e282d3607f5b07def18bbaa16c078baa000aef4eb3d48e615319c56761247993

General

Target

0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe
Size

12KB
MD5

0f5abecd5dfc00bbc09f7052f6405f30
SHA1

251fb46678761cf1c29abdaebf5e616d3dfca8bc
SHA256

e282d3607f5b07def18bbaa16c078baa000aef4eb3d48e615319c56761247993
SHA512

093293378143fd640faa97a2249e63a63e183e2110f52350e30d18048554037c0271c6c25db2513a2909303c7a0b7ac51743bd74089aae22cc0523603904687d
SSDEEP

384:HL7li/2zHq2DcEQvdhcJKLTp/NK9xa+c:rjM/Q9c+c

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1520	tmp42E6.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1520	tmp42E6.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 1392	4368	0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe	85
PID 4368 wrote to memory of 1392	4368	0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe	85
PID 4368 wrote to memory of 1392	4368	0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe	85
PID 1392 wrote to memory of 3352	1392	vbc.exe	87
PID 1392 wrote to memory of 3352	1392	vbc.exe	87
PID 1392 wrote to memory of 3352	1392	vbc.exe	87
PID 4368 wrote to memory of 1520	4368	0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe	88
PID 4368 wrote to memory of 1520	4368	0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe	88
PID 4368 wrote to memory of 1520	4368	0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n5cycwpt\n5cycwpt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES447B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D02FE191465426E9020C871ECFE377.TMP"
    3⤵
    PID:3352
- C:\Users\Admin\AppData\Local\Temp\tmp42E6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp42E6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
7b1818a32322e32a1966cf212aac3b43

SHA1
ff0e3fe9cbc3b6aa63e4f71eb832a12c17b129f0

SHA256
0ac3fec603a25e4209fe3bc6e7655648bcf07808272bca5a963b46c73a0584ea

SHA512
d8e5054429a34117694c4ab7e8e113cf5f4b15345425ab8962906a4366292b074ebf91e0fb3ce72e33c85ca925a49a8752ed4b3dca4820cef616b959e7480d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES447B.tmp

Filesize
1KB

MD5
39cadb25c366106bcc4168c35d89e6e0

SHA1
daae382ab90b026f22184e765ed979d2f552854b

SHA256
f9241dfb0b65f8fdcd6a05c551ae48113bbbbf91e2c26ff0a5769f627c3c93b6

SHA512
6e6f27a2af2b5ba54a3da95ef52d8236916c379ce658f1e3f6ea20e0c9e6fd55bfd49b7dd0c4eb629218f0329af4f708c37c40e674aa693efa960182f5fc7738

Download Submit
C:\Users\Admin\AppData\Local\Temp\n5cycwpt\n5cycwpt.0.vb

Filesize
2KB

MD5
708632f6b9d50ae1d5d5e22dc4f79199

SHA1
394ba060b29863d126e2487515ce20ec94ea7ae8

SHA256
0b17fbe427d92bc06c88035f7e0b9eec28579fa96d83dfec74acd326cb94f1d8

SHA512
aa7fbd0ebc646ed39ad093b741869ddf4bf0569f905c9caaea1e20b7e3cd4838a3db91396ebd06a2f4c32006c258ebcb9782b18b2befd5c0ea171a6d9f26f064

Download Submit
C:\Users\Admin\AppData\Local\Temp\n5cycwpt\n5cycwpt.cmdline

Filesize
273B

MD5
05027b734a76de8fcfc166a372c9ea4a

SHA1
8011f3e9449410f41ae52daa83c497fda5bfd725

SHA256
1b0761b02f7ab46e0cf16a9842f00657afb32e829c31d7947c8bb01dc77351e8

SHA512
0dbe16e0c11e20bee8c418cdd64734c56b797472cd0309a308275a16570c7b9571bfbf076f2283f847f2b0b9e09b5eec935fa50427c61759e893b03601dc24bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp42E6.tmp.exe

Filesize
12KB

MD5
38d69b4afed9659acd7d71d4854deb35

SHA1
55e75ef542e67889397063274005fed57d1e7006

SHA256
65be5236934fd1147a41ccf76a0a14b35a33a2ee47cb982376d9b94eff92f431

SHA512
f99b521ceda044dba69242f21cdc1f9d70509df6012b295e62757b027e1b755a774376d5e80d7f72473bf527738be947413477acb1f1b4a15e2ae8ae8e799545

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4D02FE191465426E9020C871ECFE377.TMP

Filesize
1KB

MD5
7c29c2f871a8da390516568283771ec6

SHA1
fe917e081577c3a34663c910e5af6ed87587a4db

SHA256
47c86a4e5bff37caa99ac2989282f7db13bb9cfa29434d5e00f20842ab512529

SHA512
f58a467d64c17b14efa22459af590e0902d1e62be25472687003ae655e6d895accae88a7663c7655c87a0c61ee96002c5b14c05629de569420e5ee4b38a2bf8c

Download Submit
memory/1520-24-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/1520-25-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/1520-27-0x0000000005D20000-0x00000000062C4000-memory.dmp

Filesize
5.6MB

Download
memory/1520-28-0x0000000005810000-0x00000000058A2000-memory.dmp

Filesize
584KB

Download
memory/1520-30-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/4368-0-0x000000007504E000-0x000000007504F000-memory.dmp

Filesize
4KB

Download
memory/4368-8-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/4368-2-0x0000000004AA0000-0x0000000004B3C000-memory.dmp

Filesize
624KB

Download
memory/4368-1-0x0000000000040000-0x000000000004A000-memory.dmp

Filesize
40KB

Download
memory/4368-26-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing