c5a3a0e9f1c4fb0e9861b3d03c9344d9bb54767f614a39647422ccdfa37d61a7

General

Target

1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe
Size

12KB
MD5

1de6fa7a84e25a1df9d24bbd4a7ae9b0
SHA1

96459fce9384be0e56af03f66d8338374397b10c
SHA256

c5a3a0e9f1c4fb0e9861b3d03c9344d9bb54767f614a39647422ccdfa37d61a7
SHA512

a902a921fd9cdcebe613f83478840e5fec3414fb3c17ce251f27af2f6bd2905ee2fbe2b1e0e29460c68cc125e7ef43dd63f09349311ebb7b969c000e616f012a
SSDEEP

384:pL7li/2zaq2DcEQvdQcJKLTp/NK9xa8v:ZCMCQ9c8v

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4928	tmp399F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4928	tmp399F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4068	1800	1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe	86
PID 1800 wrote to memory of 4068	1800	1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe	86
PID 1800 wrote to memory of 4068	1800	1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe	86
PID 4068 wrote to memory of 3868	4068	vbc.exe	88
PID 4068 wrote to memory of 3868	4068	vbc.exe	88
PID 4068 wrote to memory of 3868	4068	vbc.exe	88
PID 1800 wrote to memory of 4928	1800	1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe	89
PID 1800 wrote to memory of 4928	1800	1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe	89
PID 1800 wrote to memory of 4928	1800	1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vllnqkwf\vllnqkwf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC9DA684253E64FB780116760283D01.TMP"
    3⤵
    PID:3868
- C:\Users\Admin\AppData\Local\Temp\tmp399F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp399F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
b81929257c36e92e4fa9a7f7c448175e

SHA1
660ae12f5dafd13c4bb856a297817f5841d5abd6

SHA256
061fbad7d0384812cefb2adc4451b2afcabf8f492994a02db75f4185d50ec98b

SHA512
fee0bd379ce1dcd032e53134bec87c662f929ca139cbdbdbb8ad266ce5a824b2c2ad0669c0dcd82b3a74371136cf3254bab0826a23784e0ab25dfbd3717428ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3AF6.tmp

Filesize
1KB

MD5
c69ec76388a0384c4543b990ad5bd111

SHA1
1b0a352203ff2beaeaa8a42410f48e43cde53678

SHA256
b56e5227368051a4d5edd97a7097572bf584715b4fb695ef9a5128b0cc4f9b62

SHA512
f1fa14678dd50453ef24c8033321b3de5d7abbe6c4e977d407239443570555e3d82fd8d8fa0144ac4a4a85db1d55111dabaf77c21472cf36778016167cf6159d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp399F.tmp.exe

Filesize
12KB

MD5
40e78cb1c8d8206b71e21373f9f6bafb

SHA1
a59edf3534b08bc98fbaf53ae33438da16204d1d

SHA256
220be42308fc53253268d44cd933f91071e37ff04d48927749ec4b363c5654a2

SHA512
0d6013057e0c4862d66ae667778169f34b37399dc19d351500a6a8d90629fc15c9bfa4c15a906734c91dce84d0b7a88739bfb533700c6ddfa2f91f6e8af25713

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC9DA684253E64FB780116760283D01.TMP

Filesize
1KB

MD5
eba2198caef66a765f2e5bcf64a3e1fb

SHA1
619ef83fd3e2c21d4adf9375012727a3f2872c72

SHA256
4480d4b1baf1c8e4ee7c9aa40f67f0674de87a952da680d476b76acf75f4a44a

SHA512
f54870a6482bcb61b3eedd58b8c5d8ac430eae555978466ac576c80b8cc9812b502823ccf39dd1e740dc6575ba33dea558aae1393aa3307524a882c6dd00683d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vllnqkwf\vllnqkwf.0.vb

Filesize
2KB

MD5
f57d4145c3a7b1d97b37a890cfa73004

SHA1
728c7be8c799d2f649f141d309d9f8bbaaf89e42

SHA256
a39da59aeda47e8b31017f84c3aac28b48fded4fed0d7810ac1ccd9968a42e97

SHA512
10b87af4087878f55d90dd695564a6df36a79af5eef76dfbbfc6a8edbceda98669a433d87ec0e55fd08a131d97a7b7d31ca037b01c66b2d7b2b281de30026c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\vllnqkwf\vllnqkwf.cmdline

Filesize
273B

MD5
f60f2788fc3f4d0a1a7b2c059104ba3d

SHA1
03ff636c41f98e12abb2abdb68f7f43651517b4a

SHA256
a9245bf20afb6f35cb67db873de89f0fcca32458c370d927cf7778fa28f6f8d9

SHA512
4217bd415991daf32698ceedeb184d59d2d7d72203f9b7ac636f868bcf6f929592d00ad774eb7f001f1b192227dc8c96d42ffe37c3277d97f97671f189debcaa

Download Submit
memory/1800-0-0x000000007528E000-0x000000007528F000-memory.dmp

Filesize
4KB

Download
memory/1800-8-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/1800-2-0x00000000053E0000-0x000000000547C000-memory.dmp

Filesize
624KB

Download
memory/1800-1-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/1800-24-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/4928-25-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/4928-26-0x0000000000B80000-0x0000000000B8A000-memory.dmp

Filesize
40KB

Download
memory/4928-27-0x0000000005A60000-0x0000000006004000-memory.dmp

Filesize
5.6MB

Download
memory/4928-28-0x0000000005550000-0x00000000055E2000-memory.dmp

Filesize
584KB

Download
memory/4928-30-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing