7fb2700ef5fcd0056f571b969e233c0ccb787b3fa7b328d7eeccdc418ecf2477

General

Target

388ae63dfaab745eab37df4c76f1a590_NeikiAnalytics.exe
Size

12KB
MD5

388ae63dfaab745eab37df4c76f1a590
SHA1

b9f777f860f641bbcd156982b080c681331996f4
SHA256

7fb2700ef5fcd0056f571b969e233c0ccb787b3fa7b328d7eeccdc418ecf2477
SHA512

f6fc663f8def8715a2dd04163231ee933e687c390025ceecb00e1d9587c02ae1cfe64275ef868b485021acca5ad4c5b8925674e35c8bb04ef7c5edd03726fc8b
SSDEEP

384:pL7li/2zFq2DcEQvdQcJKLTp/NK9xa//:Z1MCQ9c//

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	388ae63dfaab745eab37df4c76f1a590_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2800	tmp5B31.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	tmp5B31.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	224	388ae63dfaab745eab37df4c76f1a590_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 1112	224	388ae63dfaab745eab37df4c76f1a590_NeikiAnalytics.exe	90
PID 224 wrote to memory of 1112	224	388ae63dfaab745eab37df4c76f1a590_NeikiAnalytics.exe	90
PID 224 wrote to memory of 1112	224	388ae63dfaab745eab37df4c76f1a590_NeikiAnalytics.exe	90
PID 1112 wrote to memory of 4936	1112	vbc.exe	92
PID 1112 wrote to memory of 4936	1112	vbc.exe	92
PID 1112 wrote to memory of 4936	1112	vbc.exe	92
PID 224 wrote to memory of 2800	224	388ae63dfaab745eab37df4c76f1a590_NeikiAnalytics.exe	93
PID 224 wrote to memory of 2800	224	388ae63dfaab745eab37df4c76f1a590_NeikiAnalytics.exe	93
PID 224 wrote to memory of 2800	224	388ae63dfaab745eab37df4c76f1a590_NeikiAnalytics.exe	93

C:\Users\Admin\AppData\Local\Temp\388ae63dfaab745eab37df4c76f1a590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\388ae63dfaab745eab37df4c76f1a590_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uo2qeglt\uo2qeglt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D04.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25482619B9C0486ABDF63475F0474317.TMP"
    3⤵
    PID:4936
- C:\Users\Admin\AppData\Local\Temp\tmp5B31.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5B31.tmp.exe" C:\Users\Admin\AppData\Local\Temp\388ae63dfaab745eab37df4c76f1a590_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
71b7df11cb5d2142da017bd1c19f1910

SHA1
9f19afb7ddace40f88abdd6caba3c962cd55ace0

SHA256
533a7a2285c070e7f0d6b6231fa828140ef0659205ec287dd8300eb3cfcc06f7

SHA512
cde7bdc76393b8a0a0579268a661ea465f1f9e748a5535dbaa11d52fccc798c30e346021f26878b6102d56d0f4f4034c3ae2ff490b3df9bf70b7dd9c2e4658a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5D04.tmp

Filesize
1KB

MD5
31f4a2a7eef76c6607075befa2319e51

SHA1
6c7d33de8b106f3e02b0ba0119b331310dc8aa5c

SHA256
25961d6567fdfa76a9d1bf156aee09d9ecc39832cd2f5979d2e10b7a860f2c52

SHA512
8bdf2f0146e23ab692e89137e553684a0ca9fa97f8b0c03e1916b824cc969043945751847e9464ace7bfe080eda179858427269dec4354b87c3de24aeee21776

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5B31.tmp.exe

Filesize
12KB

MD5
4eff4ef34e30d321dbd21184efb6b3a4

SHA1
f2256cad9121062b06cf322a51a3cf212cecf4aa

SHA256
3f77fbd17f05dd57ec5ad7716c4415ae7d3faa0a994413abfbab8e75f4fd3163

SHA512
2b0c65bd7d2b7375b7eb205feb997f905b48accfae3b1b7e3ba0127fbb762683b272629600c2759199d6cfeb1e708ca7433368b05f07e41c6cde03bb43f3c614

Download Submit
C:\Users\Admin\AppData\Local\Temp\uo2qeglt\uo2qeglt.0.vb

Filesize
2KB

MD5
dc33e80a3a777c6747787ae44bf67456

SHA1
921489cfe33408b6ea09284765f9c161eb321541

SHA256
93a9d5527b695a7a3b13c5fac9a17beddce08907f41b3c5cb9d0517351c5658b

SHA512
1bdd72c5f229df503239b67ca61a393eabaf674eeb5601fb5a7dc0e38c28cac47ae1f66b809f8fbec955b17ef684bec974919e2605b1258ed92e67ed79d8c101

Download Submit
C:\Users\Admin\AppData\Local\Temp\uo2qeglt\uo2qeglt.cmdline

Filesize
273B

MD5
c532bd3e880d8ad1984e977f4a320263

SHA1
ce633c02b917b545e2393c8fccee2c2cb3f138c2

SHA256
67d4b031189c19ae784263621f250618ab2088d166bd9a1866d552ed7df51e23

SHA512
2fad461c3fe17de30b9eebe1c7a65b1f46a9bfa628204816cdbe2687250e94ca0e903813808a8bafc3021b4fd80ef797a32fd6a1b15bdac14604b89dd02a5a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc25482619B9C0486ABDF63475F0474317.TMP

Filesize
1KB

MD5
74cf15e46e2ff2911e6bf17a9df3afc4

SHA1
854730fa509c8a674f048b0d6d11db7a2e3949c2

SHA256
84b102e72661a55647ad4134885dc129e3fc61dd51e408a39db707f37394d512

SHA512
672d344e7bec83f46a0d82a98fe50f6b3e065713ee3c84da78b91a1487288334ca4c1853e3289ab9f961ba2c195e2c6c5c895d4b7389862cf34735ad856a25bc

Download Submit
memory/224-0-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/224-8-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/224-2-0x00000000054B0000-0x000000000554C000-memory.dmp

Filesize
624KB

Download
memory/224-1-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/224-26-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/2800-25-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2800-24-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/2800-27-0x0000000004ED0000-0x0000000005474000-memory.dmp

Filesize
5.6MB

Download
memory/2800-28-0x00000000049C0000-0x0000000004A52000-memory.dmp

Filesize
584KB

Download
memory/2800-30-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing