e9229d328373c8c01ad68ebf81f72fe64c7e93a1728f11d13e2e3ce90a68c2c0

General

Target

2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe
Size

12KB
MD5

2e7adf1d541f263e48978764067027b0
SHA1

626b0d6930094dc168c9f2da08d44080f2171dcc
SHA256

e9229d328373c8c01ad68ebf81f72fe64c7e93a1728f11d13e2e3ce90a68c2c0
SHA512

dd26b90a471a151bacaa99f5b6fb2316e23de7441f3c589ed62cfef35c331a1e0ea18f4f20ec7a72a5125168bc031b2b2d1713b178810245cfa08c1820a1942b
SSDEEP

384:RL7li/2zkq2DcEQvdQcJKLTp/NK9xaQb:RQMCQ9cQb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3868	tmp7BF7.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3868	tmp7BF7.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 836	2124	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe	86
PID 2124 wrote to memory of 836	2124	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe	86
PID 2124 wrote to memory of 836	2124	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe	86
PID 836 wrote to memory of 4728	836	vbc.exe	88
PID 836 wrote to memory of 4728	836	vbc.exe	88
PID 836 wrote to memory of 4728	836	vbc.exe	88
PID 2124 wrote to memory of 3868	2124	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe	89
PID 2124 wrote to memory of 3868	2124	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe	89
PID 2124 wrote to memory of 3868	2124	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3aojdmq4\3aojdmq4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CE1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC1A391C0D1494635ACA56A10D67F30F5.TMP"
    3⤵
    PID:4728
- C:\Users\Admin\AppData\Local\Temp\tmp7BF7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7BF7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3aojdmq4\3aojdmq4.0.vb

Filesize
2KB

MD5
140da8cc32c35aa30ff91c149e38afd1

SHA1
f63a570a347d6a9fda21d13b12bfa8bea2cf05eb

SHA256
831f8ceb917b9c3b6d0600433b9d6d6834d030e2873b1c8d3ff1720949c2603b

SHA512
1fbb3e4ee785bc2a289f4e7f27c25fe9db56ac00471608836631e7b2d0d579e6d3d3a337019c5008e729b0d19024459359b07765370c8e5534117c317068285e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3aojdmq4\3aojdmq4.cmdline

Filesize
273B

MD5
70dd0855db41afd1f68a920825fe54bf

SHA1
b3b107e70540b1e77d162476b65487b47af0b3fa

SHA256
7d61585d8e1bf43182f54fa314f1344526ed05190d4a547061734913000eb421

SHA512
dd63b408a1f65d198964a491be2c1f5c7349b279076452efc7d3eb3c8f13a997717a8d95832a532ce23c640d8b9ea17c11788e283d74b4c471a3ff9b0f0aae87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
661cd275fd72be6d3e5d7ecbb667c91e

SHA1
d4911b3bd3d7b96975bd3da2f051e4b1753b251b

SHA256
8882461b44be62a6b4a33dd6a5ba5e6ed4b59bcfa47cf6d1e2c4f5af52bf4983

SHA512
3ad7f5006bbc8b888587b0239648397c7627cc538a3b10e93c4136b708f92367f94c5b2efcbe74c57a717dd2e9ca801c907fe20649f7058ad027fc42157fcf47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7CE1.tmp

Filesize
1KB

MD5
8e5fb318fde944366de2524184b6d20a

SHA1
56298c9696e70f3e814e4ab50f2c852ee20b41c8

SHA256
27e14678ceb291f68270ba18e963219c1c30806f0397f035e42802f8252907c1

SHA512
d37a147b078bc52146daedd192c354a263378b2bb1a93934ecb19a3a67b9e6d0cef18fbe251ffe6f9afccfbd8a2e2b692824c02e5406c07179d511d14c96ddf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7BF7.tmp.exe

Filesize
12KB

MD5
9356fb4ef026084c3461ae0c82ba2907

SHA1
8bab3be13cfb89190f57711f32b765b9bb073c42

SHA256
255c1b05d8842e4e597eea53ea70b34040a6e96564c5129046c1216999788b06

SHA512
5ccce5bd2222a69f4effe93c88c5f4224122c1a40da7865ce8b9c7558371f76c1194c7935db4578270c0616d6c83a16b23588728fcbb42e815c0940e19a57082

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC1A391C0D1494635ACA56A10D67F30F5.TMP

Filesize
1KB

MD5
1033e42ee510fff47a31ea9bff740531

SHA1
4713372d792ead7ef5657780c01fa571924878d9

SHA256
09dd1f70bfa26c5bda7c54bc7dd797b14457b2f04fa265c0118ae1b13dd28312

SHA512
d75620eb549327bb20fb25c129c9d114d16a3ede6c6227ae8b9b20ecea2755fc58aaaa38800e80ebf85d253c5b688edcf89e374f42329eb15dd8c3b698bfdd7d

Download Submit
memory/2124-0-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/2124-2-0x0000000004F20000-0x0000000004FBC000-memory.dmp

Filesize
624KB

Download
memory/2124-1-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/3868-23-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download
memory/3868-24-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/3868-25-0x00000000053A0000-0x0000000005944000-memory.dmp

Filesize
5.6MB

Download
memory/3868-26-0x0000000004D40000-0x0000000004DD2000-memory.dmp

Filesize
584KB

Download
memory/3868-28-0x00007FFD79D70000-0x00007FFD79F65000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing