7e09f3a3afb083991a5a3c5cbc9a85d8f2a6f08ff555c55d391c16194a4a3948

General

Target

a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe
Size

12KB
MD5

a495330e156d736c6684d5dc97166880
SHA1

f28df3c1532e6e473317336d1f382409646e14b7
SHA256

7e09f3a3afb083991a5a3c5cbc9a85d8f2a6f08ff555c55d391c16194a4a3948
SHA512

73b38467eef0063111e4ad608f9f939988675c364afeca0176ec492d69f658077d5da421e8eb4aaf93e1503e064fc103723c2c520d2956300ca366ae0e4aab2b
SSDEEP

384:BL7li/2zDq2DcEQvdhcJKLTp/NK9xabo:h/M/Q9cbo

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3512	tmp859.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3512	tmp859.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2680	1420	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe	91
PID 1420 wrote to memory of 2680	1420	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe	91
PID 1420 wrote to memory of 2680	1420	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe	91
PID 2680 wrote to memory of 4016	2680	vbc.exe	93
PID 2680 wrote to memory of 4016	2680	vbc.exe	93
PID 2680 wrote to memory of 4016	2680	vbc.exe	93
PID 1420 wrote to memory of 3512	1420	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe	94
PID 1420 wrote to memory of 3512	1420	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe	94
PID 1420 wrote to memory of 3512	1420	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe	94

C:\Users\Admin\AppData\Local\Temp\a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1rrmx3co\1rrmx3co.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9751923ABE0478AB9E9E0138F4043F6.TMP"
    3⤵
    PID:4016
- C:\Users\Admin\AppData\Local\Temp\tmp859.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp859.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4456 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1rrmx3co\1rrmx3co.0.vb

Filesize
2KB

MD5
1bd01271c383fc157f30d2ddb90e5789

SHA1
769e28e5c01f7e3435b7b607bd41bdf8867766f4

SHA256
81601d02e11a9661dded6d88b489823bed41d492afc808105dd70e4ef976c4ce

SHA512
b424f22f216f8c6ea8e37c2656cc5b8c75cc4aaee984d7e7bbfa80448d12114c9517fe866eabf3eafe754b3b7033bd8366d8cc112b749cc35d6deefc2e035443

Download Submit
C:\Users\Admin\AppData\Local\Temp\1rrmx3co\1rrmx3co.cmdline

Filesize
272B

MD5
d108178706833af533ba138e617c77e3

SHA1
f0aa198425f3aa467a0158493b64e2eb3697cbfe

SHA256
5cd7a653ba0aa00b2f4bc5d346c253755258847a96c831092b6afbda8559a7e8

SHA512
0c7a2eade95c2882977a7612ce3d93edf049e834a3188feb930f460cddf38f83310e648a79b1f81e9ee5db0286e2b45ab88af32ca156c5ef20557819b3ad43c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
816894d12e74c4b3e48940d6b5a9b31c

SHA1
affe9c946ccc19f454d8f7fad1752a8ae03502d9

SHA256
8b448b2d43febd28655fb5805fa115a68c9cb36d3d22f7c139379f89679121fe

SHA512
f31a513d443815280c4597e6e6d2b6d03853542d74c85108bb16fe7a572f6c3b50ac061b1932ee639ef6ac86503272cb178d67c77a2b7bdf18ae1daaca7939df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES12C8.tmp

Filesize
1KB

MD5
156b82ee6e99459f6d738f291106d5ab

SHA1
476cba1de7b6c10435b4522e8586d56468591836

SHA256
70bcd6413ad6638e512a7c5fc3bf79a72bf8f37ef079267823593d45b83c3ef2

SHA512
7d19d69aedfc441980795d753d9f8ea8604aebd82bd959bc0b2bec962eefbf0dbe0238c811f33370d898832e62830f8dcafbdba74d0d04ce860e2c8ca962adbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp859.tmp.exe

Filesize
12KB

MD5
8c20e40334d2f2845df1452fd6a4a43a

SHA1
7c56442e8c92d9a8dd3d9b9ff075ea43fb39f2a0

SHA256
f30ad6195aa98b721c4f8ace0e3995f4a74be7516677de921138cabe16a58931

SHA512
b56f9d0459d8eeadd8c91e4472f6b68feba82b37ae2be90e4da01f0fcf9229c53a9cf6214f71f32fe854b1349aaf545d0070bf877fe2576810e4c44f68c0166d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9751923ABE0478AB9E9E0138F4043F6.TMP

Filesize
1KB

MD5
8459b9e312a6bf1fb45809804fb15cdd

SHA1
646555731c45b2424c1c45bd4d563b92e20161e0

SHA256
e60f0a2a6fe423e224477c982b66c0a8c149b2169ed0c1b71a38dd0af5a3e176

SHA512
7fa3ba5028fa50f380c69305c09945736a00195822c1be95d0b5d0b3141c586fac2de257e5e9c7132218d85bb5ee38223bb347c3190173af018e3a29fc32800e

Download Submit
memory/1420-7-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/1420-2-0x00000000050D0000-0x000000000516C000-memory.dmp

Filesize
624KB

Download
memory/1420-1-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/1420-0-0x00000000747DE000-0x00000000747DF000-memory.dmp

Filesize
4KB

Download
memory/1420-26-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/3512-25-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/3512-24-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/3512-27-0x0000000005680000-0x0000000005C24000-memory.dmp

Filesize
5.6MB

Download
memory/3512-28-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/3512-30-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing