a54cb8ad2c79b23a6155ab200b5a48e024bd66019f89229ea8b8a3c13efe75b8

General

Target

132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe
Size

12KB
MD5

132759bccbe8ce3489eb4253b77b3950
SHA1

cc747cf1e8b64dd0d138083d0e59b01f41447432
SHA256

a54cb8ad2c79b23a6155ab200b5a48e024bd66019f89229ea8b8a3c13efe75b8
SHA512

b26870f285260f172cfbae16f79befd4c0b9e03697e0e8ec3ffa502ccd79b30ee3fdee5af62e8bfd08f0e2ed721cc6f35bfbd2fc927fba198952bcd559731826
SSDEEP

384:yL7li/2zAq2DcEQvdQcJKLTp/NK9xa71:s8MCQ9c71

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1460	tmp7948.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1460	tmp7948.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 1060	4740	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe	87
PID 4740 wrote to memory of 1060	4740	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe	87
PID 4740 wrote to memory of 1060	4740	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe	87
PID 1060 wrote to memory of 4212	1060	vbc.exe	89
PID 1060 wrote to memory of 4212	1060	vbc.exe	89
PID 1060 wrote to memory of 4212	1060	vbc.exe	89
PID 4740 wrote to memory of 1460	4740	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe	90
PID 4740 wrote to memory of 1460	4740	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe	90
PID 4740 wrote to memory of 1460	4740	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rsf2g5tm\rsf2g5tm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ACD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc969DAECE63134F6CBC34478424E93F3F.TMP"
    3⤵
    PID:4212
- C:\Users\Admin\AppData\Local\Temp\tmp7948.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7948.tmp.exe" C:\Users\Admin\AppData\Local\Temp\132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
82eefbf2f80eb2224c65493e7847dab9

SHA1
ee1f67ccd6e69d424bee459d8aecd7a27c40e954

SHA256
d812b8d44e1ccbb7ca9afe7250547e6c57b26e7da47cf76138bef3446bdda116

SHA512
f5ed9c5b917bfb31396082cfca0ae9f1805e6c27e1afb389f0d1be67cd79e694efcea743aee9a5da81043430f86244777a1700024b87cec9f2d590d64a8063ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7ACD.tmp

Filesize
1KB

MD5
7c384efabe6a307713ecd8d798d41cb7

SHA1
1bbc200ab0cb1fc992f0f411fed3045f07991175

SHA256
3321c83cc378300aca1c7c377d6a21d1aa3656f491d023f970f1baa238215d2d

SHA512
cee1dc5010ed316641e228664d88a242e648d3af6de0e4eab4f919b05636a3d2f0c2b9a59981a082460d6041e39dde80105ad22a28ef5d0be75914d763cc490c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsf2g5tm\rsf2g5tm.0.vb

Filesize
2KB

MD5
015de1b039da2f6db35ac94d83290bcf

SHA1
478d1eae654ab1c2a84b61fbf5b93419fba6ce21

SHA256
263423d2eb78bb9b41b127006479d3022a6f6f55eafce009e55453ed0339bbe1

SHA512
7f821806b344704dbbc5df5c8a514bf49081a4a8078de67e159e690cb8a050576ddfb389e7f21840aa759bbf6b4a8b82a4f3050ce3040e7355874809cc8a0ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsf2g5tm\rsf2g5tm.cmdline

Filesize
273B

MD5
de5f04b57d10272ad8e85fa0ad691e50

SHA1
141b0b2810e7be5945d90fd81ffe4e0a9618fa21

SHA256
664dd18c7fadadcc12548ae52fec9147e5c6d37b09427400901442e5cda95e6b

SHA512
b41cab55860d6aa86ec2e692cbb26ff8483ff3c2927a14794d6bedf5ae508246831f7e19570f61904378139668082d9089decb8a5f7087dce48d76a2cdc557c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7948.tmp.exe

Filesize
12KB

MD5
64c7dd5f88fc5fb43b1b49f68e955df5

SHA1
f8a02a9b3b8917d16695b145242940df00bbf27f

SHA256
2c4f1ee51abae699af1c875fa450f495703c7a5f6bfcc0a5c87b3b6f7a5146ff

SHA512
b214ebe3f5b6bc467d8038f91c6e511d26bebc77be883b48afd6056a28e38b83948948465fe03479c7368202d7e51554a661f82f4f6b1f6967d7899a1bf6ee18

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc969DAECE63134F6CBC34478424E93F3F.TMP

Filesize
1KB

MD5
010642511501d1daa9f890a1e6f5fe3e

SHA1
ce006640d0d883dc51d1d5f559dc98e029abc1f1

SHA256
fac8b7be9741574ffd7b98d2f56f3a2a2a59631c0998969d443e71a03884a4d2

SHA512
fb48b120c5d6c9bf433af5aa61cc734966f331987c9c3b4fe878cf67cb6928df94f4cdd108053e51d086ec358138f7241d3088d828a591f4f58b9afe031031df

Download Submit
memory/1460-25-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/1460-26-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/1460-27-0x0000000005280000-0x0000000005824000-memory.dmp

Filesize
5.6MB

Download
memory/1460-28-0x0000000004CD0000-0x0000000004D62000-memory.dmp

Filesize
584KB

Download
memory/1460-30-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-0-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download
memory/4740-8-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-2-0x0000000005640000-0x00000000056DC000-memory.dmp

Filesize
624KB

Download
memory/4740-1-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download
memory/4740-24-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing