37d3883b8d0341c369aadfd34b1f3daab5646f1048635b8088da4e47003d75a3

General

Target

6f4b1ef28c116d14956d9953d19a9660_NeikiAnalytics.exe
Size

12KB
MD5

6f4b1ef28c116d14956d9953d19a9660
SHA1

7297655bc5f778eb0e04ec6a1d33ccc0406081f6
SHA256

37d3883b8d0341c369aadfd34b1f3daab5646f1048635b8088da4e47003d75a3
SHA512

c4fff9af387e471bf6c78b65a7f1b27384404835d94c3bd7ab187df8896114e14df16f0670c7341367ef0be5c48b6270e2a2a99ad14223783e2606a3f2aa59d4
SSDEEP

384:nL7li/2zZq2DcEQvdhcJKLTp/NK9xab0:LBM/Q9cb0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	6f4b1ef28c116d14956d9953d19a9660_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1204	tmp2C22.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1204	tmp2C22.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3216	6f4b1ef28c116d14956d9953d19a9660_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 4176	3216	6f4b1ef28c116d14956d9953d19a9660_NeikiAnalytics.exe	84
PID 3216 wrote to memory of 4176	3216	6f4b1ef28c116d14956d9953d19a9660_NeikiAnalytics.exe	84
PID 3216 wrote to memory of 4176	3216	6f4b1ef28c116d14956d9953d19a9660_NeikiAnalytics.exe	84
PID 4176 wrote to memory of 1068	4176	vbc.exe	86
PID 4176 wrote to memory of 1068	4176	vbc.exe	86
PID 4176 wrote to memory of 1068	4176	vbc.exe	86
PID 3216 wrote to memory of 1204	3216	6f4b1ef28c116d14956d9953d19a9660_NeikiAnalytics.exe	87
PID 3216 wrote to memory of 1204	3216	6f4b1ef28c116d14956d9953d19a9660_NeikiAnalytics.exe	87
PID 3216 wrote to memory of 1204	3216	6f4b1ef28c116d14956d9953d19a9660_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\6f4b1ef28c116d14956d9953d19a9660_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f4b1ef28c116d14956d9953d19a9660_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ckxx2kn1\ckxx2kn1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D1B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc919E5635741D42D5B480D8219359D2D9.TMP"
    3⤵
    PID:1068
- C:\Users\Admin\AppData\Local\Temp\tmp2C22.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2C22.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6f4b1ef28c116d14956d9953d19a9660_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
e26a1ede70df5001da18c1eb85bcfd38

SHA1
415bca8211a323e8fada578b11003441ee706143

SHA256
3a2169c3871892670145d096c7e551f06299b9e60d42a6bd20b4f4b459f52102

SHA512
22c91d5da1f5de704f88f54f1e3e6221b373e00256c479790103d609068fa672eea9a19881dd2e29289a67350b623c01785cb7e4c2f9ad4d872c984f85c7ace7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2D1B.tmp

Filesize
1KB

MD5
6e7772daf70afb5fd2e4d7d8762d2d39

SHA1
f03558b0a6e1f28cca4ae0f45d68181ac31c7ead

SHA256
c95ab713baaf74c9e3c0e463ae18f69a0fd484c252788756fb885b49c3610ff8

SHA512
8b65fd26afc4adb02f0a87833c16b761206976369864d2f371fe8ebbdaf5add54dab8a290cfd36eebadbfbde58384ce5ad8af8a31e1dc853ca94e6da7e8314a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckxx2kn1\ckxx2kn1.0.vb

Filesize
2KB

MD5
212bb2012519cebdf39bababfd2e78b7

SHA1
855d1e87d9ab032946283864cb03e0527277d894

SHA256
b0cdd8cfb7f27568d40f3ca0e5d6576f8c8698a43a78d9f17be0a48b463d2e8d

SHA512
be9bdedcb344cc1c23cde0452d72c24b045405ff4bd8ad7b4b6338c55785903b32d595b6743146f6647c53171250533c721c9ab9f50285717d589d324082cdf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckxx2kn1\ckxx2kn1.cmdline

Filesize
273B

MD5
a334c8fe9fe6b74fb602fdcc358a9785

SHA1
f8fc2c2e1e553af4cf632c61db70a357e35f46d5

SHA256
5cddec050b846892d798b7de8d6ae8c6f19c04412ff3964f34b2cf5e9794340e

SHA512
999fbf63b6afcbcc9fd01528616595ee6284c105bc1043b1224e7bae229343665fc6d6a4148b1180306ccffd232445f74bf4581c7ad5e12623a52aead850fd83

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2C22.tmp.exe

Filesize
12KB

MD5
f65958ee1ef1d7b39e74f1c6eed1379d

SHA1
2598cc94ffb0a01f9db5ccbca33f5cc34113035f

SHA256
2409e900f9a97e814010e5bad69b70861d6dcb4afcd5c25140fefd552face198

SHA512
2e67deed46abe03122946f14b2231089653915d369928540ae1ae0d1db139513130d051eda7297baa740ed00a94a6d0ee0413e1bf10770cf5588bacc1f9913d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc919E5635741D42D5B480D8219359D2D9.TMP

Filesize
1KB

MD5
f0aa9a0249c8b43b6a5f5ddbb3e615a5

SHA1
1e8548182453c77e0a926674e2720c1d47b2e062

SHA256
b49c797b4371bb77fd90dccb842d136ae863a7616792afe98563551136964fea

SHA512
205cafd3ed26c71b0b8a4c05f2b66bce3b17411c907847298788dcea75352333d665af363002b8cc10869003b4214627349d631677c40bf10dfb9b6938f43bec

Download Submit
memory/1204-24-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/1204-26-0x0000000000A50000-0x0000000000A5A000-memory.dmp

Filesize
40KB

Download
memory/1204-27-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download
memory/1204-28-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/1204-30-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/3216-0-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/3216-8-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/3216-2-0x0000000005210000-0x00000000052AC000-memory.dmp

Filesize
624KB

Download
memory/3216-1-0x00000000008C0000-0x00000000008CA000-memory.dmp

Filesize
40KB

Download
memory/3216-25-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing