77390c50c1d21906606f24e83ed688eabad46ffefa23c997f7502d3dc1e7493a

General

Target

a20d57c0607756012494044935299f30_NeikiAnalytics.exe
Size

12KB
MD5

a20d57c0607756012494044935299f30
SHA1

b74a755eb0f0632d7530c20d1d1621d3849a11d8
SHA256

77390c50c1d21906606f24e83ed688eabad46ffefa23c997f7502d3dc1e7493a
SHA512

4caf3cc76373b80f004029ad868ac12c07027dfc9f80a776dabc2051c437e062b1bf4e8f1e307c27f522ff481648570af99db3e362ded5c6a4e19e874d2ddfe3
SSDEEP

384:5L7li/2zzq2DcEQvdhcJKLTp/NK9xaCQ:J/M/Q9cCQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	a20d57c0607756012494044935299f30_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4832	tmp3E33.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4832	tmp3E33.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4288	a20d57c0607756012494044935299f30_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 3692	4288	a20d57c0607756012494044935299f30_NeikiAnalytics.exe	87
PID 4288 wrote to memory of 3692	4288	a20d57c0607756012494044935299f30_NeikiAnalytics.exe	87
PID 4288 wrote to memory of 3692	4288	a20d57c0607756012494044935299f30_NeikiAnalytics.exe	87
PID 3692 wrote to memory of 1436	3692	vbc.exe	89
PID 3692 wrote to memory of 1436	3692	vbc.exe	89
PID 3692 wrote to memory of 1436	3692	vbc.exe	89
PID 4288 wrote to memory of 4832	4288	a20d57c0607756012494044935299f30_NeikiAnalytics.exe	90
PID 4288 wrote to memory of 4832	4288	a20d57c0607756012494044935299f30_NeikiAnalytics.exe	90
PID 4288 wrote to memory of 4832	4288	a20d57c0607756012494044935299f30_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\a20d57c0607756012494044935299f30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a20d57c0607756012494044935299f30_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\stmm2xgd\stmm2xgd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4045.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60E76AE2D731458B89D3EF5E7E998AFB.TMP"
    3⤵
    PID:1436
- C:\Users\Admin\AppData\Local\Temp\tmp3E33.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3E33.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a20d57c0607756012494044935299f30_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
e86ec87b74114805ab61a5802ea61292

SHA1
43a17d29c742feeb1c1a6b5f95689a663c89d317

SHA256
0469f1d4cc6bc18c807d2eea95bbdbc352fadd44c1e432900df5ed0833e5acca

SHA512
e244348e8225b81caa69af322ed4aeed4e7e09f82420af5b96cec220caa85f0d1bacdf23dec08834ef4a29991da23880cca892fcca2bfcfab6c60c5c8a513c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4045.tmp

Filesize
1KB

MD5
032d122bee89b3a7a88d6fa2c66d1637

SHA1
0991d410c8418d54253b081b4c50e481f3ed18e6

SHA256
414b15e7371979730a57d865ab068314216e5df5258faaf0bcde9163100c1d70

SHA512
f161ee94d997aff8bf5c1d9c3e9e4d36d56d72d66724c830c9ff355fcd4bf49c4f44239a96cbbdadf2f03295f6f05de4f51df5bf00ae35f094f670d8e182b19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\stmm2xgd\stmm2xgd.0.vb

Filesize
2KB

MD5
667d0c8c3fc8537466dbc2c8a2bfb9a5

SHA1
bb7049c49df61b0aeebac5f327c842806edda94c

SHA256
6532c8f235e65f4ace217d64b6486c65fd7b0a6b5581bf1fd2a584f08f8f4a28

SHA512
9226476e2e3c48bfcb3ac7f02265dee209ab12b1c678cba2fa02f78f78a379495b62745d03d6baa85354fb84248220df273c99cda704007e3fa0cfb29c88fa7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\stmm2xgd\stmm2xgd.cmdline

Filesize
273B

MD5
021b1f3b71c0232d7d0ce93cd2c743bd

SHA1
d6fa13eceb05dea1220ba2bff69c545403f64461

SHA256
12f6b7fe7f8f014d2fed2f2b961fd0a9e52f532c9201bc69fc97cb370d18e762

SHA512
df4d2aca6017e320ec142d48157d635c6b964bfc63c7ef49f6877375cd13c257f0a59aad11cb96efc60d51d83c6a260d5b0f1f68928b15f957ffcd5a41b62ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E33.tmp.exe

Filesize
12KB

MD5
07be51f175d510a8c1079ad6d7d5dd38

SHA1
88af4367518907625b6fd852d71b82ebaea7f768

SHA256
b39797fb18e36aaced0d2b637c8430cec64dd59283be476149769532342f3fd1

SHA512
27a126bdcb3b46d41f4f732b8494a5bef296ce9a1deb8c2ba46b4607cb30d73de6fdd7c36fc61ece510416453183c010c551da2a618008f1b99606d4928fdfda

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc60E76AE2D731458B89D3EF5E7E998AFB.TMP

Filesize
1KB

MD5
7e322455245db04165d843b587719e41

SHA1
5f9db970bb055496c3d79e0e9436d2711adb339b

SHA256
f1b2e4572b10a85fa61cd492a69b4b7df08853da87b04dcc9f653349e6ee02db

SHA512
41a64376ad993b3cde60827f4a8cd8ff5e6cfc9bd9a3d1fddac943de49a8752660d0ca3e83ba49d12da098bebb8b486e029c64f11010bd21ab478c5dd366df48

Download Submit
memory/4288-0-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

Filesize
4KB

Download
memory/4288-8-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/4288-2-0x00000000053B0000-0x000000000544C000-memory.dmp

Filesize
624KB

Download
memory/4288-1-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/4288-24-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/4832-26-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/4832-25-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/4832-27-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/4832-28-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/4832-30-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing