Analysis
max time kernel: 132s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/06/2024, 07:31
Static task: static1
Behavioral task: behavioral1
  Sample: 3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe
Size: 12KB
MD5: 3e439772261bc91cc430e15cfe5ca2f0
SHA1: 869ef60e1227083740fdb0a7b94d79a417cb0d2d
SHA256: 684289abd865c137a1356368db6e5f5760bd46789b0783324af6f8461dae986f
SHA512: 541eeaffa2a3e7275ab69125d3a428734d29e35969adf2b774cf0721bf6b96191b18811c08dafff2722fc6b6480723d02f59237431bf9288cba4e1fec2d76a71
SSDEEP: 384:/L7li/2zzq2DcEQvdQcJKLTp/NK9xay3:zvMCQ9cy3
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | 3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe

Deletes itself (1 IoCs)
pid | Process
1308 | tmp5506.tmp.exe

Executes dropped EXE (1 IoCs)
pid | Process
1308 | tmp5506.tmp.exe
Uses the VBS compiler for execution (1 TTPs)
The sample launches vbc.exe, the VB.NET compiler shipped under C:\Windows\Microsoft.NET\Framework\v4.0.30319, with a response file in the user's Temp directory; see the process tree below.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4204 | 3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4204 wrote to memory of 4480 | 4204 | 3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe | 86
PID 4204 wrote to memory of 4480 | 4204 | 3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe | 86
PID 4204 wrote to memory of 4480 | 4204 | 3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe | 86
PID 4480 wrote to memory of 532 | 4480 | vbc.exe | 88
PID 4480 wrote to memory of 532 | 4480 | vbc.exe | 88
PID 4480 wrote to memory of 532 | 4480 | vbc.exe | 88
PID 4204 wrote to memory of 1308 | 4204 | 3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe | 89
PID 4204 wrote to memory of 1308 | 4204 | 3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe | 89
PID 4204 wrote to memory of 1308 | 4204 | 3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe | 89
Processes
C:\Users\Admin\AppData\Local\Temp\3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe"
  PID: 4204
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ntax0uru\ntax0uru.cmdline"
    PID: 4480
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56DA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4751A8D5A5784C09818FD9E8DF3B87.TMP"
      PID: 532
  C:\Users\Admin\AppData\Local\Temp\tmp5506.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp5506.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe
    PID: 1308
    - Deletes itself
    - Executes dropped EXE
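Two of the behaviours in this report, the runtime launch of vbc.exe from a non-build parent ("Uses the VBS compiler for execution") and the tmpNNNN.tmp.exe helper that receives the sample's own path on its command line ("Deletes itself"), are visible from process-creation telemetry alone. The following is an added example, not part of the sandbox report or of any tooling behind it: detection logic over constructed Sysmon Event ID 1 style records. The PIDs, image paths and command lines of the four sample events are copied from the process tree above; the sample's parent PID (4000), the MSBuild control events, the field subset and the rule names are assumptions.

```python
"""Process-tree rules for the chain in this report, run over constructed
Sysmon Event ID 1 (process creation) records.

Added example, not part of the original sandbox report.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 fields the rules below need."""
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET_FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE = TEMP + r"\3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe"
VBC = NET_FW + r"\vbc.exe"
CVTRES = NET_FW + r"\cvtres.exe"
HELPER = TEMP + r"\tmp5506.tmp.exe"

# Constructed events mirroring the report's process tree. PIDs, image paths
# and command lines come from the report; the sample's parent PID (4000) and
# the two MSBuild control events at the end are assumptions.
EVENTS = [
    ProcEvent(4204, 4000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4480, 4204, VBC,
              rf'"{VBC}" /noconfig @"{TEMP}\ntax0uru\ntax0uru.cmdline"'),
    ProcEvent(532, 4480, CVTRES,
              rf'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\RES56DA.tmp" '
              rf'"{TEMP}\vbc4751A8D5A5784C09818FD9E8DF3B87.TMP"'),
    ProcEvent(1308, 4204, HELPER, f'"{HELPER}" {SAMPLE}'),
    # Benign control: a build tool driving the same compiler with a response
    # file. Rule 1 must stay quiet here.
    ProcEvent(7000, 6000,
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              "MSBuild.exe app.vbproj"),
    ProcEvent(7001, 7000, VBC, rf'"{VBC}" /noconfig @"C:\src\app\obj\Debug\app.cmdline"'),
]

COMPILERS = {"vbc.exe", "csc.exe"}
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}
# Helper naming seen in the report: tmp<hex>.tmp.exe
HELPER_RE = re.compile(r"\\tmp[0-9a-f]+\.tmp\.exe$", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for events matching either rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else "<unknown>"
        name = basename(e.image)
        # Rule 1: runtime compilation. vbc.exe/csc.exe fed a response file
        # (@file) by a parent that is not a known build tool.
        if name in COMPILERS and "@" in e.cmdline and pname not in BUILD_PARENTS:
            findings.append(("runtime_compile", e.pid, pname))
        # Rule 2: self-delete helper. A tmp<hex>.tmp.exe whose command line
        # carries its parent's own image path, as with PID 1308 above.
        if HELPER_RE.search(e.image) and parent and parent.image.lower() in e.cmdline.lower():
            findings.append(("self_delete_helper", e.pid, parent.pid))
        # cvtres.exe under vbc.exe is the normal resource step of a VB.NET
        # build and is not flagged on its own.
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run against the constructed events this yields one runtime_compile hit for PID 4480 (parent is the sample, not a build tool) and one self_delete_helper hit for PID 1308, while the MSBuild-driven vbc.exe stays quiet. The Geo\Nation lookup and the SeDebugPrivilege and WriteProcessMemory signatures are not covered by these rules: Sysmon has no event for registry value reads, and token or memory-write activity needs ETW or EDR telemetry rather than Event ID 1.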
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: cbd7b57c2280f69333a82d3a6fdfac69
SHA1: 6ec39946ba6595b1412838a83776e08fd3c8f8f0
SHA256: d63c8e287a291be58e64bd94dbb64de4f85b456cdcc1715b1655090f16bf1271
SHA512: 6f27cd58226e3816fda51cf1594ae571a491530e80fcfb18ff3bba887085dbd46d0f642660b48b5fa32d3f80cd27835bb0373a3251d73a60ff1ecbb66b81ed28

Filesize: 1KB
MD5: 46ded6e81b86e701864b6342d61e499c
SHA1: 19466c0aa8ad37db1ed32ad71f0963642368c6e0
SHA256: 874a8d51aaec7fe3dbad083d325a0a4804a5fefcc8bea52e3ab73885c700c7f9
SHA512: 27293b6b39327f34e31a3446aed6185be7aa3a9bdb0738e979a7ba634ef1bc8d9cc8af12facf26cb0f01bf69b4cadc2fdef9625e3ceb07f15f31f9cf674cbbf4

Filesize: 2KB
MD5: 7613f4ab6c7f5ed05598bc32b3ffd345
SHA1: 1b3ba08066d5dd8bc15c67d2572154d3da841aca
SHA256: d282dfae22a0a3521428b731d2c3dbd7b4f1b700033fa40f494773291aaa88e2
SHA512: 0167c5e71d795e24cb862d6a0e3318cb3bb73a4842246152bfbaf45b3b4502da434884eca00a4c28dba947a2af9f1075174a586185037316289a6a878ecbda85

Filesize: 273B
MD5: c4a3a41ed450906d304a6255a6cb9d2a
SHA1: e7d9a71734d787925dfc732759bdac1ca6773675
SHA256: 823dbab82985406cbf0b713086a326686d097420ed2243c5479aec78fa4e3f72
SHA512: b81646d6c1db74d288bb2357ccdcc00ecc86b3f8dc9171229879e89b6c17dcc20ce9dcdbd5a3bed1318f1bc037c9efee1075cfa188a1b3021902a02528ea1ee2

Filesize: 12KB
MD5: 824306455963608fcb812484e943fa87
SHA1: 5036f83e28815281d37e1db9a70e2a7c68b43510
SHA256: a7b2f2a5b949fc677794078f0b35684097d2ce485111b42039219292d4a8ff42
SHA512: d1ad78afc37413f80b38bc4d9b89836b87829276271aebdb1fbf9826d77c2cf4cbcf373fdbe580e75f5cc8c97eb36147076f0a4dc981ad60b40cb25dfa154dd6

Filesize: 1KB
MD5: 27ca12f8db63022e4eeb5341a5d642f1
SHA1: 7ae461add92ab77369faebd453d3e459fb70b901
SHA256: ee241cdba1c70e8e99b442e073b5e5a09666ee4c53218a89e9e6639c1f124a7f
SHA512: 4b4cb35128d5714ea71d97a7b4cb32621b8046b59418e249cb8ef23007b93aa5524c7f3425b987ebbb2a60b4b416f0d6da2d0c6f348d8d82b6ac274af2c71df4