4107a1317ca44e3bd0a2bc1915a0264027545f91443ec4373183d392779417a2

General

Target

02822bdd140a1927b857484cf66e6170_NeikiAnalytics.exe
Size

12KB
MD5

02822bdd140a1927b857484cf66e6170
SHA1

5b5cfc4790324141ad8636f029427b5a90403f8e
SHA256

4107a1317ca44e3bd0a2bc1915a0264027545f91443ec4373183d392779417a2
SHA512

20bb40be3b7061392a7b18429bd796942f6beec450d6450ff4998e2a4041e0b5dac71cbcee9ddad2848f6f5d43c094017e627992a400222dd1dbdf032ecbeb64
SSDEEP

384:lL7li/2zZq2DcEQvdQcJKLTp/NK9xaQY:lxMCQ9cQY

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	02822bdd140a1927b857484cf66e6170_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1344	tmp493F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1344	tmp493F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	02822bdd140a1927b857484cf66e6170_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 3092	940	02822bdd140a1927b857484cf66e6170_NeikiAnalytics.exe	86
PID 940 wrote to memory of 3092	940	02822bdd140a1927b857484cf66e6170_NeikiAnalytics.exe	86
PID 940 wrote to memory of 3092	940	02822bdd140a1927b857484cf66e6170_NeikiAnalytics.exe	86
PID 3092 wrote to memory of 448	3092	vbc.exe	88
PID 3092 wrote to memory of 448	3092	vbc.exe	88
PID 3092 wrote to memory of 448	3092	vbc.exe	88
PID 940 wrote to memory of 1344	940	02822bdd140a1927b857484cf66e6170_NeikiAnalytics.exe	91
PID 940 wrote to memory of 1344	940	02822bdd140a1927b857484cf66e6170_NeikiAnalytics.exe	91
PID 940 wrote to memory of 1344	940	02822bdd140a1927b857484cf66e6170_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\02822bdd140a1927b857484cf66e6170_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\02822bdd140a1927b857484cf66e6170_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\poewdvuv\poewdvuv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70DB442B33254FFD8888716BAA174A3F.TMP"
    3⤵
    PID:448
- C:\Users\Admin\AppData\Local\Temp\tmp493F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp493F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\02822bdd140a1927b857484cf66e6170_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
a608f3d17cf3e13a09f79f83671a3237

SHA1
32eb5211499900d9e97742810d5207f9b51c0c01

SHA256
ab93f0739556adfb881e9cc0f0eaf657dc64f21716f4513b8cd6c211825e80f1

SHA512
8c314efae68f7346e5f9b72c5a50f8d0fae752f9055950beba3560f8e39bf19582a24f31ae3ea87e117db1e43b1759074e298dcd37d86c845cd45454bc685777

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A96.tmp

Filesize
1KB

MD5
a39c5bd8127d545e24454e96e034d831

SHA1
34ae6654831bacd2b1961fc8ceffb2fc5d6813ac

SHA256
2208458764896e849e6442f68bd8299ce0615eb5f7f2e46877c73f3d71284681

SHA512
d477ef06b96c14e58d89314aa2957ef89559393a4c02a02870a594b385efb321d941c86c404361f802e8fc2ee1ffdd0af4d30d91f6d80b1987b5436590ebd981

Download Submit
C:\Users\Admin\AppData\Local\Temp\poewdvuv\poewdvuv.0.vb

Filesize
2KB

MD5
aad386b656968393dadadc31077f08cd

SHA1
e6f8fab527f199d3b14233d32069e23ead986aa9

SHA256
e01e133e16a7257117c76e3dc18a3cfa935a19277a747f6fcb40d61096630564

SHA512
2feb01b1587dffda12578d870fcae242100d3a16ed9803d21200026e823e7c839479f4ca071e479b0df34f32c4567c921b37872ddf7cdef4796d04204edeb394

Download Submit
C:\Users\Admin\AppData\Local\Temp\poewdvuv\poewdvuv.cmdline

Filesize
273B

MD5
ba09c12c44d20edded7730fea98cc8c4

SHA1
50660c93dbc2beed866a66957e45ffa044108c24

SHA256
239395b566d27b8f447c8b0751ca3b4942f5bcff47b1d884daf0c39b4de0f7be

SHA512
8f78f61352e9fcf1886fc595711855551de4c15c6179c89141c759bf0fb9696c3f28a6f8c7c2ca36cd7e9c6aa67d9ac88ec2f841707be12e897609f9e93c92f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp493F.tmp.exe

Filesize
12KB

MD5
bd24c49b8f643e0131afb4789117ca7b

SHA1
4c3c070655b6ef29e21c31a6efd1da36afc9a978

SHA256
1f743852d2e4b7ecfd54162d94b48674d5ec0586ce435e0d580e0620048d00e1

SHA512
fe90572b04a4b5ff9bbf0dfa7ade3411d8bce532aed8505a8a097872f227288517d0c3d352ef638ff28b92a38dd0429df0845c247194ff5ffb78eb36398f00fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc70DB442B33254FFD8888716BAA174A3F.TMP

Filesize
1KB

MD5
1e2c5e160e69d3104e28572c5b8a5f2a

SHA1
f3871ab1c3bb605e5d8fb5eb571f2b8961f40d58

SHA256
0f8efce0157d9c59d74f53e29c9eec86913dd1466be168a8a00670cda2e81fcd

SHA512
e72136a7ba5deaf1067246bd3c7efdddf9b5b1cb0666213a0f4c8a0201920d2be32780545dc4867816cb7e25590ed5357ee242a965d37d3f3c89c2ea9db6c462

Download Submit
memory/940-0-0x000000007467E000-0x000000007467F000-memory.dmp

Filesize
4KB

Download
memory/940-8-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/940-2-0x0000000005850000-0x00000000058EC000-memory.dmp

Filesize
624KB

Download
memory/940-1-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download
memory/940-24-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/1344-26-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/1344-25-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download
memory/1344-27-0x0000000005690000-0x0000000005C34000-memory.dmp

Filesize
5.6MB

Download
memory/1344-28-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/1344-30-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing