69741eb0f2d97d84f48a02a85a107f59679c00b7a52fdae0987eb4d14b3c2bd9

General

Target

63032e8e165ccf6ad79818406f6633c0_NeikiAnalytics.exe
Size

12KB
MD5

63032e8e165ccf6ad79818406f6633c0
SHA1

1da77c5f1f8b502e1c4fb826439a28b8c7c3b9fa
SHA256

69741eb0f2d97d84f48a02a85a107f59679c00b7a52fdae0987eb4d14b3c2bd9
SHA512

2fd1fbb8810adb25b412393122678c08bae676af788024764ce1e2839ac3be7766f12c8737c3a61250da31982ae154fdaec372c63419bb4a010e153aa1521fa7
SSDEEP

384:FL7li/2z9q2DcEQvdhcJKLTp/NK9xa3g:FFM/Q9c3g

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	63032e8e165ccf6ad79818406f6633c0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4212	tmp5D92.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4212	tmp5D92.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	224	63032e8e165ccf6ad79818406f6633c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 2840	224	63032e8e165ccf6ad79818406f6633c0_NeikiAnalytics.exe	88
PID 224 wrote to memory of 2840	224	63032e8e165ccf6ad79818406f6633c0_NeikiAnalytics.exe	88
PID 224 wrote to memory of 2840	224	63032e8e165ccf6ad79818406f6633c0_NeikiAnalytics.exe	88
PID 2840 wrote to memory of 3284	2840	vbc.exe	90
PID 2840 wrote to memory of 3284	2840	vbc.exe	90
PID 2840 wrote to memory of 3284	2840	vbc.exe	90
PID 224 wrote to memory of 4212	224	63032e8e165ccf6ad79818406f6633c0_NeikiAnalytics.exe	91
PID 224 wrote to memory of 4212	224	63032e8e165ccf6ad79818406f6633c0_NeikiAnalytics.exe	91
PID 224 wrote to memory of 4212	224	63032e8e165ccf6ad79818406f6633c0_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\63032e8e165ccf6ad79818406f6633c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\63032e8e165ccf6ad79818406f6633c0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\okify3y0\okify3y0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1CAAF79EA2F044C9B4B04DE1A7FC494D.TMP"
    3⤵
    PID:3284
- C:\Users\Admin\AppData\Local\Temp\tmp5D92.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5D92.tmp.exe" C:\Users\Admin\AppData\Local\Temp\63032e8e165ccf6ad79818406f6633c0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ba2de093c8b6163475ce7840d5f7e23f

SHA1
e87e40a7ab6723402a0e79d21489e69bb51d4586

SHA256
e4397db949a700fea646995c2d7180a2e110ccab8525df4788afd786e896095d

SHA512
62136ee258d664ff102aab7b08859e7bc0c334e9da117efa352965b0437db9087be5d00ac421a4dfef5ce2c1b4254e9ac41f0121dbdea8489f8d82caca38d185

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5F66.tmp

Filesize
1KB

MD5
83555efd5170c66f740da77eac036697

SHA1
32f33586e0f2247a2549c5d20c208be8c58e3a28

SHA256
93d523336b6ab47d92da1e6dbd00b675c19ceb2da749c7d6774b658f1b69a517

SHA512
f1388311efb43929c1df9e0f7de1778dfda641685cca71b7bb614ae4129ef67fc0725ba80bddfdc571f731df6fa21f9148605bb1bf01a6c92232e4397a3981e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\okify3y0\okify3y0.0.vb

Filesize
2KB

MD5
a8f791d305a13b725261caf187cfda11

SHA1
dba1997f2eca205aa8d0ff7d47f32aa98cb35fce

SHA256
ed5133c871b81f68f0742e25189b85726b3e8af63421f593ac2dfede02901e64

SHA512
942a48ade97b325870773f9775c0bb8255fadeb2d6c0f03cfb8c8fa4abb210d2a0423895effdbf98c569beffb4bd582c18db8c7b8266357b0b1d82be5ca1c532

Download Submit
C:\Users\Admin\AppData\Local\Temp\okify3y0\okify3y0.cmdline

Filesize
273B

MD5
d899f7a6561234a270573b5f01ee8b22

SHA1
f162b0b822b9db099e0b204c62f0067a903f571a

SHA256
bbe858f551632b4d4b43c920336cddc9b184d5e883317aae3737dba449d73589

SHA512
637538201739c21e111c3442ebb6708e615b6031256b62f31c33814faf396f0a565ba2b3ba56426e4ac82ad9a3a7fc7919bd2bb86d382c4108d363c1d0fec020

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D92.tmp.exe

Filesize
12KB

MD5
44734eb8ff3b1e13b2d796fd7bb5fd79

SHA1
1b6f1c445204ac7f1e43c7beb03cfe79b8890b9a

SHA256
85ba7f09cbe5875dcee5487e890577be597be7bd2dd56d10f795cd5a2d42bdd9

SHA512
99a6d65b38af3a6cdb6c3dc86f4edcaaadd72d1e92706bd52ce674510c93810be3418bd85082dd80756ba8df84fe27cf2e3f802ab8dd5249129871d8435e4fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1CAAF79EA2F044C9B4B04DE1A7FC494D.TMP

Filesize
1KB

MD5
b8c46ee6c48fad6100674a300877579e

SHA1
381e855a5d32b79fe1b11b5e73c6cd0ae0e94446

SHA256
92d480865f113688dacb868292b915f165e31b857bd4d55aa2aa31b3849104a2

SHA512
6640329cdfc85d174e0ee43417a5fa6a20524c5ff74caf5fc187af00870fcdc86f0c9e907fdc41a72ffd235c939c82bbee4abc06b326df41ddcb48cc945c6563

Download Submit
memory/224-0-0x00000000746AE000-0x00000000746AF000-memory.dmp

Filesize
4KB

Download
memory/224-8-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/224-2-0x00000000055D0000-0x000000000566C000-memory.dmp

Filesize
624KB

Download
memory/224-1-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/224-24-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4212-26-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/4212-25-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4212-27-0x0000000005110000-0x00000000056B4000-memory.dmp

Filesize
5.6MB

Download
memory/4212-28-0x0000000004C00000-0x0000000004C92000-memory.dmp

Filesize
584KB

Download
memory/4212-30-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing