8f3aa9fffa1c5bf95985363b7d7ac43d6833886c765c31a1980462b01ea332ce

General

Target

10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe
Size

12KB
MD5

10f2a22d4a71a472382bf4e7bbef6150
SHA1

3558289bc9522485515301838869c808d35c1133
SHA256

8f3aa9fffa1c5bf95985363b7d7ac43d6833886c765c31a1980462b01ea332ce
SHA512

cd139cb79977c1f487d726e4586ecf924ffd5642bac7cce512248b54107ba3360e94ea0f3d8d361bcae1990b130580bbfa09709c45a04b4b3ed9874022fe0648
SSDEEP

384:sL7li/2zOq2DcEQvdQcJKLTp/NK9xano:qWMCQ9cno

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4084	tmp48DC.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4084	tmp48DC.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 908	1496	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe	89
PID 1496 wrote to memory of 908	1496	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe	89
PID 1496 wrote to memory of 908	1496	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe	89
PID 908 wrote to memory of 448	908	vbc.exe	93
PID 908 wrote to memory of 448	908	vbc.exe	93
PID 908 wrote to memory of 448	908	vbc.exe	93
PID 1496 wrote to memory of 4084	1496	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe	98
PID 1496 wrote to memory of 4084	1496	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe	98
PID 1496 wrote to memory of 4084	1496	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe	98

C:\Users\Admin\AppData\Local\Temp\10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ejiirzvu\ejiirzvu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc15980FB990544C559317E6D13636325A.TMP"
    3⤵
    PID:448
- C:\Users\Admin\AppData\Local\Temp\tmp48DC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp48DC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ea71a6b2fa8af8f81164bebd79658b67

SHA1
1773a8251d2b8fbe640d46c491036189c627768b

SHA256
e4216c1d503189842d266ca0e852424ae22dc3234cff186b8499b074d1ad9b7f

SHA512
9c1b50e806dd301641a5e5b1ec742a88e54071c7ab7dd5db4187ac00a003a3395c8915a38cf85346c6bb13238250ce3e0bba7cdbd09c9deba3c610cd8ada2b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES61D2.tmp

Filesize
1KB

MD5
04cf43cc78f51a22a095dbf19cec3015

SHA1
62c8860ba85f23c1088d3a162b861c76eeb123e3

SHA256
659b8486e2db4751e350da5a1cf96b92d3fcf18a811c730b2eda1ca1f013778b

SHA512
a8adb0119186f9855a74a8eca31e87c5ccd724d6dc95b3c353b4b62e8a2e989f27493eb58d878dc4b6e5efa9727b6214c8af1b12456594131a78a113e5d8a85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejiirzvu\ejiirzvu.0.vb

Filesize
2KB

MD5
128fa2cd34aea55a1c1ea83fafbeb0e0

SHA1
ea3768ae2120e36d08187ec5947288d05160e575

SHA256
4c5e000db9c4d307d4d0cd9ccaf6112ea677bd0f01c5125e7568acbf4a56dcf1

SHA512
42a51b0f71b2dcea0e4946dd6c06cb8d988227bab39cb524d7c6b4a5df6a668026eb0025738d90d888c5b5c02c442426c5697d3b1ab26cf8e1f1d5c14ccc17d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejiirzvu\ejiirzvu.cmdline

Filesize
273B

MD5
bb89893e52ac15d4337d703959faac20

SHA1
198bf97f592f3d88d0fed0d865eacbd8bafc2816

SHA256
54c6ec0e61083ed80edbfc0a3d4d98e54869bad26678b6a28bfe3900edfdd960

SHA512
f4e956533e0020812d5f8afc3c1c70bcd775cd1367bfef151f1f299d7ff58343747497724f697440f3b99978c32658275c4be079c799d8bcfdb252185fe416c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp48DC.tmp.exe

Filesize
12KB

MD5
5d09af7bb411793a1ad551e3d30262c0

SHA1
441a7807d7763343ae8b7cb9caae3f4504b1d79c

SHA256
0aee977dbb1032be48074a050c8b65142482ac2d312a4069571cef15356899a0

SHA512
a54a8fc90a585d8206d7ee4669c79605b4c33986e266ee61afc83b36a30389a2f5377f85a9feb9d5b40f4b9ff22a49d55fc6bd7762f640a4073069e7fe64ac33

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc15980FB990544C559317E6D13636325A.TMP

Filesize
1KB

MD5
b6c24eb8ec6e8079cfbbe7246fde980d

SHA1
33045d3ef860b264b23f246664edc6df94513730

SHA256
98f80545af34a2b65c50cd0f4cc1c3f884b461f39bf4bd5ac3f27968f34f5b1e

SHA512
2a79a37e06295a146d04dfbf784be40045b2b3c2fbe8e67f37116992a610ae5feafe52227ef0bf7fd392ca350d1656845093ed7bc3a7f66290da64b12a1a3125

Download Submit
memory/1496-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

Filesize
4KB

Download
memory/1496-7-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/1496-2-0x0000000005630000-0x00000000056CC000-memory.dmp

Filesize
624KB

Download
memory/1496-1-0x0000000000B80000-0x0000000000B8A000-memory.dmp

Filesize
40KB

Download
memory/1496-26-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/4084-23-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/4084-24-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/4084-27-0x00000000050E0000-0x0000000005684000-memory.dmp

Filesize
5.6MB

Download
memory/4084-28-0x0000000004BD0000-0x0000000004C62000-memory.dmp

Filesize
584KB

Download
memory/4084-30-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing