eb8f94a7ed05a3972b9d53d9c50add9c06324dda19774e403bfe2be924515a99

General

Target

4b2493295303400c36fbc99285710fe0_NeikiAnalytics.exe
Size

12KB
MD5

4b2493295303400c36fbc99285710fe0
SHA1

c2045cabb2078d4e217fe3631039b0e0a6f22596
SHA256

eb8f94a7ed05a3972b9d53d9c50add9c06324dda19774e403bfe2be924515a99
SHA512

4e3377da9d033ed1b3d505ce464946202c9c7cee77ff66bc83e21e7bac09a4b34418886350f56350c5ac8efcb21557b6e058c6f0dcc4692581c83cddf911a6f0
SSDEEP

384:0L7li/2zyJq2DcEQvdQcJKLTp/NK9xa4W:i0MCQ9c4W

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	4b2493295303400c36fbc99285710fe0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1160	tmp5082.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1160	tmp5082.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3084	4b2493295303400c36fbc99285710fe0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 4184	3084	4b2493295303400c36fbc99285710fe0_NeikiAnalytics.exe	85
PID 3084 wrote to memory of 4184	3084	4b2493295303400c36fbc99285710fe0_NeikiAnalytics.exe	85
PID 3084 wrote to memory of 4184	3084	4b2493295303400c36fbc99285710fe0_NeikiAnalytics.exe	85
PID 4184 wrote to memory of 2080	4184	vbc.exe	87
PID 4184 wrote to memory of 2080	4184	vbc.exe	87
PID 4184 wrote to memory of 2080	4184	vbc.exe	87
PID 3084 wrote to memory of 1160	3084	4b2493295303400c36fbc99285710fe0_NeikiAnalytics.exe	88
PID 3084 wrote to memory of 1160	3084	4b2493295303400c36fbc99285710fe0_NeikiAnalytics.exe	88
PID 3084 wrote to memory of 1160	3084	4b2493295303400c36fbc99285710fe0_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\4b2493295303400c36fbc99285710fe0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4b2493295303400c36fbc99285710fe0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ettmowz3\ettmowz3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES519A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B301EA4C77E4093A6295219201F597C.TMP"
    3⤵
    PID:2080
- C:\Users\Admin\AppData\Local\Temp\tmp5082.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5082.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4b2493295303400c36fbc99285710fe0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
16ff3ef6ff9020e570f42b94ef6ef59c

SHA1
78e1667064c3ed8a785af24fd196f982b152d19a

SHA256
6cf02b097ed3365b52fcb21506872030f97f6091741a4b0aa639e6168c31c1b0

SHA512
d519f85d8b82dbedac27607777226a528de1a14de7f624eeddf95ae22424a5021a33fd3ca02f1edfcf53f4f7783f52e1a5e394bc855240b1da96fd8dafda817b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES519A.tmp

Filesize
1KB

MD5
891fc5a2538e64340badb17251fb5b45

SHA1
a5d27e86d8a1634c1fab361fb387af122736e27c

SHA256
e67e9ca6508bfda6fb482085d87374fdfe63efe870a33716c9d3ba6b284b2334

SHA512
bb2fb515b0bce7884aaf38fddceec2a5e74349187d3ba1ba1f78289e14516f097a86cbe0a2bc5087b921bad05f5ce8e0eb226475c236c037dfb74f8ea4c82e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ettmowz3\ettmowz3.0.vb

Filesize
2KB

MD5
18c89170270aacd60db1f787b316f45a

SHA1
5b98b6ce3cf6767285fc54c6dde61f1170946e5f

SHA256
71552cf5f196e9162833e78a6ef53ce86e947143acfc972090644e240846f88c

SHA512
cdc4a923d39e6cd24d831d22723ced222615dee308e2593497a8a1ccba1f4fa44660dcf09a3e112d589a38362e9f2b63c1408333e54df5c3d4f522994f72895a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ettmowz3\ettmowz3.cmdline

Filesize
273B

MD5
8f75e64a3cbd9c9e12bfc4f0a8c458b6

SHA1
611174a33fb21b9de0cd5c0fe7ea4b1a52404564

SHA256
732c0d0e5b621a139607d80113420e688dcac13b3c6cf329f5cb196de927c316

SHA512
ac546a9381ec3d95234e17125bbd716df67b0b7da923b8318a9f33e6520dc46a5f2e72837e56862632fa20bb76f71a882610fcdd2d2bfe853f79113b7bdf4e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5082.tmp.exe

Filesize
12KB

MD5
a54d11ff0278d600782328cc6ff964af

SHA1
b015161c5817b933d5cb054a38e7274f0879fda3

SHA256
43e475d5ef6b591db67403d9cfdcfffdcfa04018a0ad60778de9c939d4a58936

SHA512
a082dbb97754449eb5da6a118fe42b599b65edd2cbb3678e45947aea1a92f66a11a73f3f24d5eeee39b1d2f9903670bff94990876c5ac76e069581e6e0847e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4B301EA4C77E4093A6295219201F597C.TMP

Filesize
1KB

MD5
96a340201a5062aa65513b8f11f1c005

SHA1
2f89f28eeb282ee79ef3c929f95696d62760f026

SHA256
1987670349059d2dcea5b44b0de767644ca7ee7bed92399c793c8bd1a7c50b08

SHA512
c1d6ff63415d411c81157a2e73dcd3dd65a8ba04ddfd07acd06f736c98f990905f864a7c72bc7ce25a380685f404518f178c5aee32ee8b71fc1a8c980f261887

Download Submit
memory/1160-26-0x0000000000FF0000-0x0000000000FFA000-memory.dmp

Filesize
40KB

Download
memory/1160-25-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1160-27-0x0000000005EE0000-0x0000000006484000-memory.dmp

Filesize
5.6MB

Download
memory/1160-28-0x00000000059D0000-0x0000000005A62000-memory.dmp

Filesize
584KB

Download
memory/1160-30-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/3084-0-0x0000000074BAE000-0x0000000074BAF000-memory.dmp

Filesize
4KB

Download
memory/3084-8-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/3084-2-0x0000000005970000-0x0000000005A0C000-memory.dmp

Filesize
624KB

Download
memory/3084-1-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

Filesize
40KB

Download
memory/3084-24-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing