8480565219048ad3be4eef266b82e098d4627d550344dbf2922cdd168769aa16

General

Target

85aaa29c478fedc1a4f4b1d151e75740_NeikiAnalytics.exe
Size

12KB
MD5

85aaa29c478fedc1a4f4b1d151e75740
SHA1

d5c5f5c4862a20dff5e98066bd99b6a38970cba5
SHA256

8480565219048ad3be4eef266b82e098d4627d550344dbf2922cdd168769aa16
SHA512

f9f9a0e17bc7c1757aad3084917bdfd36da2b02ab1272dc83309782d98829d0f3f3c34bda87618567658c5369ffddeaa115112ab841648cf8179b3b5fa345831
SSDEEP

384:1L7li/2zjq2DcEQvdhcJKLTp/NK9xajw:V/M/Q9cjw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	85aaa29c478fedc1a4f4b1d151e75740_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3892	tmp4E40.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3892	tmp4E40.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4200	85aaa29c478fedc1a4f4b1d151e75740_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 3028	4200	85aaa29c478fedc1a4f4b1d151e75740_NeikiAnalytics.exe	86
PID 4200 wrote to memory of 3028	4200	85aaa29c478fedc1a4f4b1d151e75740_NeikiAnalytics.exe	86
PID 4200 wrote to memory of 3028	4200	85aaa29c478fedc1a4f4b1d151e75740_NeikiAnalytics.exe	86
PID 3028 wrote to memory of 4808	3028	vbc.exe	88
PID 3028 wrote to memory of 4808	3028	vbc.exe	88
PID 3028 wrote to memory of 4808	3028	vbc.exe	88
PID 4200 wrote to memory of 3892	4200	85aaa29c478fedc1a4f4b1d151e75740_NeikiAnalytics.exe	91
PID 4200 wrote to memory of 3892	4200	85aaa29c478fedc1a4f4b1d151e75740_NeikiAnalytics.exe	91
PID 4200 wrote to memory of 3892	4200	85aaa29c478fedc1a4f4b1d151e75740_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\85aaa29c478fedc1a4f4b1d151e75740_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\85aaa29c478fedc1a4f4b1d151e75740_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b0b0k4o0\b0b0k4o0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5014.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc159B9E5C715A4254B95D9FA0C0F888ED.TMP"
    3⤵
    PID:4808
- C:\Users\Admin\AppData\Local\Temp\tmp4E40.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4E40.tmp.exe" C:\Users\Admin\AppData\Local\Temp\85aaa29c478fedc1a4f4b1d151e75740_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
c6f1f4813e42ac61511bb7894ff6e415

SHA1
cb7d655da65b10b4b9a30d85747384e98a712f0d

SHA256
6ab40fe779d3e948b83212f8f92a3e98a47488181507f5626d5ee70c5ed2db27

SHA512
c10478a536dfa72ae7a7e2c583e9cfe3ee4237ae1ecf6148c93f12ff5b00ba442158f8c54e30372280dca3a9e30aeca487a135580217a21f43479468a8606e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5014.tmp

Filesize
1KB

MD5
752dd06f7d0f1a7e82da9dd52bbda346

SHA1
d55a538dd8ae7feffc76d2c11f0e9ab9f39e4cc1

SHA256
5fc2251735af83c5dd7c6b991648e7cdad4e91ae3b8b009c956ce4930cbc537e

SHA512
03fcad2884835d86ee79c76c0a86c934aa708319469a70d64d268115ae9aea98faf6b0c0046376550928034785b2ebf463423abd231750d8d6d19e5d5c539383

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0b0k4o0\b0b0k4o0.0.vb

Filesize
2KB

MD5
1fa1ee14bb52dc707ce1e1cac82f80d3

SHA1
3ea2ef4e68248fff18d333c5423757d5b7ca2923

SHA256
a607d1c4f902b8d605df662bcdd88c9553f64a095c5922465087a05a526ccd39

SHA512
2c0589dbc9ffa3ec59af580980aa1835bc048dd99d31a054ddffd68716a2f23b520bf523cf04b7c23dfaa698487979f66630181275af136feb6fdeda9f022675

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0b0k4o0\b0b0k4o0.cmdline

Filesize
273B

MD5
ce4459d3baa73949277dca0ac87c3aab

SHA1
1b2ec75473ec40abab3f903076b73bbe5eb075ed

SHA256
7b4b30b82c8ebada185e1a88fa3e5ab5fdc7fd39a68824c0c667fedc6a4b975d

SHA512
5681d145a8adfbeb8eb33b61f7ea8419aff357f4ce0a54bd96840f8ea66d6ee37760986857c6a2216da0a1814bcae147dc6922df4f48391733d0cc1e78521d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E40.tmp.exe

Filesize
12KB

MD5
176499a6c63ad8e2441c47030ad2de40

SHA1
73a7bb91e73860ff1dc8ef306f7143a36640821d

SHA256
6c7ff4b791c4de633d899a037426f67343d80d8ca83be97b6594d079cbd17359

SHA512
da98fd33549f8ddbfa7512df8a3c28d12dda63d02ad90387e50fbe67c02fd99b598d9f0432c823f92668a98009708beaf8c3f72b8cb1640446ad096221bab156

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc159B9E5C715A4254B95D9FA0C0F888ED.TMP

Filesize
1KB

MD5
551ca94c9579ac8f165309547ade0ef2

SHA1
5f50ac844c729c25dabcb22cbd45cb3fbe1a3828

SHA256
52964f4353ea661b130334abc46d769564fe1d360ba1f0a3018c9bef0da7a19e

SHA512
70d9a4ccacd821e1a0cb3087b15c3c71742c9043b9b1f8aa5ec97ee9a2600b0926a4bb912ffc379841ac5359c8bfe011905d65fc128c6e09f7c6f8ec28cd32b6

Download Submit
memory/3892-25-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/3892-26-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/3892-27-0x0000000005510000-0x0000000005AB4000-memory.dmp

Filesize
5.6MB

Download
memory/3892-28-0x0000000004F60000-0x0000000004FF2000-memory.dmp

Filesize
584KB

Download
memory/3892-30-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/4200-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/4200-8-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/4200-2-0x0000000004DA0000-0x0000000004E3C000-memory.dmp

Filesize
624KB

Download
memory/4200-1-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/4200-24-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing