30431c1cb1a270dd760e1729567869e8559fe5c77cb2f15f5a095a5ba4e28f25

General

Target

6f979ce825ac1dd02858f6f39fab4ec0_NeikiAnalytics.exe
Size

12KB
MD5

6f979ce825ac1dd02858f6f39fab4ec0
SHA1

37005f046f836709cad7faafe4616c069f50fe07
SHA256

30431c1cb1a270dd760e1729567869e8559fe5c77cb2f15f5a095a5ba4e28f25
SHA512

05b73a08a07e6873b6ba58820fec57e7bfa572751f21af8901945fccdadbd4a4e2539a8fb6ad179aa1549f72bb52140da415d7a08b8a0e4ade54060392056cd1
SSDEEP

384:pL7li/2zTq2DcEQvdhcJKLTp/NK9xabR:ZfM/Q9cbR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	6f979ce825ac1dd02858f6f39fab4ec0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4064	tmp5823.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4064	tmp5823.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1428	6f979ce825ac1dd02858f6f39fab4ec0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 4996	1428	6f979ce825ac1dd02858f6f39fab4ec0_NeikiAnalytics.exe	87
PID 1428 wrote to memory of 4996	1428	6f979ce825ac1dd02858f6f39fab4ec0_NeikiAnalytics.exe	87
PID 1428 wrote to memory of 4996	1428	6f979ce825ac1dd02858f6f39fab4ec0_NeikiAnalytics.exe	87
PID 4996 wrote to memory of 2492	4996	vbc.exe	89
PID 4996 wrote to memory of 2492	4996	vbc.exe	89
PID 4996 wrote to memory of 2492	4996	vbc.exe	89
PID 1428 wrote to memory of 4064	1428	6f979ce825ac1dd02858f6f39fab4ec0_NeikiAnalytics.exe	90
PID 1428 wrote to memory of 4064	1428	6f979ce825ac1dd02858f6f39fab4ec0_NeikiAnalytics.exe	90
PID 1428 wrote to memory of 4064	1428	6f979ce825ac1dd02858f6f39fab4ec0_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\6f979ce825ac1dd02858f6f39fab4ec0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f979ce825ac1dd02858f6f39fab4ec0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\anm5mbtn\anm5mbtn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A26.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB861C4736E0841128F4EAAD9E1A49282.TMP"
    3⤵
    PID:2492
- C:\Users\Admin\AppData\Local\Temp\tmp5823.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5823.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6f979ce825ac1dd02858f6f39fab4ec0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
c73a2e0924dc8dafd5a8498182844600

SHA1
74eda5339a0372ebfe5a2aaf26062739ff56b29c

SHA256
40e279f5716f24a5046b374e7c3e05d1d0129b4874087d8fc984ce79dcb11cf1

SHA512
c16b022c6fac52e0fbcca004c1416b307944a62f8d45545b3ff9732888e77e793c92d94d4fb6bac9c1e35dba3e5b143c9818e1c6500338e2311337e9d0f19a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5A26.tmp

Filesize
1KB

MD5
203ad2dea0dbda8b5788a9cd5d359983

SHA1
35907fa3412220cca6440fe98511dc25c764e397

SHA256
8a22ec72943737fb139a2b05edbfccf2610a38938899a66ed0571572c5d8b7e1

SHA512
75d4bbc499bee498ffadb12c7073cda7a63c1f15edd42e4e7f202dd0967b710ec2d973feadb391af60635b801e6c16c8b14392c2ff80821b514c4f0eacbc9583

Download Submit
C:\Users\Admin\AppData\Local\Temp\anm5mbtn\anm5mbtn.0.vb

Filesize
2KB

MD5
e63a347d2c2d6a5ebf6fe299ca1d9614

SHA1
b6a1e0f11c8a0ee992b4bc94ff8687e09c35d906

SHA256
4b06b345b28562ed6b0b949aa2ef827454c5878f79f6ae4198c22807ce312f13

SHA512
3167d563e2d74d55a360adaa4911708fae10e76c226e20f6930c4fd27e0aad10df6509f3c5290beeb6cc8cc99843753969e82f0c5650f3593593f2d5593b32ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\anm5mbtn\anm5mbtn.cmdline

Filesize
273B

MD5
26d5939bf24bb80030051ed8e0de94c4

SHA1
5e2fd75a75118c9b9287341a8be9aae5301694ca

SHA256
d9d90eefb50f0d874b6dc7cbc5ffd52cb48f02a7249944a8a7e3c1a425e77e99

SHA512
a654c0a8cdfd725b25f0ee61f6d6688d1190121c48cc1eaffd7651cbb0e1f757e5bc335ef7e19fd02fe31131e5e32a18c5611bd18756842c3bbabfa4b212be6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5823.tmp.exe

Filesize
12KB

MD5
e932c9434686ecbe45529188bebc4c94

SHA1
6f4ba6ec537a6afdacabd8d6a9af9f5d954385d1

SHA256
6a25382651e063eff8e6ceea265a504239fd5b42a7236e47766cf1d8ee90f5fe

SHA512
08faae86d1eaff5565959168df316140fe6e2699d80f4d89100c2ca111d39da0d34391f3758945f6a9f5ba4e372e71ee369b5c9e4901ac6954b7fb0b993e2c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB861C4736E0841128F4EAAD9E1A49282.TMP

Filesize
1KB

MD5
f0ca43c7aba1ef27fddeead7796292fd

SHA1
0bda974e8762c593603a230c22b591e4914a0c4c

SHA256
8b0066d2f417cdad83e03bf43022e10bc9e59ce75aab37ebda63c4f59d0e5daf

SHA512
d069b9de711eb44d5384f471e8f815d99b31509b9f964d7c62ca1f7a3b5fc1f4a929c37de4b1bbdd58ec5f0676a496e95c5ef8874b809b752ae598b2a2b038d0

Download Submit
memory/1428-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/1428-8-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/1428-2-0x0000000005880000-0x000000000591C000-memory.dmp

Filesize
624KB

Download
memory/1428-1-0x0000000000F40000-0x0000000000F4A000-memory.dmp

Filesize
40KB

Download
memory/1428-24-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4064-25-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4064-26-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/4064-27-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/4064-28-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/4064-30-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing