803d6a9b843255fe332a86c44e4708ae2d0977ea8d94e1e09cfabd9d087ae3f7

General

Target

182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
Size

12KB
MD5

182ef97364bb9b12f59442fa3997fa00
SHA1

5967673d4fab2ccfb0e0e1c3a9e7513bd7be4bd7
SHA256

803d6a9b843255fe332a86c44e4708ae2d0977ea8d94e1e09cfabd9d087ae3f7
SHA512

df22819d6cd19a341b8d2944403295218760312a9e25c2828464d4bb3f339047ce4fbddf72c16832f5faeb3e21bec54eb882e918a890360b7ec2076af5b459b0
SSDEEP

384:xL7li/2zgq2DcEQvdhcJKLTp/NK9xaNx:xkM/Q9cNx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1880	tmp5FE4.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1880	tmp5FE4.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 4872	2708	182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe	88
PID 2708 wrote to memory of 4872	2708	182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe	88
PID 2708 wrote to memory of 4872	2708	182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe	88
PID 4872 wrote to memory of 4804	4872	vbc.exe	90
PID 4872 wrote to memory of 4804	4872	vbc.exe	90
PID 4872 wrote to memory of 4804	4872	vbc.exe	90
PID 2708 wrote to memory of 1880	2708	182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe	91
PID 2708 wrote to memory of 1880	2708	182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe	91
PID 2708 wrote to memory of 1880	2708	182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p3jjnxpb\p3jjnxpb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6CCB6294E11B453E878FE8A9341163.TMP"
    3⤵
    PID:4804
- C:\Users\Admin\AppData\Local\Temp\tmp5FE4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5FE4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
86f5808c2711df688ed2d4aefbc96f7f

SHA1
fa414b3fac861ee1ff293b78dde357678c7777c6

SHA256
ee1890c3bca3b17a85c0ed94a8a7a859823d4f7779c10edce5cdedbf44b80306

SHA512
2bbbcde0623fe40969cd7d5a549176698ab8f45707956164a97cb233a2447e7675d3b1e6ab322087090e23a33169d2f3d6833e14b84d6cb0675c9f47e3058a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES61B7.tmp

Filesize
1KB

MD5
a658c4245f28c9268b6498ad586947c8

SHA1
433c7cb070a3046a75eb33d4cd7d4766c40267da

SHA256
887fae0e1997fc1e77ee0964bb4b8a302ae4bc5be6d50afb171f510c3e7a139a

SHA512
9d8c62bb91315003bac48a6831bcd1c51926a7fd05378c230dce4b314a72a78db7f7af8727fead290ee397fbcc82124387bf2e334fc280078b4874472c6ae2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\p3jjnxpb\p3jjnxpb.0.vb

Filesize
2KB

MD5
1949a02617d753a20356fba49b9c7d8a

SHA1
380921a0ae1fc3f655a36ac873418b33fce3a50c

SHA256
606edc0977533b99fc7ac56a8bc0fa309f5b6b5e3bbd12164142309d14bf4b4f

SHA512
d16a3ff84e7f01cbce6f180f16def656719e7c58e0869a4502710ea9c0871cdb55304254ceeaeee2aa83bd6a71dd3eaa43063b14d5eea1e341f78128a89137d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\p3jjnxpb\p3jjnxpb.cmdline

Filesize
273B

MD5
a5dc156203421d3c7db07812b457d100

SHA1
f425ce5de54994ff6a724f05624aae80602e73ca

SHA256
bdf564421062cfa23919b457e93488fdcb2e2f639455a6092bfeca737dddc223

SHA512
c06d15e37d667b38bd419187d9632c15cd9d12b2886bed69516c7ce7b016c7568ccc0c0c05088216ed24c3bf2116cb67119971b3fdef70d2a5b09a28b5e7ca55

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5FE4.tmp.exe

Filesize
12KB

MD5
99448358c844ef93ff9481d83c41247b

SHA1
597abeb5e0b2e10d80d76b2e181ceb223eb48439

SHA256
6cc0e6423f3312552b2013e626c3bfacb3ed10c4849e2e2947cd58b3ed45c0cc

SHA512
86771c1b0ff9a4f9d1d4a54273680696d183552cd538844d37a30db7e58a31952e1996fe8b4a8adca1ee2709490e9cc15d1b0ee5bff8ee6b4dd735847dcf164d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6CCB6294E11B453E878FE8A9341163.TMP

Filesize
1KB

MD5
59a689d5c30e7c17b58ae1dd98e72287

SHA1
f386f74ee09d6c49465da9b5dacb93a4b892b541

SHA256
aee0e6b2f93b9c4126f8a309c1a9667d9b12ce700f40bc3f4703af44dda09009

SHA512
b82f2f3799594374ef47821a307e2b4540279c84d45708469faac17f1aa5f3332b23999af6505fc894d21e7a9878f4a8a19a6e7c80338b227d77e195d06b26dd

Download Submit
memory/1880-25-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/1880-26-0x0000000000A70000-0x0000000000A7A000-memory.dmp

Filesize
40KB

Download
memory/1880-27-0x00000000059F0000-0x0000000005F94000-memory.dmp

Filesize
5.6MB

Download
memory/1880-28-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/1880-30-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/2708-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

Filesize
4KB

Download
memory/2708-8-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/2708-2-0x0000000005430000-0x00000000054CC000-memory.dmp

Filesize
624KB

Download
memory/2708-1-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/2708-24-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing