694a7e504e19fb661c77560ca28d2735f1207d60d33e4d657e3ee3fce21fd742

General

Target

74e406cc8c6505f2e89b6a79edc20120_NeikiAnalytics.exe
Size

12KB
MD5

74e406cc8c6505f2e89b6a79edc20120
SHA1

a9258120dfe7c2fb9907d8885e76a44b18053a9f
SHA256

694a7e504e19fb661c77560ca28d2735f1207d60d33e4d657e3ee3fce21fd742
SHA512

741534eb679d74ee130fce36eb4d37d73f556803da20033052f2b38dac8638b9280c5fcb8ab0e4259c4d1f6dfbb21eac7344dd59da9410dc32c226ca89248cae
SSDEEP

384:SL7li/2zKq2DcEQvdhcJKLTp/NK9xafb:M6M/Q9cfb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	74e406cc8c6505f2e89b6a79edc20120_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1096	tmp4BFE.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1096	tmp4BFE.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	74e406cc8c6505f2e89b6a79edc20120_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 4148	1588	74e406cc8c6505f2e89b6a79edc20120_NeikiAnalytics.exe	86
PID 1588 wrote to memory of 4148	1588	74e406cc8c6505f2e89b6a79edc20120_NeikiAnalytics.exe	86
PID 1588 wrote to memory of 4148	1588	74e406cc8c6505f2e89b6a79edc20120_NeikiAnalytics.exe	86
PID 4148 wrote to memory of 2984	4148	vbc.exe	88
PID 4148 wrote to memory of 2984	4148	vbc.exe	88
PID 4148 wrote to memory of 2984	4148	vbc.exe	88
PID 1588 wrote to memory of 1096	1588	74e406cc8c6505f2e89b6a79edc20120_NeikiAnalytics.exe	89
PID 1588 wrote to memory of 1096	1588	74e406cc8c6505f2e89b6a79edc20120_NeikiAnalytics.exe	89
PID 1588 wrote to memory of 1096	1588	74e406cc8c6505f2e89b6a79edc20120_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\74e406cc8c6505f2e89b6a79edc20120_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\74e406cc8c6505f2e89b6a79edc20120_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mngg0cff\mngg0cff.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D74.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6323D0E7505B4D95ADC99250B9A5859A.TMP"
    3⤵
    PID:2984
- C:\Users\Admin\AppData\Local\Temp\tmp4BFE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4BFE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\74e406cc8c6505f2e89b6a79edc20120_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f1aa5c432a8d836774b188d7f56dfaa3

SHA1
bebd99db499cba57c71d2b7690e283e0d373712f

SHA256
d8eaaaec34a31027c2a815b890fee4492ac3ce1d7996917abe272aef0f459e37

SHA512
4b841e3bd3d2767d1d5df51bbcb81a2f57c7135e4fb1d279d55677c681d4ecef9f6b49b922bb02fa479c7a118bfb0b24fd3bb97e3feb659da62f12d4e88e2356

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D74.tmp

Filesize
1KB

MD5
155ecf1f95d36ad4c04ce249a803ed24

SHA1
64f9f5144958b7da2a27e47e04cbd44fa0a0f21c

SHA256
6bb72361b963dbada4d57d3371704806c4837c23b15bab6f2678b2921423ad73

SHA512
7ea148328e535cf77a237e3a3ddcfe6265207add8e020cc52ac0ba82e574e8914b04970fcaf6766b5650776673fb56192dbd18d66aa235fd94f458ff38143a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\mngg0cff\mngg0cff.0.vb

Filesize
2KB

MD5
e1c8e59ac67a6094745876efb2b804c0

SHA1
9d8b17fda940ba9c87734890d165f23f21bb2f54

SHA256
72453b5e3b5e0530714f5961fa4fb304f91b10c5428fc0dca2255cf3ea0db570

SHA512
11ea5a32991f7aff02295dac215a7acd17d6b63d1e708575a8784e3638d235a9e9cb574bdfe038961d992d248222a35e51b625fc606fa61735de1116f8d9ea12

Download Submit
C:\Users\Admin\AppData\Local\Temp\mngg0cff\mngg0cff.cmdline

Filesize
273B

MD5
6f81cb6492c54aaaf3c7fc6897e0a77e

SHA1
259ffade4e8ef126606b14afd57a8846fd074c07

SHA256
adf238e0660e67d12cfbcef0c85358cf100e2dfa5dfb53f32fc42ad6c258ad90

SHA512
81d109bfbbe6797d95f8d9066ce18da6ecf5dc970b34891919efbd1c4d2fae2ddface67c89e988144326be34585eefe4ae93bb2168072452bdfb6dd37a55714e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4BFE.tmp.exe

Filesize
12KB

MD5
9890950d621b779c5e54d8dbc9009ec5

SHA1
2e0c170687d7f91f7435f839f64ab02f1b49748b

SHA256
23163b8ca269ce841ada3d7b11103b769b60acb8fa951ed0ad570e1c815f540a

SHA512
2c44f1bdfc9c950b8c650cf30e3312baf2264040c789f49029f46b9351fa6bc4dc8a19af0b5288f51ff660f5cf230ece445aaa6028a4e08f460ce0a7e588eebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6323D0E7505B4D95ADC99250B9A5859A.TMP

Filesize
1KB

MD5
d0e6ac6813b2ab5e6fd433b7d205e19f

SHA1
e05ef9f3448b3b50d6e70c43fd3bf0ff84df7590

SHA256
129aad6c582f6bf6e5a5d6cce29c2f7aeb46640466667c7ea242fa426e243399

SHA512
44866dbaa325fe5e9137a03cef6341930a284b53df9f2c55b03c424412012edc6ef51553e368b23a6b0ce90790d141f7d1393bf612563ab2c590ace2ffa2f0cc

Download Submit
memory/1096-25-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/1096-26-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/1096-27-0x00000000050F0000-0x0000000005694000-memory.dmp

Filesize
5.6MB

Download
memory/1096-28-0x0000000004B40000-0x0000000004BD2000-memory.dmp

Filesize
584KB

Download
memory/1096-30-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/1588-0-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/1588-8-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/1588-2-0x00000000057F0000-0x000000000588C000-memory.dmp

Filesize
624KB

Download
memory/1588-1-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/1588-24-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing