384:iL7li/2zWq2DcEQvdhcJKLTp/NK9xar5:8WM/Q9cr5
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation
  Process: 5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe
- Deletes itself (1 IoC)
  pid: 964
  Process: tmp373D.tmp.exe
- Executes dropped EXE (1 IoC)
  pid: 964
  Process: tmp373D.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 3832
  Process: 5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / Process / procid_target:
  PID 3832 wrote to memory of 4984 / 3832 / 5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe / 84
  PID 3832 wrote to memory of 4984 / 3832 / 5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe / 84
  PID 3832 wrote to memory of 4984 / 3832 / 5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe / 84
  PID 4984 wrote to memory of 3372 / 4984 / vbc.exe / 86
  PID 4984 wrote to memory of 3372 / 4984 / vbc.exe / 86
  PID 4984 wrote to memory of 3372 / 4984 / vbc.exe / 86
  PID 3832 wrote to memory of 964 / 3832 / 5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe / 87
  PID 3832 wrote to memory of 964 / 3832 / 5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe / 87
  PID 3832 wrote to memory of 964 / 3832 / 5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe / 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe"
   PID: 3832
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\df5xu4mq\df5xu4mq.cmdline"
      PID: 4984
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3894.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6E5B6E5CFDE4D04829B178BC9209964.TMP"
         PID: 3372
   2. C:\Users\Admin\AppData\Local\Temp\tmp373D.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp373D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe
      PID: 964
      - Deletes itself
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads