24a8cd8aea3c786a001cae6c907bd85a707e25d8f04cb36bd27fc34e18f30f7f

General

Target

426c6e1b1cdf078fe14dc121725beb90_NeikiAnalytics.exe
Size

12KB
MD5

426c6e1b1cdf078fe14dc121725beb90
SHA1

68ae76e5c5fc76875d82f4c94a57614b374fd4fd
SHA256

24a8cd8aea3c786a001cae6c907bd85a707e25d8f04cb36bd27fc34e18f30f7f
SHA512

c56c4e8059e95ecc5428b718fdbeb3104bb8477f6287d7f0150adee9f65946bb8b369dd7e84814a174423651b8f7d2c410a13fcc8a61b20a448ea5006098e99e
SSDEEP

384:5L7li/2zYq2DcEQvdhcJKLTp/NK9xawc:JkM/Q9cwc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	426c6e1b1cdf078fe14dc121725beb90_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3584	tmp4D27.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3584	tmp4D27.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3244	426c6e1b1cdf078fe14dc121725beb90_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 4844	3244	426c6e1b1cdf078fe14dc121725beb90_NeikiAnalytics.exe	87
PID 3244 wrote to memory of 4844	3244	426c6e1b1cdf078fe14dc121725beb90_NeikiAnalytics.exe	87
PID 3244 wrote to memory of 4844	3244	426c6e1b1cdf078fe14dc121725beb90_NeikiAnalytics.exe	87
PID 4844 wrote to memory of 4916	4844	vbc.exe	91
PID 4844 wrote to memory of 4916	4844	vbc.exe	91
PID 4844 wrote to memory of 4916	4844	vbc.exe	91
PID 3244 wrote to memory of 3584	3244	426c6e1b1cdf078fe14dc121725beb90_NeikiAnalytics.exe	92
PID 3244 wrote to memory of 3584	3244	426c6e1b1cdf078fe14dc121725beb90_NeikiAnalytics.exe	92
PID 3244 wrote to memory of 3584	3244	426c6e1b1cdf078fe14dc121725beb90_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\426c6e1b1cdf078fe14dc121725beb90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\426c6e1b1cdf078fe14dc121725beb90_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tdp1qnrg\tdp1qnrg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6A120EFC55C24E6B8E9821B9CEAD7B70.TMP"
    3⤵
    PID:4916
- C:\Users\Admin\AppData\Local\Temp\tmp4D27.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4D27.tmp.exe" C:\Users\Admin\AppData\Local\Temp\426c6e1b1cdf078fe14dc121725beb90_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
83791caa372ea468690152134203801b

SHA1
2374a6aa4ba70bd431c42e0c9ca8caf3f757b6ac

SHA256
c9d0e66a339e20f36434846ed58a7f97a4184b59b812a159516915b3dee1a85b

SHA512
2e1a58f96c687108edcbf880d05ef17e5b4f6c7c34c160887e629da2d248ea9963b5372ff8de7bcc270508180345c131c91c70900f7b2579164b653613f9efc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4F49.tmp

Filesize
1KB

MD5
b44960e95c056b09cb7630b8dbe6f7f4

SHA1
bc2bd0fd2c93a6a3728262c7f596ca4a7c442b08

SHA256
24c598c071f1a5da08342a3fa357f760acd1eca7cd3dd39bf604036296ac9d6f

SHA512
1a2928570a530b2180a1343c03aa7e70637c805319ba22ad590b95855cff712be054bc1ac42eccfe3db668c9b2a1122b990bf95844fa773748ee2b8fdc8b28b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdp1qnrg\tdp1qnrg.0.vb

Filesize
2KB

MD5
0da6e6aa712094c6e99667d5b60e5310

SHA1
b30f57c5970c0f992c49f304ac8a7b202ae3df8c

SHA256
c7a32b16fe7a47abdf8f1244737c36af6cdbec5b0becee55e97f9cf30b51257d

SHA512
df5c8cfb492c0c49dc3fb20db77bf75d9ae8087e2c2aa5e1383249677e9e211de0ed7693243763f97414dae6eccab6757cc855f11f6c4556a037848c9e485147

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdp1qnrg\tdp1qnrg.cmdline

Filesize
273B

MD5
94c37402821d8dad1af530f4ca0db116

SHA1
906fd9e63311233b499697b5ddaacc6f3cdb43aa

SHA256
e872a463303af0c0eb1e5bc0ae58160111cf8801da9423f050358e91d37e4bf4

SHA512
588de7c6878b6ef16c4d9ac366076e726f8d559d442ef0bec22da6e197cc19e69ecd7cb33e199412e628cc250a8f0ff00c5e6439aed7965c294b4c1e5a67f735

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D27.tmp.exe

Filesize
12KB

MD5
9f0c3483d11370d201ce36efa30cd604

SHA1
004d64372e8b649d4c596ccf71fb91be2e89eea2

SHA256
7036d862923e44228806dcd768f8882862c88822b9843603f94671f2e3d4e72a

SHA512
26ec16f688258bd00c6feaf04b17f5f5d579da54954ce852459bf6cedda3a441f4a5d5f0f048df387c38b11a058113418a7c1986b9a711275419f557d1116633

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6A120EFC55C24E6B8E9821B9CEAD7B70.TMP

Filesize
1KB

MD5
3e9949c378b759749eb0c541e27748ce

SHA1
e9102761753ab636519de22b6ca167f628ea90f6

SHA256
2f6697520a92480711325031e5bc6c9b541d825283f39a4da8881c64a0efc0eb

SHA512
132042c680930471a4586fa436a4798d4f1db4c8426fb359986cec30e2ade2c2a39afea639f8c022a2533c139c54f290d13914b9a2fa30cf37212181efcc49ca

Download Submit
memory/3244-0-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

Filesize
4KB

Download
memory/3244-8-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/3244-2-0x0000000004D80000-0x0000000004E1C000-memory.dmp

Filesize
624KB

Download
memory/3244-1-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/3244-24-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/3584-25-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/3584-26-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download
memory/3584-27-0x00000000056D0000-0x0000000005C74000-memory.dmp

Filesize
5.6MB

Download
memory/3584-28-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/3584-30-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing