5863ab1c9f2e011e13b02536e160a75582f946e52af1f89311d8db68363b77fb

General

Target

60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe
Size

12KB
MD5

60975a24d0d5bca2ac9dbbb8670673a0
SHA1

0dcde229be7c44eaf6d1bbb928d348069da35cc1
SHA256

5863ab1c9f2e011e13b02536e160a75582f946e52af1f89311d8db68363b77fb
SHA512

9488d131d4a0d2fc9ca647da392fff57efde85b578b7afe20a11fc36f1303c80f15978e9d9542604b5293fceaa42389792f674a63aa3248948bd2a93378b4398
SSDEEP

384:fL7li/2zuq2DcEQvdQcJKLTp/NK9xaI1:T2MCQ9cI1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4776	tmp3DC5.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4776	tmp3DC5.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3612	60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 4652	3612	60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe	85
PID 3612 wrote to memory of 4652	3612	60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe	85
PID 3612 wrote to memory of 4652	3612	60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe	85
PID 4652 wrote to memory of 2964	4652	vbc.exe	87
PID 4652 wrote to memory of 2964	4652	vbc.exe	87
PID 4652 wrote to memory of 2964	4652	vbc.exe	87
PID 3612 wrote to memory of 4776	3612	60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe	88
PID 3612 wrote to memory of 4776	3612	60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe	88
PID 3612 wrote to memory of 4776	3612	60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\omsp0d1s\omsp0d1s.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EDE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc71C52FB094A64DB9A33EC49F8C0D9D9.TMP"
    3⤵
    PID:2964
- C:\Users\Admin\AppData\Local\Temp\tmp3DC5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3DC5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
a7aea68b942a17da9fb948e88226ed6f

SHA1
941159b6299ea4820873222c84e51ba6a6117090

SHA256
35aa515096aae57194f0b42cb5b96b132f21543b962973aa6ea0614db0b3ca53

SHA512
7c903c999388cea14ecca99e2695c0445b6c3310d917be9e6771ecc70b1a69cd9584a07a0c6142723810f0fb613fa851e273a89572480710972d83b062f30f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3EDE.tmp

Filesize
1KB

MD5
eb67d96598f25b3a89b874246118ef43

SHA1
d7808a690682ff9acbc6c272dd37c152e26e9600

SHA256
83bbc22e9e3be8ac3fa83e8379d374c2c4d5def33dbb32ede880843900d1a263

SHA512
2669f8fcb7bb3ede2900e5e49a55411c690257a3305ab67ba2aa88a98904b8d329df293c76da1792be5617a56b0aeeb77c81f1330c11f8614d6b2ce8f2707015

Download Submit
C:\Users\Admin\AppData\Local\Temp\omsp0d1s\omsp0d1s.0.vb

Filesize
2KB

MD5
a4ae228a240cbf62133504dd1af6074d

SHA1
33f12d9ed86faa35d8d1e1b948dc34fbfe61ddd0

SHA256
596ae72ffa357ec348145431d26c245c20e2513828339202240f999b0cfb1783

SHA512
aa350b291eafd3c1e01809b3068e74ea8093ee061393e289afa2b445f6dfe44b1ccedffb2806af8e43d7b41627f8d8222b25c60e3481ee8148a5d08c70940ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\omsp0d1s\omsp0d1s.cmdline

Filesize
273B

MD5
ce7979a7c45f7ee945423e799ba948b4

SHA1
259d1c46c4bbc850994fe37b374af1c26a90b918

SHA256
835d6a3c9262cfd06808261b95b36fda6bad42eb7a22bf76404768ec194ee1d3

SHA512
7a6042320b91c8815b180e39297b1f78d0f015e8538460206a665f25f302b0ccbb3af7fbc47a1ec14db3873e60b5b74fdc9b5aea089ff2d7fef1bbb829ed4e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3DC5.tmp.exe

Filesize
12KB

MD5
b4b9abbf5729aa531a0ab7c3e84672cb

SHA1
e0d2dbcb361666e167ea24f28717602cac3d046f

SHA256
9e051d3d439e3e4020a3b593b14df5ab01c33421a98dbb49c2eb5c211d6b50d0

SHA512
d4a8b9fe13475018302ec27d8c8abf6e5843d8554cc5a6059d7b9cb7e5568127ac11a0acb5260bfa9b2b894f6d8ca0ad7dfce6dbdcfded4fc8ce2189ea84e49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc71C52FB094A64DB9A33EC49F8C0D9D9.TMP

Filesize
1KB

MD5
178f398c42f3bda323140187f66c9a1d

SHA1
ef983aa304088ebb7bd07227abe4801a63b88b2c

SHA256
7bb596e0a2c3304d41f17a44f1f925fe9306d5600fc6389dc7a7552d733cb202

SHA512
f9d5a0f173b6a8b6d5e716a37d9ffb095c43ad60446a0cdc951d320ff0f025fad06fb85521e31dc7d6a971f72bec4635e3c1c2796568de0edfbcb2d43e01624b

Download Submit
memory/3612-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/3612-8-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/3612-2-0x0000000004FF0000-0x000000000508C000-memory.dmp

Filesize
624KB

Download
memory/3612-1-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/3612-24-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/4776-25-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/4776-26-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/4776-27-0x0000000005610000-0x0000000005BB4000-memory.dmp

Filesize
5.6MB

Download
memory/4776-28-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/4776-30-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing