398deb4ed694c71ca48f6fb70cd669e6743f64acf8d1d7ad4bcc9bd095549f76

General

Target

4e0ac92347b930531fa7cce4144b5600_NeikiAnalytics.exe
Size

12KB
MD5

4e0ac92347b930531fa7cce4144b5600
SHA1

f96cba060a83722e90cec4ef58cccd63b25277ae
SHA256

398deb4ed694c71ca48f6fb70cd669e6743f64acf8d1d7ad4bcc9bd095549f76
SHA512

b55a040d1f4f3ee6aecbd0ffd867d39396b4f2d36c30156352b0e4328683f39430621cdc889684b3db6fdafcef82cf1cee50541a7caf799a25967d131a117422
SSDEEP

384:OL7li/2z7q2DcEQvdhcJKLTp/NK9xahK:YHM/Q9chK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	4e0ac92347b930531fa7cce4144b5600_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
368	tmp5C79.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
368	tmp5C79.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	4e0ac92347b930531fa7cce4144b5600_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 4964	1700	4e0ac92347b930531fa7cce4144b5600_NeikiAnalytics.exe	88
PID 1700 wrote to memory of 4964	1700	4e0ac92347b930531fa7cce4144b5600_NeikiAnalytics.exe	88
PID 1700 wrote to memory of 4964	1700	4e0ac92347b930531fa7cce4144b5600_NeikiAnalytics.exe	88
PID 4964 wrote to memory of 1996	4964	vbc.exe	90
PID 4964 wrote to memory of 1996	4964	vbc.exe	90
PID 4964 wrote to memory of 1996	4964	vbc.exe	90
PID 1700 wrote to memory of 368	1700	4e0ac92347b930531fa7cce4144b5600_NeikiAnalytics.exe	91
PID 1700 wrote to memory of 368	1700	4e0ac92347b930531fa7cce4144b5600_NeikiAnalytics.exe	91
PID 1700 wrote to memory of 368	1700	4e0ac92347b930531fa7cce4144b5600_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\4e0ac92347b930531fa7cce4144b5600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4e0ac92347b930531fa7cce4144b5600_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nrxzssug\nrxzssug.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5DCF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C44918E85C847519D5C5F4547DA1AE.TMP"
    3⤵
    PID:1996
- C:\Users\Admin\AppData\Local\Temp\tmp5C79.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5C79.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4e0ac92347b930531fa7cce4144b5600_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
72cfea5b9ab0d00615f9193af27751a9

SHA1
d0b99400510e2f4b280c9876047fa389ff660bef

SHA256
9f02c33cc7f6037aadff6820ae87e53c1fd6a362866536d48b0b2f2fcfc840f3

SHA512
a4bf2c20b383e86bdacf8e1cb877bdbc187c70d18dcdef9c4f064485563d108af35a727f72bf7735b7d96801980319e2a606c61d3639fef85033a74988409b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5DCF.tmp

Filesize
1KB

MD5
2e5dd0362a793a3225a6737979a8c4d0

SHA1
8d832a0670363c887efa80e422961ee7474fd39f

SHA256
1a0e30f56d4312ab5efb48e06b1688aec1ee5f8b2a69cf3fb1615e80312c3396

SHA512
04c6f9400f9534db19e072af180e9e301a3ddd19a2913b7778998fe3643cca7ff976b4fd8756542f13001937b159055357451e7cdb5a2b181ab3beeebb0751f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrxzssug\nrxzssug.0.vb

Filesize
2KB

MD5
1917ea283c54057cbfc470621710dcea

SHA1
bfcdd3c101e1086d0656e8a3e066df25c6aa4016

SHA256
5c975a00aa6e0f1f1899ea1699f1ade975264098bf433fc549c8944cd2c7ca67

SHA512
c95fb08df95d54738cfeaef974902d3b6e766a0317f8af73ce50393a4b68c426589a5352288edb9bee5dbf8c3fc90f4c15f5362e4bfa5545966bf03dc19c84cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrxzssug\nrxzssug.cmdline

Filesize
273B

MD5
38551b6d488c9155f89b54847cf2d378

SHA1
5c395eea1042ed672b6d3a6f6859ba1c2c3aa019

SHA256
1ba5d325253e42cd54f63703a872058d4cbfb0b5e9cc430ac06651a56d892a07

SHA512
5866c5ce6e205ac4285463eadb0e5252defde074be83bb9247b09d2751a8aac772fcbdd8590d8ef6a221492b8b7a221c7c8f94c9a39380b523ba605295b512a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C79.tmp.exe

Filesize
12KB

MD5
8c953710cd7165e2d8a7845f34cd2b60

SHA1
86884c0bbe5f49d000bba2a2c87aa015e835a040

SHA256
1a5521b36479f37e1b683dee175e01b94d403b34e3f2e635ff4e0a915e4cf1aa

SHA512
303e2248c49baa7ebbf138e0e029e51c7516d2422906a1e003a41ff52c7e594a3bd7513682b1b427cba69b36a441fbb1c3647525d13ea72d6aecf606cb37adb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8C44918E85C847519D5C5F4547DA1AE.TMP

Filesize
1KB

MD5
33e1e4573e2ef29bf0bd1719b74e4652

SHA1
d1b071c1b2e2c688d11cc77f17937db1d86b5872

SHA256
6266b8d76d14b969d75c63c2c8675997b04f172948575f93c1605c365567d883

SHA512
856303caf058bce7c853f40231e114b035d86e96e63d5546d70dbea850b15a75a9dc5d330930865303dbbda5265b1c55c3546e30741eaaabfcb2c12383699a56

Download Submit
memory/368-25-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/368-26-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download
memory/368-27-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/368-28-0x0000000005450000-0x00000000054E2000-memory.dmp

Filesize
584KB

Download
memory/368-30-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/1700-0-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

Filesize
4KB

Download
memory/1700-8-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/1700-2-0x0000000004E80000-0x0000000004F1C000-memory.dmp

Filesize
624KB

Download
memory/1700-1-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download
memory/1700-24-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing