772ecfc97593fff77dea0d354a2c865d15264d439ef1053a562c42035906b793

General

Target

9cdf37996fa416236f1fe31484d5a5f0_NeikiAnalytics.exe
Size

12KB
MD5

9cdf37996fa416236f1fe31484d5a5f0
SHA1

a3423bbdbe31d62ab4347daebd16979485432fad
SHA256

772ecfc97593fff77dea0d354a2c865d15264d439ef1053a562c42035906b793
SHA512

055254ad2ced8591544f54cccd0a7f8b5351f0d324c9586d6aed28f66d8b57f259812786d0c760e817253c3a4c2bdf61f458eb6c196ba9fbe55ea5202b329f0b
SSDEEP

384:5L7li/2z/q2DcEQvdQcJKLTp/NK9xalr:JrMCQ9clr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	9cdf37996fa416236f1fe31484d5a5f0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3764	tmp5380.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3764	tmp5380.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3216	9cdf37996fa416236f1fe31484d5a5f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 1620	3216	9cdf37996fa416236f1fe31484d5a5f0_NeikiAnalytics.exe	88
PID 3216 wrote to memory of 1620	3216	9cdf37996fa416236f1fe31484d5a5f0_NeikiAnalytics.exe	88
PID 3216 wrote to memory of 1620	3216	9cdf37996fa416236f1fe31484d5a5f0_NeikiAnalytics.exe	88
PID 1620 wrote to memory of 4924	1620	vbc.exe	91
PID 1620 wrote to memory of 4924	1620	vbc.exe	91
PID 1620 wrote to memory of 4924	1620	vbc.exe	91
PID 3216 wrote to memory of 3764	3216	9cdf37996fa416236f1fe31484d5a5f0_NeikiAnalytics.exe	92
PID 3216 wrote to memory of 3764	3216	9cdf37996fa416236f1fe31484d5a5f0_NeikiAnalytics.exe	92
PID 3216 wrote to memory of 3764	3216	9cdf37996fa416236f1fe31484d5a5f0_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\9cdf37996fa416236f1fe31484d5a5f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9cdf37996fa416236f1fe31484d5a5f0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ntax0uru\ntax0uru.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5544.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EC57984F7C04584854D68279F8FD0D5.TMP"
    3⤵
    PID:4924
- C:\Users\Admin\AppData\Local\Temp\tmp5380.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5380.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9cdf37996fa416236f1fe31484d5a5f0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
a654e3dd3b870436a709d9d64e82d5f2

SHA1
cd207c3f1759e099d5c18bf3bb1103911bf2406a

SHA256
997d00eab5a6ea95ef0adf15fd99ba00c01486a231313a0ced15349bd3d79c5c

SHA512
7401af03b5b6c0e33fed7bbfe849acc0ba355915e5bc146dba644781b8cdf21df1a2c685920323c59334e072a0b4326d9a407c1adc10c3f4b32a3344958adb65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5544.tmp

Filesize
1KB

MD5
3460741d23134d3e2887756403ab2b10

SHA1
f0c4ba700ae61e47432615e8ce1162865f6ac2d3

SHA256
cb9853b033ce6a9268f096da776a63529af7abc21e3e90a8dfdd4559222e0631

SHA512
7103688dfa2d16e0954f87d9f2190caf3f7d35dea8c5b2014a1558b7bbcd435d6078e929d850ad838b6df129d4019379774ef6112f08536749eed7faa7c2364d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntax0uru\ntax0uru.0.vb

Filesize
2KB

MD5
496a784bdc8cf2846496a890cee0084c

SHA1
d28550122c53285542adb1d4907591ca0e4f3156

SHA256
0c9483714466b4b933e4af6ab629c6f8692ea8512a1c898951c638b1db57e146

SHA512
9d347cfbe24db3fa15f31f7428f4b7d6295edd4d0ee275af0a9243a3333c051a6bb9863312037e16b8ffcedc97d2273cc6b7dfa44c5ef78816b797937b54406c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntax0uru\ntax0uru.cmdline

Filesize
273B

MD5
7484d993e5112999a607251c2958b220

SHA1
bb5570f552800441cf1b4c94ae37e1e6e171f170

SHA256
b5d220cc8989c012de0293d420d74aa5c657a5a26ed12921a20dfa11ddb33f8d

SHA512
aaffb322bbf02221e5d7fbad9a8b8a51b69ff16390e4d80c968a15ffaa9a9c6c9e04d1f07836c06b64a3c27ad426efadf56605d6088c04aac52948331f4d995c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5380.tmp.exe

Filesize
12KB

MD5
81adff31d73040f0b6d54063d512d304

SHA1
e2bba9701ec99d2f3d0ee79c019ac0b6782b28d6

SHA256
2bd5cf3398c483536172253de65e912962a1bccf88eb8d5d092cf89a6324fabd

SHA512
41986e705e3f305dc7f029736b03843ba8a46335ddc35532f925fb96448ba2d52e7b7e63bb00b9c912f4dc8a82637d906c84a8cd76ed5d2d2237b70a60e3aaf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4EC57984F7C04584854D68279F8FD0D5.TMP

Filesize
1KB

MD5
a6babcc46d26107c1324b4565e983807

SHA1
371410f831f2eff22ed115421e5a550e1ca85fc2

SHA256
c1613ecad07489bef2d6bc00045f8658787ca605feae6e1ce07aa79f6d33de1a

SHA512
2f97c5e534d393e7ebc6ae04462e4516a6235890d6247363054e80130fedc31f949f013ddc5821996f51f61e589472745091d01b6c4a48f5ccb958da31fee84c

Download Submit
memory/3216-0-0x00000000746CE000-0x00000000746CF000-memory.dmp

Filesize
4KB

Download
memory/3216-8-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/3216-2-0x0000000005870000-0x000000000590C000-memory.dmp

Filesize
624KB

Download
memory/3216-1-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/3216-26-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/3764-24-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/3764-25-0x0000000000A10000-0x0000000000A1A000-memory.dmp

Filesize
40KB

Download
memory/3764-27-0x0000000005930000-0x0000000005ED4000-memory.dmp

Filesize
5.6MB

Download
memory/3764-28-0x0000000005420000-0x00000000054B2000-memory.dmp

Filesize
584KB

Download
memory/3764-30-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing