99dfa27fb032ed7c25f027975a06957f11d00a0ad63b409361c229ef6f672347

General

Target

26773287c87a1f9e06880ffa9ead7e90_NeikiAnalytics.exe
Size

12KB
MD5

26773287c87a1f9e06880ffa9ead7e90
SHA1

d6ab965dada593f263c3274c0a28a58490e556de
SHA256

99dfa27fb032ed7c25f027975a06957f11d00a0ad63b409361c229ef6f672347
SHA512

ed91ea42126c437c182285e378d903251783886e8c55a11add9fc4b8505d5402bbbab0a438f07f20328ab847059160eac5d4db10a10dfd32d7b7ad9ac530f3a9
SSDEEP

384:xL7li/2z/q2DcEQvdQcJKLTp/NK9xaDj:xjMCQ9cDj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	26773287c87a1f9e06880ffa9ead7e90_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
5028	tmp135.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5028	tmp135.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	26773287c87a1f9e06880ffa9ead7e90_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 3192	628	26773287c87a1f9e06880ffa9ead7e90_NeikiAnalytics.exe	91
PID 628 wrote to memory of 3192	628	26773287c87a1f9e06880ffa9ead7e90_NeikiAnalytics.exe	91
PID 628 wrote to memory of 3192	628	26773287c87a1f9e06880ffa9ead7e90_NeikiAnalytics.exe	91
PID 3192 wrote to memory of 3184	3192	vbc.exe	93
PID 3192 wrote to memory of 3184	3192	vbc.exe	93
PID 3192 wrote to memory of 3184	3192	vbc.exe	93
PID 628 wrote to memory of 5028	628	26773287c87a1f9e06880ffa9ead7e90_NeikiAnalytics.exe	94
PID 628 wrote to memory of 5028	628	26773287c87a1f9e06880ffa9ead7e90_NeikiAnalytics.exe	94
PID 628 wrote to memory of 5028	628	26773287c87a1f9e06880ffa9ead7e90_NeikiAnalytics.exe	94

C:\Users\Admin\AppData\Local\Temp\26773287c87a1f9e06880ffa9ead7e90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\26773287c87a1f9e06880ffa9ead7e90_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\baha1eiq\baha1eiq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15D5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc729D70CC561343AE9F8373E226A9F0BE.TMP"
    3⤵
    PID:3184
- C:\Users\Admin\AppData\Local\Temp\tmp135.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp135.tmp.exe" C:\Users\Admin\AppData\Local\Temp\26773287c87a1f9e06880ffa9ead7e90_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4444 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
7d3049eda040d9a5b382a46d16993118

SHA1
1af8a96e1033e8270796ca59456b9c38fa18d76a

SHA256
17ae20caa826760ccea145b1875ee6defb9b244c854e62fb34a1440047c10cc6

SHA512
e3994ea6033f0da65eebf01b4975005c49ee377a7d9a2e2d032673d59c1759adab26d09d4ab4e6b7c407ebc72133286ecd4ef67b765eb41a0e84d877b44f794b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES15D5.tmp

Filesize
1KB

MD5
53336addb249dbac8599bf9f318d9f93

SHA1
5dba0a9c5c671f598fb072acec4db0cb7077ab8d

SHA256
0baa86114e44e1f3ef7cc134c52f9f63c0506647f052a5214e561db7162ad9f3

SHA512
870a698e7a7c5906a18604df29f3a3fc6eb122e802c6c2c616542e7b54c94bd5b5c9822ab7f726e0ddb29a360753d919dc8168bac48484642893ad112f410f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\baha1eiq\baha1eiq.0.vb

Filesize
2KB

MD5
a5828d9a389d34fccad91d8714f29370

SHA1
506638cb17576f49689cced4fa6ee192bb094ab9

SHA256
05909832ab9c13eb1d09b9091417bd8a0e078e4610fcd716360f923149ec682c

SHA512
1a913e1bb1644d683bd2f3d97fcde91f21851afdc69e9d22335d37eac46edd3be8223a602e0cc610326aa0568ba20f30db934c181a84c21cd370329f7a4318d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\baha1eiq\baha1eiq.cmdline

Filesize
272B

MD5
59ae751e9f8da99ab5ad5959d9df0e81

SHA1
72e80fea07e5de2f8ead6d2da694e0df8b3de3a5

SHA256
d94539650ef05f534443ccd2a349c78e1443647a29041fc6cc46c0f371e513f2

SHA512
ff5024eefdabb01c731187b836a45e514758382ac1700bc39b68c0e05ac32daff47c8aec3fe3e47b4d0b206c6b41d234decdcfe6cbe08a455ddec9330f3c1295

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp135.tmp.exe

Filesize
12KB

MD5
c3dafffc44f891f0d3a7e77083ae5b5d

SHA1
1127df7667959276b1e1a92e8d7db1774bbd6d3d

SHA256
c98d4a35dfd15e7dce9167e144348580f79ef9be122d7b78bc841f8726d31c3d

SHA512
0786de471b92053fe1e1a67fc347016e1c9249da26ac13d6591f163d3c75e0a83e0f862905ff0165e40bc92e43964c2efbdce907151ff8e88d9586a0982de4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc729D70CC561343AE9F8373E226A9F0BE.TMP

Filesize
1KB

MD5
2e4ebdae53080a2422e5734e66ba4807

SHA1
201c5e588ad309626cf36600ad1a0e638f55dd77

SHA256
986f026c9b46dbf6cd9f005b005daae389b139a0905aa2fa3223331f160c644a

SHA512
3b208e1b91fed29a44ce54a044fc95518ea03918e5367bdbb3ef9b479589482eb03204e127b7d7dcb3c2ae0f31b9b6ee6fa614cbc0919fd88c573731a6041eff

Download Submit
memory/628-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/628-7-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/628-2-0x00000000058A0000-0x000000000593C000-memory.dmp

Filesize
624KB

Download
memory/628-1-0x0000000000F00000-0x0000000000F0A000-memory.dmp

Filesize
40KB

Download
memory/628-26-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/5028-23-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/5028-24-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/5028-27-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/5028-28-0x0000000004FD0000-0x0000000005062000-memory.dmp

Filesize
584KB

Download
memory/5028-30-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing