49bd8efeb38b53f62b869eed0b610d770b9672489d0677210b1f380b33e8a5aa

General

Target

46605b61bc44071e2b46a2343d704ca0_NeikiAnalytics.exe
Size

12KB
MD5

46605b61bc44071e2b46a2343d704ca0
SHA1

b229efcbc315ad396b687c1ff647360bfebb5d8a
SHA256

49bd8efeb38b53f62b869eed0b610d770b9672489d0677210b1f380b33e8a5aa
SHA512

5658acf71edf013fe415a3c76f52627f61074197eaa02dc9e4e9c15f80d536ace9a20888278d88a74806be1c56c73e9f1085c414c36c0a8deaf7c98f36ba3956
SSDEEP

384:nL7li/2z5q2DcEQvdQcJKLTp/NK9xa/A:LZMCQ9c/A

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	46605b61bc44071e2b46a2343d704ca0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2116	tmp4046.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2116	tmp4046.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	46605b61bc44071e2b46a2343d704ca0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1960	3064	46605b61bc44071e2b46a2343d704ca0_NeikiAnalytics.exe	85
PID 3064 wrote to memory of 1960	3064	46605b61bc44071e2b46a2343d704ca0_NeikiAnalytics.exe	85
PID 3064 wrote to memory of 1960	3064	46605b61bc44071e2b46a2343d704ca0_NeikiAnalytics.exe	85
PID 1960 wrote to memory of 4672	1960	vbc.exe	87
PID 1960 wrote to memory of 4672	1960	vbc.exe	87
PID 1960 wrote to memory of 4672	1960	vbc.exe	87
PID 3064 wrote to memory of 2116	3064	46605b61bc44071e2b46a2343d704ca0_NeikiAnalytics.exe	88
PID 3064 wrote to memory of 2116	3064	46605b61bc44071e2b46a2343d704ca0_NeikiAnalytics.exe	88
PID 3064 wrote to memory of 2116	3064	46605b61bc44071e2b46a2343d704ca0_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\46605b61bc44071e2b46a2343d704ca0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\46605b61bc44071e2b46a2343d704ca0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3z2dr0oy\3z2dr0oy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES419D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E25EB23A46348FB9C5FABE2F64A556.TMP"
    3⤵
    PID:4672
- C:\Users\Admin\AppData\Local\Temp\tmp4046.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4046.tmp.exe" C:\Users\Admin\AppData\Local\Temp\46605b61bc44071e2b46a2343d704ca0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3z2dr0oy\3z2dr0oy.0.vb

Filesize
2KB

MD5
da48af82a4f696f786467aa4ad976f15

SHA1
fd2e529fa28eb558db64e48922a5de5860830650

SHA256
8591665482f1a77a64d434cb67a3b7a572267cee7fa701447a90761eee2993d3

SHA512
63be531fd199ae83811f2b53dbe2868a0e4e58da9a096afa6625d8713127ca00f489733b3033906c353b63a142a697b0f1928ba65f8a75264fa2346b37d930e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3z2dr0oy\3z2dr0oy.cmdline

Filesize
273B

MD5
2d3586393374b9022f07a762d52f65df

SHA1
a64ff37432d210819db77aaeec7075eee1949dac

SHA256
8dc6ed5513f5c670531fc4b430e8ab308969bf44b72454f5822b28e4770cab0e

SHA512
9e2ac39b74744df625d9ae1c5b5825d9ef4d500dc02b6d6c6f8912c242597ebc675fe631476b9f69d293497dc7ec774b025624225aabc8d8c250dc2faf3fb89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
09b9a90111eb3bb76c206d4b03b48fe1

SHA1
789fe784cd548786cc8b93f33bdab0386b6fc75e

SHA256
4262ca4c46f87e840fdcd735b9686b1ead3187af137bb11ebbabecb5bb2a8946

SHA512
024966e583383e42296c100e148dfd71314cd728d8a0a61ab63fe4f9836b06d58fba8d271ada12dee2f0fc6defa5a47021ec050aa52b8d7b1490132bd4cabdb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES419D.tmp

Filesize
1KB

MD5
f4b62634edb6ec1bbb86df5a36d8bca9

SHA1
50e466cad30692f02d6a03c7e5ee4dbe7bfa50ae

SHA256
e2392f98597a1115ebde65b24557de927534661a70d0a9eb7ef6174589ec46af

SHA512
c916a72a2405c5188f2920c1e07c70207dd5b793447f6ec5b37928d81ff8c3929a08d3667fb43ea73668d0ffb286fc2464e90c2a8c24f102d212ca535df7107e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4046.tmp.exe

Filesize
12KB

MD5
80a2fb416bf907f65011775d72c6b5aa

SHA1
8ef51344f5188231a6fb2b7cadae01e6f2bd82ab

SHA256
7afd32339046123984cb6b707c100cf4a036d5e166eda6e36774cf6bf2f55537

SHA512
a18c745c75ac2e84b6fd1c71290faaf47eeb16e7d43cdeacc7ce3ee1c0d9e184399d1b608f0f9563fe6bc8a9a916ef5036c16e1c8814569f5861ed5836e9dfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9E25EB23A46348FB9C5FABE2F64A556.TMP

Filesize
1KB

MD5
ba920f14b8cc5ca9993c849d37058a6e

SHA1
7e15a4a8f28481bd1b21b3c11399ce6683d43fd2

SHA256
f20b6e104fa76cc79fc047362630feefc7906caec7c2a0abf045ec83625e1bba

SHA512
e9063f2a170f2a6973580fbf48d9fdccf88f062be8f43df051129b0d58f0cea55d83df115e3828358e0e69800cb90231f415f07b2d241660e54c8f232f0455b0

Download Submit
memory/2116-26-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/2116-25-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/2116-27-0x0000000004FA0000-0x0000000005544000-memory.dmp

Filesize
5.6MB

Download
memory/2116-28-0x0000000004A90000-0x0000000004B22000-memory.dmp

Filesize
584KB

Download
memory/2116-30-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3064-8-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3064-2-0x0000000005530000-0x00000000055CC000-memory.dmp

Filesize
624KB

Download
memory/3064-1-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

Filesize
40KB

Download
memory/3064-0-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/3064-24-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing