81c764e55a6536314ccdc7247e9084f38c3cfea8108784f62f6db2bb13189bd5

General

Target

5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe
Size

12KB
MD5

5529224042ed82eb529d376b89bce8c0
SHA1

c7c8123b66f94d376601fdf229eb61efb0a341f2
SHA256

81c764e55a6536314ccdc7247e9084f38c3cfea8108784f62f6db2bb13189bd5
SHA512

c958e37d4843e17815f1e3953ab43f9471bbeccc092f38f4c4953b840fd68b6631234165d81926f3cadeb30fa46584879e1bbc11a7ceef18a7ff8b78b9627f85
SSDEEP

384:oL7li/2ziq2DcEQvdhcJKLTp/NK9xaef:WqM/Q9cef

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4360	tmp5B40.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4360	tmp5B40.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4276	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 3764	4276	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe	85
PID 4276 wrote to memory of 3764	4276	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe	85
PID 4276 wrote to memory of 3764	4276	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe	85
PID 3764 wrote to memory of 3696	3764	vbc.exe	88
PID 3764 wrote to memory of 3696	3764	vbc.exe	88
PID 3764 wrote to memory of 3696	3764	vbc.exe	88
PID 4276 wrote to memory of 4360	4276	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe	89
PID 4276 wrote to memory of 4360	4276	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe	89
PID 4276 wrote to memory of 4360	4276	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\01iblb0w\01iblb0w.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C78.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc38E59FDAC87F45DF9A653FEA5CC139A6.TMP"
    3⤵
    PID:3696
- C:\Users\Admin\AppData\Local\Temp\tmp5B40.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5B40.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\01iblb0w\01iblb0w.0.vb

Filesize
2KB

MD5
e1c8e59ac67a6094745876efb2b804c0

SHA1
9d8b17fda940ba9c87734890d165f23f21bb2f54

SHA256
72453b5e3b5e0530714f5961fa4fb304f91b10c5428fc0dca2255cf3ea0db570

SHA512
11ea5a32991f7aff02295dac215a7acd17d6b63d1e708575a8784e3638d235a9e9cb574bdfe038961d992d248222a35e51b625fc606fa61735de1116f8d9ea12

Download Submit
C:\Users\Admin\AppData\Local\Temp\01iblb0w\01iblb0w.cmdline

Filesize
273B

MD5
2308a8035fb8aaa63aa2705b6eca5406

SHA1
f5320e757c6f33b46619e507fd05dee322eac8d8

SHA256
3f7c094bb1ab9e066bb9aa21c1bb145709e65637f4f47e6c289d02c7bdc8ee3b

SHA512
4359e689f207e22b7e9edae425ad33c93a4a1b7b24ebac1b1de76405bdc30912d812b57c9c79d979bb9a1ca60c6f511f5ab45eee7921b840ab174f4890760397

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f1aa5c432a8d836774b188d7f56dfaa3

SHA1
bebd99db499cba57c71d2b7690e283e0d373712f

SHA256
d8eaaaec34a31027c2a815b890fee4492ac3ce1d7996917abe272aef0f459e37

SHA512
4b841e3bd3d2767d1d5df51bbcb81a2f57c7135e4fb1d279d55677c681d4ecef9f6b49b922bb02fa479c7a118bfb0b24fd3bb97e3feb659da62f12d4e88e2356

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5C78.tmp

Filesize
1KB

MD5
ca5842a47180481d7e1f6027d62375b1

SHA1
7472c339d59e6637902258d57ae9256fbcd0c0a0

SHA256
02bfb2e52967f1bf785c8ab568010b313d9f70cb54d9eb742f1414c084987a6a

SHA512
3a4caa6b46a133c70862133936079a580a27c884e93468992abcd7776eea575316db4ca60a35e6b8783f8676f7c116f10c8ff5150925a3b7705674a59040766f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5B40.tmp.exe

Filesize
12KB

MD5
763268100e947ed916349a22124d1182

SHA1
d2800444dd98cfa6639516e6de575c901554bbbc

SHA256
a5b169c3ee4947b47431d333ee1f3102177c2de0a8a97219e8a6fa5b21fe4938

SHA512
9c0dfde349ccdb0abe2978e9f2bfbc71fe361079954f50314db01738bae8f96a96933830c18d77d2c650042ebcfefbf6c3506d64c82ace8652c8129dd1a88471

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc38E59FDAC87F45DF9A653FEA5CC139A6.TMP

Filesize
1KB

MD5
a7cb6a0acb40ec222dc9044312df4b09

SHA1
3bbb6ad6088813cde8c1c8da305e515f02240fcd

SHA256
63cd2877727e4dde05b7d27954225072a69e3145c628240ba861bf060f55c6ff

SHA512
bf02766e771cdc9a2b592a50fcd808bcf1b87191f9e3f0e8feb42c505fc05170dff1a3561b9d7a9772167a2435f18f88dadbfdaad4ed3edd2af77b76d4851501

Download Submit
memory/4276-8-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/4276-2-0x0000000004A10000-0x0000000004AAC000-memory.dmp

Filesize
624KB

Download
memory/4276-1-0x0000000000050000-0x000000000005A000-memory.dmp

Filesize
40KB

Download
memory/4276-0-0x0000000074FCE000-0x0000000074FCF000-memory.dmp

Filesize
4KB

Download
memory/4276-24-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/4360-25-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/4360-26-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/4360-27-0x0000000005AB0000-0x0000000006054000-memory.dmp

Filesize
5.6MB

Download
memory/4360-28-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/4360-30-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing