fdf1fa0f023cd8c1a31303abb28a62aa03379200086e6c668c56483e943a1daf

General

Target

84729d6fc9f2e4164fce1c004bcb0d00_NeikiAnalytics.exe
Size

12KB
MD5

84729d6fc9f2e4164fce1c004bcb0d00
SHA1

b063e460eb56db53cd52fe5a7a52eca694e0a044
SHA256

fdf1fa0f023cd8c1a31303abb28a62aa03379200086e6c668c56483e943a1daf
SHA512

039e7e5bed78c9cee980f5c00e58378c20568dc457b4c7cce02fe64d508bc3f4ede9fe45f74b5a1f06b6c22be836ff94809cae7931b8d4bf31db47538f803a0b
SSDEEP

384:4L7li/2zEq2DcEQvdhcJKLTp/NK9xarC:GIM/Q9crC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	84729d6fc9f2e4164fce1c004bcb0d00_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3936	tmp3B93.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3936	tmp3B93.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	84729d6fc9f2e4164fce1c004bcb0d00_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 2396	4628	84729d6fc9f2e4164fce1c004bcb0d00_NeikiAnalytics.exe	84
PID 4628 wrote to memory of 2396	4628	84729d6fc9f2e4164fce1c004bcb0d00_NeikiAnalytics.exe	84
PID 4628 wrote to memory of 2396	4628	84729d6fc9f2e4164fce1c004bcb0d00_NeikiAnalytics.exe	84
PID 2396 wrote to memory of 4956	2396	vbc.exe	86
PID 2396 wrote to memory of 4956	2396	vbc.exe	86
PID 2396 wrote to memory of 4956	2396	vbc.exe	86
PID 4628 wrote to memory of 3936	4628	84729d6fc9f2e4164fce1c004bcb0d00_NeikiAnalytics.exe	87
PID 4628 wrote to memory of 3936	4628	84729d6fc9f2e4164fce1c004bcb0d00_NeikiAnalytics.exe	87
PID 4628 wrote to memory of 3936	4628	84729d6fc9f2e4164fce1c004bcb0d00_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\84729d6fc9f2e4164fce1c004bcb0d00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\84729d6fc9f2e4164fce1c004bcb0d00_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mhh3ulld\mhh3ulld.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DA5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc53F020162E3748328EF7A5516B559FE7.TMP"
    3⤵
    PID:4956
- C:\Users\Admin\AppData\Local\Temp\tmp3B93.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3B93.tmp.exe" C:\Users\Admin\AppData\Local\Temp\84729d6fc9f2e4164fce1c004bcb0d00_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
493f67d6275c42bab39b1c1a5a4247ef

SHA1
d3f7d1e09032f81ddfe97aeca2f482d33fe52619

SHA256
c76d66eac044b9aa50d6bc3edd6d8c3c6fe5d07cbc12a73784310fa1e8c2e48a

SHA512
9247eee8744d691ddd40735ee1a2538e5adf9f137376196ec6ddcd9b239a16e90027d0ccb99cedb59d03da4fc5b41cbe728f99e97c7cbf80e410f24c01e74bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3DA5.tmp

Filesize
1KB

MD5
2ea2752ba0fda1974e4a4a1d01bdf689

SHA1
a6ffdc7a0f86d250b461c8d364eb50eb7afeb700

SHA256
8b481d16454ca238aeb6a8576727824c818991753fe10317ae8e71e4dc2c649d

SHA512
f0c5219e658d641df06efafe08f2eae13e85ff9e00c5c73e969128393bc833eaebad333806d378ab3b3fcbea257a2804d2314a8857bf676fdf78c8e40bd6d058

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhh3ulld\mhh3ulld.0.vb

Filesize
2KB

MD5
82a7d70fce6ce22c55c3c0c066bf7b73

SHA1
c1dff740d34c833fec97f2eaa93658ebd1b23fba

SHA256
c0c966e6066998576955ac3e7314dad17dcad63599923b2e9f1d67bdb67cb824

SHA512
f016864b906f6f093b61d4e53341ba36b43535f2802ca25e61d18a57e2f150475b66f2946ee1da829dc0b87eb42cb51454e86c8c1a31cde359cbe54647d6e975

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhh3ulld\mhh3ulld.cmdline

Filesize
273B

MD5
3e4f790a8962c24ad38c0e5129ca4ede

SHA1
65887dca275c6e9a414cc2044241da5463b4caa6

SHA256
83f7f5a6362336c57bfcb60cd5f9c9234e8736961e07e8bb2cc250e0eed7323e

SHA512
319c73b4cb83c09e26cc40700696c1fa52774b74fe30072a6d6d0aeb12250813d979cbc007bcf50c8ef2fb2b6b4fa1fcea19bab3b6404a2326a839f93a86c184

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3B93.tmp.exe

Filesize
12KB

MD5
8962f4a167888c2be67280c867b8f789

SHA1
8d497763a419869f6516b520c10449aaab8775bf

SHA256
90df187a8b6181135fe5b74704f68d95b155e369e282885636464e6c49434f45

SHA512
d4eaae93ed471f2d8c28c16c8e7345cde1214cbe3f511f6e109356a840006b1eed84d4c394a19ad3d32d79222af2c3d42cd200bb2baab006a9e246a7545b0dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc53F020162E3748328EF7A5516B559FE7.TMP

Filesize
1KB

MD5
82cfa28872232827124c8b2cc3b93808

SHA1
9b649698ec2c694015dc92443819d54b069ecedf

SHA256
3c57a907a41fd678472bb7a5b6d750b0490d35ea671f308dd78b188c63d1d47c

SHA512
a335bacb0fc190b3d539773599453b4dcf5240d8f23a87e0b0ac2c2d41f1a4f318e936d15e2a58f14bc19ca9c9ea4d0f177efe034aed7813d020f24fc124ca55

Download Submit
memory/3936-25-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/3936-26-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/3936-27-0x0000000005170000-0x0000000005714000-memory.dmp

Filesize
5.6MB

Download
memory/3936-28-0x0000000004BC0000-0x0000000004C52000-memory.dmp

Filesize
584KB

Download
memory/3936-30-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/4628-0-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/4628-8-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/4628-2-0x0000000004F20000-0x0000000004FBC000-memory.dmp

Filesize
624KB

Download
memory/4628-1-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/4628-24-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing