afe59a90801f9938ab8c456147d0767a7f4428f311675d4426d657b7d773220d

General

Target

5395289d26fba4ea86c7c00b11946f70_NeikiAnalytics.exe
Size

12KB
MD5

5395289d26fba4ea86c7c00b11946f70
SHA1

af5c9e7a3ba9f499c4f871d140e7e7dd46827884
SHA256

afe59a90801f9938ab8c456147d0767a7f4428f311675d4426d657b7d773220d
SHA512

2b5a02ec3001c5c703fe377ee59fbfff1574403e52553a03586fa574b1109b0615d0b7e0fd46062076642e9fec3629b72b50c48dea98e89b028595965a16126b
SSDEEP

384:3L7li/2z+q2DcEQvdQcJKLTp/NK9xal0:7+MCQ9cl0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	5395289d26fba4ea86c7c00b11946f70_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1276	tmp52C4.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1276	tmp52C4.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4832	5395289d26fba4ea86c7c00b11946f70_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 1832	4832	5395289d26fba4ea86c7c00b11946f70_NeikiAnalytics.exe	85
PID 4832 wrote to memory of 1832	4832	5395289d26fba4ea86c7c00b11946f70_NeikiAnalytics.exe	85
PID 4832 wrote to memory of 1832	4832	5395289d26fba4ea86c7c00b11946f70_NeikiAnalytics.exe	85
PID 1832 wrote to memory of 1536	1832	vbc.exe	87
PID 1832 wrote to memory of 1536	1832	vbc.exe	87
PID 1832 wrote to memory of 1536	1832	vbc.exe	87
PID 4832 wrote to memory of 1276	4832	5395289d26fba4ea86c7c00b11946f70_NeikiAnalytics.exe	88
PID 4832 wrote to memory of 1276	4832	5395289d26fba4ea86c7c00b11946f70_NeikiAnalytics.exe	88
PID 4832 wrote to memory of 1276	4832	5395289d26fba4ea86c7c00b11946f70_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\5395289d26fba4ea86c7c00b11946f70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5395289d26fba4ea86c7c00b11946f70_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rty4yqi0\rty4yqi0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5515.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE7F92C07B4E540F5954B4BDEDCF8F5A.TMP"
    3⤵
    PID:1536
- C:\Users\Admin\AppData\Local\Temp\tmp52C4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp52C4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5395289d26fba4ea86c7c00b11946f70_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
e86ec87b74114805ab61a5802ea61292

SHA1
43a17d29c742feeb1c1a6b5f95689a663c89d317

SHA256
0469f1d4cc6bc18c807d2eea95bbdbc352fadd44c1e432900df5ed0833e5acca

SHA512
e244348e8225b81caa69af322ed4aeed4e7e09f82420af5b96cec220caa85f0d1bacdf23dec08834ef4a29991da23880cca892fcca2bfcfab6c60c5c8a513c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5515.tmp

Filesize
1KB

MD5
a324a1c86d0653e3785c59779b952523

SHA1
50056a9a15b2060b54cc3e10679c26c8650a66e1

SHA256
63fefa1c9702e6e5a31fc8e9aa625f5c75d214aa11123de1305ead09bd993506

SHA512
c7d9578b10c0fdfc7423d264e2acf52be0e6baf29788235b01d7bc58981d6f2ffa4c97dc579c4b862456253e844565326e16a6ec614ab76f193a566c3c5e87fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty4yqi0\rty4yqi0.0.vb

Filesize
2KB

MD5
667d0c8c3fc8537466dbc2c8a2bfb9a5

SHA1
bb7049c49df61b0aeebac5f327c842806edda94c

SHA256
6532c8f235e65f4ace217d64b6486c65fd7b0a6b5581bf1fd2a584f08f8f4a28

SHA512
9226476e2e3c48bfcb3ac7f02265dee209ab12b1c678cba2fa02f78f78a379495b62745d03d6baa85354fb84248220df273c99cda704007e3fa0cfb29c88fa7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty4yqi0\rty4yqi0.cmdline

Filesize
273B

MD5
f6b4a6a38b8b75c6f5cf2199d4e21d45

SHA1
f251e68b71c835bcfde18241b127753fd480fc01

SHA256
54033c15e6e1fd1630af3d4557da29a10ea7e1090f0a59845bfa8dd6df83d108

SHA512
3b4c066539b6e14c25ec7229b301d311fa01e335be87c6c76a3021ad57b54eac860c74e00f80886ecb708f1f8be52776024b3353aec3fb68bdf71f6d6f21bcfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp52C4.tmp.exe

Filesize
12KB

MD5
cbc8df4b038defa9ed0c7d556b6f4072

SHA1
cfe6eaea0fd86dedb706cd0e76f0d743737d56b9

SHA256
56c003871fb9be2a9b911a0fce23e26211fdbca6686bdb9de1540b8b14ed795f

SHA512
d4136448fa788d1aa7812fc2f0de2963d681f329a72043a5e163761dbbd781cf68333c7c692bd3f7d51685a393e1567af28530b7268a62cbc85398eb6c72fd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE7F92C07B4E540F5954B4BDEDCF8F5A.TMP

Filesize
1KB

MD5
6a2fd3387b64fdd72ba84117d210bb2e

SHA1
c9461bc577144516cb9b4e1ac25a6019a5d23fbd

SHA256
4ef9f8754e1c7f0c39e35cdec8401cad883dc95dc4e7366e0309b0a1751c77a8

SHA512
64ebabeb3120dd09c83cfef063bbeff791f7acf60a7d05ef9dd177635a9a45bfb03ea55325e8e91d6615dddc3305844234bad8e3cc3add6ccbbb77d2a03a3184

Download Submit
memory/1276-25-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download
memory/1276-26-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/1276-27-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/1276-28-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/1276-30-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4832-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download
memory/4832-8-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4832-2-0x00000000054D0000-0x000000000556C000-memory.dmp

Filesize
624KB

Download
memory/4832-1-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/4832-24-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing