770b0b9dc75dad954a5722f698dc3f16a82d06100f97d5fd02cfe4c9b02ffe12

General

Target

19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe
Size

12KB
MD5

19362c9092cf3bf6d32fbd9973264f10
SHA1

e6185143bd2081220a80498289bb4864e614bfb8
SHA256

770b0b9dc75dad954a5722f698dc3f16a82d06100f97d5fd02cfe4c9b02ffe12
SHA512

fbb6c893971d54e79be857738e70a4d48e8cdf008d32582e262f7c095c5da304f5621168ad178c2fcdb7ec9719e585d99a1a74bcd677e91650b4ef47a277182f
SSDEEP

384:5L7li/2zzeq2DcEQvdQcJKLTp/NK9xaiQ:JaMCQ9ciQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4172	tmp4DE2.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4172	tmp4DE2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 2476	4540	19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe	85
PID 4540 wrote to memory of 2476	4540	19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe	85
PID 4540 wrote to memory of 2476	4540	19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe	85
PID 2476 wrote to memory of 1252	2476	vbc.exe	87
PID 2476 wrote to memory of 1252	2476	vbc.exe	87
PID 2476 wrote to memory of 1252	2476	vbc.exe	87
PID 4540 wrote to memory of 4172	4540	19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe	88
PID 4540 wrote to memory of 4172	4540	19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe	88
PID 4540 wrote to memory of 4172	4540	19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ou23djo4\ou23djo4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5033.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A737BA299864E80B59ADB44B9D0689C.TMP"
    3⤵
    PID:1252
- C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
22086ccf1e6a1df0f3b7908dee37fce8

SHA1
1544846c17e424b8a5c12f0d92ac8c05faef6239

SHA256
c78e562413ee74ee805fcc7af360b66f50a3f28984fca8ebac287f50f8aeaf77

SHA512
61b8f0250ebb71d5887cb8ad85e5066e65606e799ab927fe090b9b3725fbc066b3fc71c11276b570b6ab8c8914f563638addeef1730a7a1ac594299a508ab037

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5033.tmp

Filesize
1KB

MD5
1250abefdcfe5e757ba095c24257574c

SHA1
819dab8a6949f9e222cda8af9e3aa313f3a7c609

SHA256
077082d14e8b9983cd98b0449e820f8bb83027fa527caaa30b78c760db749653

SHA512
d1feedb2d41084ac27410dcbb05e0e14846d2426c96226b73133de7116e8a1278dd75697b1f9eb0f9a9cdc9f927728cbb5b5c84de11c83bdbf986838bcf70104

Download Submit
C:\Users\Admin\AppData\Local\Temp\ou23djo4\ou23djo4.0.vb

Filesize
2KB

MD5
c2e5e8058d847b00b63844cc85c0c521

SHA1
93fb9985e6f9ee97445f95c75a7602f2e8218199

SHA256
2957d951158d425e4a53534899ea99fb9558715e6790ba2d854ff67e217fcc59

SHA512
19ae5e627b08ae03965b106d917aaaa223456bfe50aa1ac74b98b70210551669be631d8aa9f529c98d6b62964a42726922b231e9844b63a573f65e79bf9d7194

Download Submit
C:\Users\Admin\AppData\Local\Temp\ou23djo4\ou23djo4.cmdline

Filesize
273B

MD5
ff67b9afdf03cc19be04b0f095eee788

SHA1
3a2043e32f38c7b533e801bea683dfdc8d85fdac

SHA256
482147ded32319c93f62412e94f71eb65d5990f492c2ee2200af508857b3ab45

SHA512
25c84eecb9b6fc32e59aa5365711350cbfafec673009c9ca82f5acfa195588d40e8aa97c01458667eed76cceef31fb217f64f8090f520439982f437472e310b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe

Filesize
12KB

MD5
84a9fce18076e90521258abd590d9127

SHA1
cc7bbf4590e4fa3987d6b24c5681b64d8105bc49

SHA256
9a6603b377d4936d1da8761bb0b1fbb53049c23f16e80efc1fca73501268a82c

SHA512
fe6d00bd45d1b662d7a90739287bf10b91a8e4d923c482ecc1d3dc354f8953134b99052fa7a47bac6f8d3daf881a26cc2cca6c10836f7e0440962cf6d8d5b907

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8A737BA299864E80B59ADB44B9D0689C.TMP

Filesize
1KB

MD5
7ca3abf5e1669f6273fbe5ad027b0131

SHA1
5cf5e7dcad9c73536776f05331519f1af6d3653e

SHA256
79d40d63870b09f409db5125ee2c646bcecf168a6400dee4a6b7e58649da94c5

SHA512
b99ef3d94dd83b45846cfeaf2000edbfb448aedc904651cd62e93c5f863e656c8609c96e8c550d17f184e26ab6f2aed7788e40c9353e38ded496842b5b8950c9

Download Submit
memory/4172-24-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/4172-26-0x00000000007F0000-0x00000000007FA000-memory.dmp

Filesize
40KB

Download
memory/4172-27-0x0000000005710000-0x0000000005CB4000-memory.dmp

Filesize
5.6MB

Download
memory/4172-28-0x0000000005160000-0x00000000051F2000-memory.dmp

Filesize
584KB

Download
memory/4172-30-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/4540-0-0x00000000752AE000-0x00000000752AF000-memory.dmp

Filesize
4KB

Download
memory/4540-8-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/4540-2-0x0000000004950000-0x00000000049EC000-memory.dmp

Filesize
624KB

Download
memory/4540-1-0x0000000000010000-0x000000000001A000-memory.dmp

Filesize
40KB

Download
memory/4540-25-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing