2027e74e4cac3737206305e6f9e305135e3deccccbbd857eb1fbcf92a94dc35c

General

Target

1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe
Size

12KB
MD5

1389bccf738605baf932b69d7da47480
SHA1

18eb54e43446d1466c844d1163f407931e6be481
SHA256

2027e74e4cac3737206305e6f9e305135e3deccccbbd857eb1fbcf92a94dc35c
SHA512

b6a1f8f72f1b4d758cc53292275ee34f880d344889d7538b4b8acd5e1132c6de876246777718ed992da57e290a61ab8b6426c7b6df91bcde4904ab0fa3c9d998
SSDEEP

384:GL7li/2zeq2DcEBvdacJKLTp/NK9xare:guDIQ9cre

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1996	tmp5DC1.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1996	tmp5DC1.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 3360	4652	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe	82
PID 4652 wrote to memory of 3360	4652	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe	82
PID 4652 wrote to memory of 3360	4652	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe	82
PID 3360 wrote to memory of 320	3360	vbc.exe	84
PID 3360 wrote to memory of 320	3360	vbc.exe	84
PID 3360 wrote to memory of 320	3360	vbc.exe	84
PID 4652 wrote to memory of 1996	4652	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe	85
PID 4652 wrote to memory of 1996	4652	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe	85
PID 4652 wrote to memory of 1996	4652	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u3mxmmke\u3mxmmke.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FB4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD517C7C26E5040448BDA3CBBC2C97C8.TMP"
    3⤵
    PID:320
- C:\Users\Admin\AppData\Local\Temp\tmp5DC1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5DC1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
b30721bf350120da6abb907ecf5c4f8d

SHA1
2f1e4df02b055b2243422e3e8ee8cc7afbfd70a0

SHA256
a8d37aa41b633f8694e6bb74dd5cef9c6da95aa530017ddb02388946bceea050

SHA512
0426a14959b5e0bd1be90f3cf4f9aed8dcfa1b785dc7a69462d6e6325613b9da81051d43b2596f7408b1fd46e04154cd3152d2d726904c31de8c73d74b7eb6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5FB4.tmp

Filesize
1KB

MD5
a88c05681ad8f3d2a1d94c2782fe4987

SHA1
fbb87c88f2f07a01251c77426efefc1146f4a213

SHA256
32cda52bf937a44c7a893edf3026cd749d85bb65b4b34384e5fa8c863c53f84f

SHA512
071615a0a1fb94370165bd6bbcd7b47fc3e3bff8bebef257582cde7d614f72d435eceede95bcd3a1315a198aed008d4c4855145dacd8bbf9684d75305469c2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DC1.tmp.exe

Filesize
12KB

MD5
d77555c89c68f7d9f8afb45b0d1e436a

SHA1
ac08880ffd912d2ed8ca6ad3ef28b7da05e17f9c

SHA256
f26a3cb16fb30a60a2e6818915b3d0f43b5f52dcc6e4387da49ed198766ef469

SHA512
ff8184d8fb5b136ab1c2927b622cd876bf971cf3d57dc6a4a6919f173da1fb085a46922fad2691ec55511272565fbb0328eedec69b43e4b765ff5143cd6f646d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3mxmmke\u3mxmmke.0.vb

Filesize
2KB

MD5
85b1d5fe383e6b56195cf2ecbc313fc2

SHA1
8080e430b593d6ad12ce15e67bcbb3f1188dbc69

SHA256
b8fbe58f0e3318a0e380f2f861ce0f4cc0659f0c711e56720f4637bebba2088b

SHA512
4fc026071536c616105035b8c1d74fdf2743d77b535d0f3429f42b2d83fb0c7bce30c9e9ad100c36e62f37db94016f49a40736ebd9e47037701250c6c8359fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3mxmmke\u3mxmmke.cmdline

Filesize
273B

MD5
942fe616ab8c73f7fc036f020aed7837

SHA1
68a4b740bc44f0f672dadc3cf1fcbe07ed49d952

SHA256
eee4609f3a1ede724a4aaab3f96ab0f39f78485f523f2f46ac5232c27bbeba97

SHA512
c5712a1cf554d2e2445bb0df832ea9a7a7532b7b635ebdca66946ff719930219a9c54d8ede982bfb2fe6434c0cadd067d220540fed62b66160761c048336855d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD517C7C26E5040448BDA3CBBC2C97C8.TMP

Filesize
1KB

MD5
724d3c6f1937bfef48da342fe1ddc8ba

SHA1
078b6f856d42a7b44313b18e83356465dadf78dd

SHA256
0b08f9a5f50b36b6e3c622e0c018bb750d05e93b45dc8887ba94708f55076fa6

SHA512
80cbeffc4aa922b299dde658e27e3fc704676c9f33f0109d87619bd18b4346645464fec18dd0a04c5d159c6cf42afa93ae495af890240ec3ea22d988379378d6

Download Submit
memory/1996-26-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/1996-25-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1996-27-0x00000000059A0000-0x0000000005F44000-memory.dmp

Filesize
5.6MB

Download
memory/1996-28-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/1996-30-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/4652-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/4652-8-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/4652-2-0x00000000051F0000-0x000000000528C000-memory.dmp

Filesize
624KB

Download
memory/4652-1-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/4652-24-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing