684289abd865c137a1356368db6e5f5760bd46789b0783324af6f8461dae986f

General

Target

3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe
Size

12KB
MD5

3e439772261bc91cc430e15cfe5ca2f0
SHA1

869ef60e1227083740fdb0a7b94d79a417cb0d2d
SHA256

684289abd865c137a1356368db6e5f5760bd46789b0783324af6f8461dae986f
SHA512

541eeaffa2a3e7275ab69125d3a428734d29e35969adf2b774cf0721bf6b96191b18811c08dafff2722fc6b6480723d02f59237431bf9288cba4e1fec2d76a71
SSDEEP

384:/L7li/2zzq2DcEQvdQcJKLTp/NK9xay3:zvMCQ9cy3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1308	tmp5506.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1308	tmp5506.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4204	3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4480	4204	3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe	86
PID 4204 wrote to memory of 4480	4204	3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe	86
PID 4204 wrote to memory of 4480	4204	3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe	86
PID 4480 wrote to memory of 532	4480	vbc.exe	88
PID 4480 wrote to memory of 532	4480	vbc.exe	88
PID 4480 wrote to memory of 532	4480	vbc.exe	88
PID 4204 wrote to memory of 1308	4204	3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe	89
PID 4204 wrote to memory of 1308	4204	3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe	89
PID 4204 wrote to memory of 1308	4204	3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ntax0uru\ntax0uru.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56DA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4751A8D5A5784C09818FD9E8DF3B87.TMP"
    3⤵
    PID:532
- C:\Users\Admin\AppData\Local\Temp\tmp5506.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5506.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
cbd7b57c2280f69333a82d3a6fdfac69

SHA1
6ec39946ba6595b1412838a83776e08fd3c8f8f0

SHA256
d63c8e287a291be58e64bd94dbb64de4f85b456cdcc1715b1655090f16bf1271

SHA512
6f27cd58226e3816fda51cf1594ae571a491530e80fcfb18ff3bba887085dbd46d0f642660b48b5fa32d3f80cd27835bb0373a3251d73a60ff1ecbb66b81ed28

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES56DA.tmp

Filesize
1KB

MD5
46ded6e81b86e701864b6342d61e499c

SHA1
19466c0aa8ad37db1ed32ad71f0963642368c6e0

SHA256
874a8d51aaec7fe3dbad083d325a0a4804a5fefcc8bea52e3ab73885c700c7f9

SHA512
27293b6b39327f34e31a3446aed6185be7aa3a9bdb0738e979a7ba634ef1bc8d9cc8af12facf26cb0f01bf69b4cadc2fdef9625e3ceb07f15f31f9cf674cbbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntax0uru\ntax0uru.0.vb

Filesize
2KB

MD5
7613f4ab6c7f5ed05598bc32b3ffd345

SHA1
1b3ba08066d5dd8bc15c67d2572154d3da841aca

SHA256
d282dfae22a0a3521428b731d2c3dbd7b4f1b700033fa40f494773291aaa88e2

SHA512
0167c5e71d795e24cb862d6a0e3318cb3bb73a4842246152bfbaf45b3b4502da434884eca00a4c28dba947a2af9f1075174a586185037316289a6a878ecbda85

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntax0uru\ntax0uru.cmdline

Filesize
273B

MD5
c4a3a41ed450906d304a6255a6cb9d2a

SHA1
e7d9a71734d787925dfc732759bdac1ca6773675

SHA256
823dbab82985406cbf0b713086a326686d097420ed2243c5479aec78fa4e3f72

SHA512
b81646d6c1db74d288bb2357ccdcc00ecc86b3f8dc9171229879e89b6c17dcc20ce9dcdbd5a3bed1318f1bc037c9efee1075cfa188a1b3021902a02528ea1ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5506.tmp.exe

Filesize
12KB

MD5
824306455963608fcb812484e943fa87

SHA1
5036f83e28815281d37e1db9a70e2a7c68b43510

SHA256
a7b2f2a5b949fc677794078f0b35684097d2ce485111b42039219292d4a8ff42

SHA512
d1ad78afc37413f80b38bc4d9b89836b87829276271aebdb1fbf9826d77c2cf4cbcf373fdbe580e75f5cc8c97eb36147076f0a4dc981ad60b40cb25dfa154dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4751A8D5A5784C09818FD9E8DF3B87.TMP

Filesize
1KB

MD5
27ca12f8db63022e4eeb5341a5d642f1

SHA1
7ae461add92ab77369faebd453d3e459fb70b901

SHA256
ee241cdba1c70e8e99b442e073b5e5a09666ee4c53218a89e9e6639c1f124a7f

SHA512
4b4cb35128d5714ea71d97a7b4cb32621b8046b59418e249cb8ef23007b93aa5524c7f3425b987ebbb2a60b4b416f0d6da2d0c6f348d8d82b6ac274af2c71df4

Download Submit
memory/1308-25-0x0000000000FC0000-0x0000000000FCA000-memory.dmp

Filesize
40KB

Download
memory/1308-24-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/1308-27-0x0000000005EF0000-0x0000000006494000-memory.dmp

Filesize
5.6MB

Download
memory/1308-28-0x0000000005940000-0x00000000059D2000-memory.dmp

Filesize
584KB

Download
memory/1308-30-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/4204-0-0x00000000746CE000-0x00000000746CF000-memory.dmp

Filesize
4KB

Download
memory/4204-8-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/4204-2-0x0000000005670000-0x000000000570C000-memory.dmp

Filesize
624KB

Download
memory/4204-1-0x0000000000C70000-0x0000000000C7A000-memory.dmp

Filesize
40KB

Download
memory/4204-26-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing