161f9df3b4d00c5891f5797d0c208fcd01bff6518581f6540f8a8748f097dac0

General

Target

766cee9061cbc8d629d749c22bb528f0_NeikiAnalytics.exe
Size

12KB
MD5

766cee9061cbc8d629d749c22bb528f0
SHA1

89e932eb1767148ab8f8c1abab3a208f1408aef0
SHA256

161f9df3b4d00c5891f5797d0c208fcd01bff6518581f6540f8a8748f097dac0
SHA512

860da66a926f0cf6fe733dd4ff57c47820154139186c7d06c2ae859428a1ad6658de140e9ee74eb1ecbcc72ae1aaa34167b00b9d0310bca2445f15098336c6df
SSDEEP

384:TL7li/2zVq2DcEQvdhcJKLTp/NK9xa2q:3FM/Q9c2q

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	766cee9061cbc8d629d749c22bb528f0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2192	tmp49BC.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2192	tmp49BC.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3368	766cee9061cbc8d629d749c22bb528f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 3408	3368	766cee9061cbc8d629d749c22bb528f0_NeikiAnalytics.exe	89
PID 3368 wrote to memory of 3408	3368	766cee9061cbc8d629d749c22bb528f0_NeikiAnalytics.exe	89
PID 3368 wrote to memory of 3408	3368	766cee9061cbc8d629d749c22bb528f0_NeikiAnalytics.exe	89
PID 3408 wrote to memory of 3328	3408	vbc.exe	91
PID 3408 wrote to memory of 3328	3408	vbc.exe	91
PID 3408 wrote to memory of 3328	3408	vbc.exe	91
PID 3368 wrote to memory of 2192	3368	766cee9061cbc8d629d749c22bb528f0_NeikiAnalytics.exe	92
PID 3368 wrote to memory of 2192	3368	766cee9061cbc8d629d749c22bb528f0_NeikiAnalytics.exe	92
PID 3368 wrote to memory of 2192	3368	766cee9061cbc8d629d749c22bb528f0_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\766cee9061cbc8d629d749c22bb528f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\766cee9061cbc8d629d749c22bb528f0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\heuc5tvx\heuc5tvx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B70.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9CA4F64B45F9459B96FA4AB2457F4144.TMP"
    3⤵
    PID:3328
- C:\Users\Admin\AppData\Local\Temp\tmp49BC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp49BC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\766cee9061cbc8d629d749c22bb528f0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
9ed16f53235b848172ef73479e3d1306

SHA1
7a770d5dd2e477f833fd26137127110acf6c7ef7

SHA256
d0a70943a30d5a24d6f01623b217af3a444b2355b5de910661a681db0c46e41f

SHA512
cb9b983b06cdc2590b21f7d821938ef03064facad67240628030e044fea2954f837949d49d47c76a19b1a5c0d419f1216de18beb55b563b93d6c728948ec1a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4B70.tmp

Filesize
1KB

MD5
b1bc07d3727460c84c6ea386c2f1a539

SHA1
e6a780579f852e9eb5cfe065d7653d3908b26beb

SHA256
27bdba629f838b6ce02a597cfa52eb19823670e7d1508f139a89358902fa5bd6

SHA512
f95e0dbc8767ffd7debc7f2f52baade0768492985844db416659919b53df52460d8a3b6fcd5f3ac007ebf2899521f82c872655ea6d63b077601c9c90eb6f5519

Download Submit
C:\Users\Admin\AppData\Local\Temp\heuc5tvx\heuc5tvx.0.vb

Filesize
2KB

MD5
68847e4fbd7b9e0a9d034104d59a9e38

SHA1
a096614ee5b039fdf4b46211143a674e18ccf08d

SHA256
581903c7a01356582ad8d12a0ef11da2d6a3cdc202beeba1149359c92a89d774

SHA512
97d1216d89da71d52fca5038afbaffd18342c2f1366719883d690c2fdb4f4ac8c89dbf180fbe0edb1c6b2cd731761221e783929773f6a31bae8e4a31c5281bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\heuc5tvx\heuc5tvx.cmdline

Filesize
273B

MD5
1a63c941c2e7a9f26a05af82578aaa52

SHA1
6642a074fcb83868898bfe133bd9c1bb8959fd84

SHA256
a28b0ba67cc85d97d81076d528826c1be31c473ece0cda541305134b4d6b551a

SHA512
edda96e9158cd2e344a4c9a4a225f39f9b13bd34ba93285417a5545f7a208b207ac08fcdc17e75b118472a8da466dc55b75645ed0a55eb8d3cb142980d8c720b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp49BC.tmp.exe

Filesize
12KB

MD5
e65ebca41472bb0b20385f7805b1cb16

SHA1
db3dbb086601b79a30ce5d1ae336e184f8311194

SHA256
4d31585ac0d6917f3b1d53628f7e4ff37992c138c17e6a1c97c483390bf9a1ed

SHA512
99fe953947f03108feb52c7ddaab024cc843092378d66e4a23372c84c1daac7d04c001801517d64858b41810f4d2487ecb67ad2315f46d9feb510821081fbd9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9CA4F64B45F9459B96FA4AB2457F4144.TMP

Filesize
1KB

MD5
885f3d6a074b8cb0fcd7e2a458df494a

SHA1
aca368de17dcf98b942f04b2e2cee0d3e9541cad

SHA256
47316476da7af3a0f24a3ed4008dfa9897963d909d7689577f443d3c09e1392b

SHA512
f78d3f24e7341a11c409863b8070b32ba6852e85de6cc0eccd48faf2d3ac1c51a79ec98f4a399fe5839bf3ea1eb5349a7d3169bf8a4cefbbaf68f0f540fea021

Download Submit
memory/2192-26-0x00000000006A0000-0x00000000006AA000-memory.dmp

Filesize
40KB

Download
memory/2192-25-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2192-27-0x00000000055F0000-0x0000000005B94000-memory.dmp

Filesize
5.6MB

Download
memory/2192-28-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/2192-30-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/3368-0-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/3368-8-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/3368-2-0x0000000005530000-0x00000000055CC000-memory.dmp

Filesize
624KB

Download
memory/3368-1-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/3368-24-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing