65f2b15eb7305fc785589bb90fdbba81263988309033a379fe198e696cf6a05d

General

Target

0ba0a9f75edf89c263f09e027120fe70_NeikiAnalytics.exe
Size

12KB
MD5

0ba0a9f75edf89c263f09e027120fe70
SHA1

098bc80697937d8d8ac39ccd83239093d38a9a99
SHA256

65f2b15eb7305fc785589bb90fdbba81263988309033a379fe198e696cf6a05d
SHA512

6d9333c8ae6eed573f5be44813cf597361f5baf421856ff4459f81451878b86b818f156a2fcd1cda213212c603afb0db17d949aaaeb10ed762e7f12740cd43a6
SSDEEP

384:BL7li/2zlq2DcEQvdhcJKLTp/NK9xaPv:hFM/Q9cPv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	0ba0a9f75edf89c263f09e027120fe70_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1600	tmp5015.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1600	tmp5015.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	264	0ba0a9f75edf89c263f09e027120fe70_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 5080	264	0ba0a9f75edf89c263f09e027120fe70_NeikiAnalytics.exe	89
PID 264 wrote to memory of 5080	264	0ba0a9f75edf89c263f09e027120fe70_NeikiAnalytics.exe	89
PID 264 wrote to memory of 5080	264	0ba0a9f75edf89c263f09e027120fe70_NeikiAnalytics.exe	89
PID 5080 wrote to memory of 4148	5080	vbc.exe	91
PID 5080 wrote to memory of 4148	5080	vbc.exe	91
PID 5080 wrote to memory of 4148	5080	vbc.exe	91
PID 264 wrote to memory of 1600	264	0ba0a9f75edf89c263f09e027120fe70_NeikiAnalytics.exe	92
PID 264 wrote to memory of 1600	264	0ba0a9f75edf89c263f09e027120fe70_NeikiAnalytics.exe	92
PID 264 wrote to memory of 1600	264	0ba0a9f75edf89c263f09e027120fe70_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\0ba0a9f75edf89c263f09e027120fe70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ba0a9f75edf89c263f09e027120fe70_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xlewo4jz\xlewo4jz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5227.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc330642B3A91C45FFAC8F5140FE43FF36.TMP"
    3⤵
    PID:4148
- C:\Users\Admin\AppData\Local\Temp\tmp5015.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5015.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0ba0a9f75edf89c263f09e027120fe70_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
e56c3bb62965571dc5f5f3054a66ba0b

SHA1
08377d989355c38bbe9324872fa3c387c3489ec6

SHA256
5de637e686fa47f35bd068f70513a557cfdac59016d4f5491737e6d3af07da57

SHA512
fe3ad21d1ff9dedb0e117dfbd1d5ce405b722c3740f5733dbef30b655ad71383aeda3ec8aa87478b1c44a24b51ff8de83eb49b36e50b7260d4d4175530075fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5227.tmp

Filesize
1KB

MD5
5988769c982f8cc34570695570865783

SHA1
31e55c45346ca7573e02d2614d13dc0a76fcdd56

SHA256
e11f3d44b06f9322b1e58082a57a7e84e51fbecc97bf82a960de12594624d8c0

SHA512
cf7377c9f18bcc7be39c0b6cdab966fb43b2a8ecd20791133968a19860e4605a3498260096bf3a13e837da7c65e664967b2dab7887876044f862d0178a54d8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5015.tmp.exe

Filesize
12KB

MD5
3c644b07f15525cd0ae8477ccfa57595

SHA1
be2e5086f77beaca08c8efb480b3ac3a604c1ade

SHA256
8dddb415676355c548bf6c6c93db0f0244686054965fa8422537b1c507b19a03

SHA512
3efa69b97af630a48b6ee7b0894b225d496a833f5740bd278ae82f1697e9e4376192032bbcae21cf65ccf4ee77ce3529265880024cd01ed881b1021e0dfb38d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc330642B3A91C45FFAC8F5140FE43FF36.TMP

Filesize
1KB

MD5
5e2df4091c08de069ed7e726717bfacf

SHA1
2fd07c1396840f3166d58f012c8c8af1f2a64103

SHA256
b9cf8f5f56e10434f8ce3f5b2395576655447bc49fb174e8b8563cbcb7ed2c88

SHA512
2bc4de5143e09a75a07cd3a5a495b2b3b00c60bca1f8342df0c54da007495337680c7244d7ab13070bf0eaa971718eede482515cdd4204fe968437f90c638aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlewo4jz\xlewo4jz.0.vb

Filesize
2KB

MD5
17dc3866e5c144af82786d14ecf37c49

SHA1
68c9b55af1e6fbd40dcccd7da6e2cc3ec1fc2650

SHA256
983c809d09434d8acce7696bb385b255bc6791ff2b7cbc988ea8637c9a80cf75

SHA512
e60a2be0f1d4fc1b02cb32e55cf3cdc43e82fdadd9e3caac68b0abaa5c5e59b8e34ce7772da8b7d34fc7207c4e99157d38ef12b7f8ecff8393dd9474f8b575a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlewo4jz\xlewo4jz.cmdline

Filesize
273B

MD5
c33c552016a85c485abf54f6841b4711

SHA1
ce1cc66425416036d5c171138dd5ff74e5cc59cd

SHA256
8f9cb69723703a505a490f6fd1889e677f19a0c0775134750d4fc94edffc3733

SHA512
3851b1198abda659f914e0065a11c1d064e90b44ca3a331281570110ee3f268cbf1a3f0c03df367f6ac89ce81c3baa86cc9536e8a0effe5caf43ec3a732bd82a

Download Submit
memory/264-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/264-8-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/264-2-0x0000000005730000-0x00000000057CC000-memory.dmp

Filesize
624KB

Download
memory/264-1-0x0000000000E50000-0x0000000000E5A000-memory.dmp

Filesize
40KB

Download
memory/264-24-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1600-25-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1600-26-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/1600-27-0x00000000059F0000-0x0000000005F94000-memory.dmp

Filesize
5.6MB

Download
memory/1600-28-0x00000000054E0000-0x0000000005572000-memory.dmp

Filesize
584KB

Download
memory/1600-30-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing