1ee57cbd1f0b6b663c4c9ffb24a3e116735c36470d62eca6096a4147526d4eb5

General

Target

af8d238015c563d839f13534630bafe0_NeikiAnalytics.exe
Size

12KB
MD5

af8d238015c563d839f13534630bafe0
SHA1

136891d91d7b8c7c70742b66706e17e10914794e
SHA256

1ee57cbd1f0b6b663c4c9ffb24a3e116735c36470d62eca6096a4147526d4eb5
SHA512

eaab433460fa7f8940ec85ecbdc988fd0138597f06926cd7b9ce1cbc12883211381c063d9d0bd7fe01584147178c4303b74c6f0f30de3f7c99f391e3cc0ef9ee
SSDEEP

384:ML7li/2zSq2DcEQvdhcJKLTp/NK9xaAb:KqM/Q9cAb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	af8d238015c563d839f13534630bafe0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4940	tmp10D5.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4940	tmp10D5.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	656	af8d238015c563d839f13534630bafe0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 4068	656	af8d238015c563d839f13534630bafe0_NeikiAnalytics.exe	92
PID 656 wrote to memory of 4068	656	af8d238015c563d839f13534630bafe0_NeikiAnalytics.exe	92
PID 656 wrote to memory of 4068	656	af8d238015c563d839f13534630bafe0_NeikiAnalytics.exe	92
PID 4068 wrote to memory of 4084	4068	vbc.exe	94
PID 4068 wrote to memory of 4084	4068	vbc.exe	94
PID 4068 wrote to memory of 4084	4068	vbc.exe	94
PID 656 wrote to memory of 4940	656	af8d238015c563d839f13534630bafe0_NeikiAnalytics.exe	95
PID 656 wrote to memory of 4940	656	af8d238015c563d839f13534630bafe0_NeikiAnalytics.exe	95
PID 656 wrote to memory of 4940	656	af8d238015c563d839f13534630bafe0_NeikiAnalytics.exe	95

C:\Users\Admin\AppData\Local\Temp\af8d238015c563d839f13534630bafe0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\af8d238015c563d839f13534630bafe0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lbq3aa1r\lbq3aa1r.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES179A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C8AEE4B1A7D4AA8AA8ACABEE53C3FB8.TMP"
    3⤵
    PID:4084
- C:\Users\Admin\AppData\Local\Temp\tmp10D5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp10D5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\af8d238015c563d839f13534630bafe0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
de12f130f1e33e826e33cb7b49ecfc83

SHA1
99b7653c385cbc7989fb035cbebfa62c6b83df80

SHA256
b6838f2fb1cf6dc91c8fb1cf3bcc894563c5a9844c0f00aaf72f8755b950392c

SHA512
7f9f4b2146bf935f22c97b6966eada1343646ad4d047bc4b3fde7bb2fc4d3ddc2bc3cebad94b94deb99aaf08913bd4df99920b4683de2c97e07434cafa11ac59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES179A.tmp

Filesize
1KB

MD5
324975f6e68076a72f5d1406d211e603

SHA1
928c61bac4666ee6edb4534dbcea70fb7bfe2cb3

SHA256
048c84c7ea7967950a0f9fdccd5b92f615462f51beca7831bbb43aeae2ad55f5

SHA512
19872bd66b27a39e9dab52907b5a76b591e0a5e3bcad16c7b9da130bf3e24f6fae0602c05db31a2cd5b747b3cef52185b46d734301e545e36ad3be70263d4f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbq3aa1r\lbq3aa1r.0.vb

Filesize
2KB

MD5
c908f29f9a7f9e262abba2281c94dd48

SHA1
4c6c360759103fd958ac9aa1ded598eb85649306

SHA256
147149babf275aa17c2447d5fd826bb8259f36ed15e56be4b2dceb1195523df0

SHA512
8a376ffc857d29ccaa443227d4027a814bb1c7ca5240a86608b9ad6a3bd1200e95ef15e553426309b1f05b26259a6751866ac14bb88d27014157c4e225b9b1b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbq3aa1r\lbq3aa1r.cmdline

Filesize
273B

MD5
6087daf5c682a4a5a5cac7f9f16b820c

SHA1
b533b8f23a8e66e211b756ff62fe9904e8516754

SHA256
d9cd7355b13b3433829f648d19ec0621997ebc86aa290af59c405607d1192a7a

SHA512
7217ae2dd57333ec40254b58e60cdfa7800c044345f42962052d3c7238708d096cec11e97e9bb6a376ab4e87a78723b570d4249c38d7731c56252f39ff8addc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp10D5.tmp.exe

Filesize
12KB

MD5
81f01a33b677e9f8dc0d53447fc87603

SHA1
94766331c2e89ed1f6fc7a25b673b1265693fad8

SHA256
78727d9d748e0ed722164bff376f37a904919ab9c24f849c4a33e08379450a9f

SHA512
63728ebdf48c459d3a664ee009736f3a68dd550ebe22c1c436604a9736cabe0857709ecc087bc884a9c1fc39268056b78e894fe5456eae646e44ef7c74349d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1C8AEE4B1A7D4AA8AA8ACABEE53C3FB8.TMP

Filesize
1KB

MD5
9e30ababe66050c017e96f3a305ff07a

SHA1
b6a4413c4268ebfb56c6351f1aab33c2a90e5eca

SHA256
9278697e621f4dc3b615e3956cbb5bd68d574dbb8b3752f679f1a98fa2b5067d

SHA512
a5a34d83798105103aee6035f7c3c7c76c0246b5e5db7ca05c84fddae98532d1b19bff1d898cdf450adf5d9f40b333cd26b055a5549721b7313345405b09fd1e

Download Submit
memory/656-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

Filesize
4KB

Download
memory/656-7-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/656-2-0x0000000005880000-0x000000000591C000-memory.dmp

Filesize
624KB

Download
memory/656-1-0x0000000000F30000-0x0000000000F3A000-memory.dmp

Filesize
40KB

Download
memory/656-26-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/4940-24-0x0000000000C70000-0x0000000000C7A000-memory.dmp

Filesize
40KB

Download
memory/4940-25-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/4940-27-0x0000000005B60000-0x0000000006104000-memory.dmp

Filesize
5.6MB

Download
memory/4940-28-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/4940-30-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing