Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/06/2024, 20:35
Static task
static1
Behavioral task
behavioral1
Sample
96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
Target: 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe
Size: 12KB
MD5: 96ebdd4a73ae3b37ce3d048681a48f60
SHA1: ea1792921f99d943a6b9567a45561c157534f7db
SHA256: 0f7f9480172c6da790f19d065cab92249b91bec5b101622879bb0facdc9fceda
SHA512: b8e88401add52b8fcc49167bfe8045d467955469a660ae96cd760544526dd11912251a1e2cb763cfbd66c6c1451dbb58485b956bda7acea05dda62f6b9a66e4e
SSDEEP: 384:cL7li/2zYq2DcEQvdhcJKLTp/NK9xaNp:6UM/Q9cNp
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe

Deletes itself (1 IoC)
pid | Process
2652 | tmp4DE2.tmp.exe

Executes dropped EXE (1 IoC)
pid | Process
2652 | tmp4DE2.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 568 | 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 568 wrote to memory of 932 | 568 | 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe | 88
PID 568 wrote to memory of 932 | 568 | 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe | 88
PID 568 wrote to memory of 932 | 568 | 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe | 88
PID 932 wrote to memory of 1752 | 932 | vbc.exe | 90
PID 932 wrote to memory of 1752 | 932 | vbc.exe | 90
PID 932 wrote to memory of 1752 | 932 | vbc.exe | 90
PID 568 wrote to memory of 2652 | 568 | 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe | 91
PID 568 wrote to memory of 2652 | 568 | 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe | 91
PID 568 wrote to memory of 2652 | 568 | 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe"
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 568

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\05n3rjai\05n3rjai.cmdline"
    - Suspicious use of WriteProcessMemory
    PID: 932

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 3)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F78.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A5D3DB2937D4A19960E9D7CECE8571.TMP"
        PID: 1752

    C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe
    - Deletes itself
    - Executes dropped EXE
    PID: 2652
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 021fe420534bbf97e3d780bf9f9f6ab5
SHA1: a9be3d88e95e23e220e62b7bb82dd9839ee3f143
SHA256: ad488028d85d772587054b26f5a0f6ce4d8adf56ab0e194b6b979685e2c8cb53
SHA512: ccd5b06c5fe99c9e91737797f6bc528ef45964936c3b27f683f47c3d8a7c23ca3d14c4d6f565d8691b78505eb2ec42bf75381dc9ec6827a2119fb809e112c862

Filesize: 273B
MD5: 74dad794e05f01dc5a40a01da18c180b
SHA1: b09e470b6ace2e96fb46df2fd3518367b3470b91
SHA256: 0f3ee0493025a1b29546902bbf882734666cd518a63dd408cfc40da1d9096352
SHA512: 0f554728fa762411d011fa4aa815a34b1db35b9c570ce08cda031f9c45e566869a0c50dd8639c49345af22380c24dc14ea410e4028c05467646fa6a4672ed37b

Filesize: 2KB
MD5: 12f93dbf0ba2262acdf828655ae77d94
SHA1: 0ae33357bb626d0d8bd016b00a94053b70e108cf
SHA256: 871f96772ed2dfb47c814144cb4f9a4308ea17ecfc4e7ad179fbe4f26015fe7e
SHA512: 5a08cce813af88a2c36ecc8dd85b0a7adcaa3991d7f021b2ac244fe7b0232c4dbe0f58cda5d6160607e8eba387351609b63ca5cb6a2a04bb41f150ace9bc9359

Filesize: 1KB
MD5: 6e809b13fe8adebb135cd1e9329ffe8a
SHA1: 89425c9c129a79bc08f6c9d5ed600ebdfa2e8ada
SHA256: 767ca06c8d672aa79d724a1e6671d2fb824e410dc00ca4c4e049d85ee8844f08
SHA512: 0f377bf10f4db4095d7f24261195de203436d6ecf3dd69879022157a33c8149847802ebf343614e9e04faae3b83bf9019ebe612c26fb62330304dc96cc3a6d3e

Filesize: 12KB
MD5: bb63640629a4f6d323c3fcd7fe8b4ddf
SHA1: 1fc543140b4c949630b262d4a7d52ddd36248190
SHA256: da91e9d1305ceb0f0a805c9649d7aedcfb0bed22ed03319509ce899a95719fbf
SHA512: 04feb7d005b71a264e79d087503f8376a09e18af5d44aec372ef1ae2a7b8ab86f2078df64914ba20aae9f5c406eab4d985412f6187a5a0f35e54d86aa51c7c70

Filesize: 1KB
MD5: 7ca3abf5e1669f6273fbe5ad027b0131
SHA1: 5cf5e7dcad9c73536776f05331519f1af6d3653e
SHA256: 79d40d63870b09f409db5125ee2c646bcecf168a6400dee4a6b7e58649da94c5
SHA512: b99ef3d94dd83b45846cfeaf2000edbfb448aedc904651cd62e93c5f863e656c8609c96e8c550d17f184e26ab6f2aed7788e40c9353e38ded496842b5b8950c9