f3e4cfc3f347d1feff2019072d06c342c89f6b8fa712eabd16d07395f101fbd1

General

Target

bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe
Size

12KB
MD5

bf4c8e250602dbd4b327ad48c7680880
SHA1

7b4d6196f0492f7e6d763eb8cbfdbb8869015466
SHA256

f3e4cfc3f347d1feff2019072d06c342c89f6b8fa712eabd16d07395f101fbd1
SHA512

fc9c62013975078833602eb0bdd911c5569b8c2f1d7f7461976438b3a9839ecd82be768f050690d6213b2a5c6ca1f203521225590ba84057ee5d5d64357c2f63
SSDEEP

384:oL7li/2zgq2DcEQvdhcJKLTp/NK9xaX/:WkM/Q9cX/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4960	tmp5D53.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4960	tmp5D53.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 1632	2712	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe	86
PID 2712 wrote to memory of 1632	2712	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe	86
PID 2712 wrote to memory of 1632	2712	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe	86
PID 1632 wrote to memory of 1288	1632	vbc.exe	88
PID 1632 wrote to memory of 1288	1632	vbc.exe	88
PID 1632 wrote to memory of 1288	1632	vbc.exe	88
PID 2712 wrote to memory of 4960	2712	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe	89
PID 2712 wrote to memory of 4960	2712	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe	89
PID 2712 wrote to memory of 4960	2712	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\clkw3chy\clkw3chy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EAA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2830E2EFD7C44C2A8C1BF8372BD9122.TMP"
    3⤵
    PID:1288
- C:\Users\Admin\AppData\Local\Temp\tmp5D53.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5D53.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
cbd7b57c2280f69333a82d3a6fdfac69

SHA1
6ec39946ba6595b1412838a83776e08fd3c8f8f0

SHA256
d63c8e287a291be58e64bd94dbb64de4f85b456cdcc1715b1655090f16bf1271

SHA512
6f27cd58226e3816fda51cf1594ae571a491530e80fcfb18ff3bba887085dbd46d0f642660b48b5fa32d3f80cd27835bb0373a3251d73a60ff1ecbb66b81ed28

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5EAA.tmp

Filesize
1KB

MD5
135db46718d6488a6e73f0fb68ab6689

SHA1
9dac195cfff54594969ede3d31b1f64d30d3952d

SHA256
59c810917d545154777ba8aa191d8f112154e915658abac5423499d31885a2f2

SHA512
6623a1a7fb5208ed555a6277644e85343b77fa44685124f07f4f3e063f1d868fbe247df2bd1e5a7c76f005c50a7692008a78455a793ba98044001b9b72cbd2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\clkw3chy\clkw3chy.0.vb

Filesize
2KB

MD5
7613f4ab6c7f5ed05598bc32b3ffd345

SHA1
1b3ba08066d5dd8bc15c67d2572154d3da841aca

SHA256
d282dfae22a0a3521428b731d2c3dbd7b4f1b700033fa40f494773291aaa88e2

SHA512
0167c5e71d795e24cb862d6a0e3318cb3bb73a4842246152bfbaf45b3b4502da434884eca00a4c28dba947a2af9f1075174a586185037316289a6a878ecbda85

Download Submit
C:\Users\Admin\AppData\Local\Temp\clkw3chy\clkw3chy.cmdline

Filesize
273B

MD5
a5ad41bfadf3f6fb09c1e21c716d722f

SHA1
03b89587afea39c380ac5153cb79c269ba6c42f5

SHA256
da85193a335e69a560f3a084e514f87eaef3210dd27f0fe8a01bb12b447ec6eb

SHA512
056c82e1b157dc892c3a6b6cb4de133b53441a23d282d03b7af1fd5f5de7ee07337e16b60ce1c2947744e9f209c211deb2f36d066faff5d5f8d17bb149fdb3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D53.tmp.exe

Filesize
12KB

MD5
0407298d251bb899c1c8b5f92532fd1c

SHA1
5f7b23fa82b78808fc24371799943e88bedb6edc

SHA256
b991767d2248624233b50096ea9a198e21242ac29999d6da3fba85535d277fb4

SHA512
0cbd5351c8694f3969a2bf8c9d3f771998eebc8b9a6041b6b6150fabccc73b96d4e65d4c1d18f9f4b45a870cf09bcd4c5d41c749364b6d7cbec8df6a853878fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA2830E2EFD7C44C2A8C1BF8372BD9122.TMP

Filesize
1KB

MD5
27c648bd941db13d6c9fa417fa6f3500

SHA1
56043775f3b3beaacb796bac99bb4240abbbc203

SHA256
7d1ff60fb6337eddbf5f25abcb3e57cba04e6dd569776ad3672174b2b3ee79c4

SHA512
2ff13eaf7cb9ddff2ebcc99a6cda38f19ae2c9d98a759dba2431807fc258b62c912e8631f654de798a2608ada30b7726203a2c5dba94c0ef3607abcab73d7cd8

Download Submit
memory/2712-0-0x00000000744BE000-0x00000000744BF000-memory.dmp

Filesize
4KB

Download
memory/2712-8-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/2712-2-0x0000000004AD0000-0x0000000004B6C000-memory.dmp

Filesize
624KB

Download
memory/2712-1-0x0000000000060000-0x000000000006A000-memory.dmp

Filesize
40KB

Download
memory/2712-24-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/4960-25-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/4960-26-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4960-27-0x0000000005320000-0x00000000058C4000-memory.dmp

Filesize
5.6MB

Download
memory/4960-28-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/4960-30-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing