0083fe8ef5fa529b7cb67fdd3927d91ec3d8736beb405db8612e9aee10864bf1

General

Target

0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe
Size

12KB
MD5

0a623403cd3a136d7a11530348715f00
SHA1

7b656d6e6a1732f8656969ae0f84c29d3615cabb
SHA256

0083fe8ef5fa529b7cb67fdd3927d91ec3d8736beb405db8612e9aee10864bf1
SHA512

a78912d7fb9881258dc5bdd57aa29c7ab644953b7df4650a8ba3d0dda407d28fd242d8140b44ff0f88282270efef355c920213e3bd6232b02b5c32b8af899d6c
SSDEEP

384:BL7li/2zjq2DcEQvdhcJKLTp/NK9xaLk:h/M/Q9cLk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2972	tmpFEF2.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2972	tmpFEF2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 4576	4780	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe	90
PID 4780 wrote to memory of 4576	4780	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe	90
PID 4780 wrote to memory of 4576	4780	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe	90
PID 4576 wrote to memory of 4256	4576	vbc.exe	92
PID 4576 wrote to memory of 4256	4576	vbc.exe	92
PID 4576 wrote to memory of 4256	4576	vbc.exe	92
PID 4780 wrote to memory of 2972	4780	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe	93
PID 4780 wrote to memory of 2972	4780	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe	93
PID 4780 wrote to memory of 2972	4780	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe	93

C:\Users\Admin\AppData\Local\Temp\0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v0sgr3sk\v0sgr3sk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5FA9D2C26CC8455FB7B421CCD46D16A9.TMP"
    3⤵
    PID:4256
- C:\Users\Admin\AppData\Local\Temp\tmpFEF2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpFEF2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
3231ac81703fa30e51fcc1a70ea1ed3d

SHA1
a4a6e1e7f6af1f9a0942a19d84a53cc961d67aad

SHA256
2ee28f5a23fd24512cd6c0f446c0ffe1b85c45731f7dd24fb83c94105ab97e91

SHA512
e075be56d342e46d23ad3ed96c822a6a737976fe992c85aab6a67a8e5b2f243b4ab306cb52cd828a634b0edaf9f76345d2f916debee60da37763682c68203345

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES54A.tmp

Filesize
1KB

MD5
e75dab8b37396e2ea7bf5bbd031193c6

SHA1
c72fd42e777e68023771150f487a0fb811a19837

SHA256
62d9868add283a137e8469863cc9b4e774ff4c5701a593459b3949f27f7eb7de

SHA512
27b6919bcb22116d844c9b88a94ea1f1b467bece9f7dccf9063b17f01d9a583be2318bf17a82d79083d0b2a47902d753c3eeb7af4f64461bdb20f1229e63a5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFEF2.tmp.exe

Filesize
12KB

MD5
457f6b1f50d9c8831bd0d63637f0ecf9

SHA1
4abb48dc056123efb808e5a50e4991d3b82c7dc0

SHA256
7a4c2748d87eee697b8f110f9869c0ba3acdafb7ee1b62c70bc78dcbc0dcc64f

SHA512
2b8020cc7e26d48fb3b156a5bcd73ad69985c33804b09d42985ecc22d29f85877bda45cd90c7a8369d7630e407e17d03db31a8741719878a734f8ac1a3c33dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\v0sgr3sk\v0sgr3sk.0.vb

Filesize
2KB

MD5
33c4f367a7d1bf247c24154718fb8b03

SHA1
1f727abc2e72c828121fe60ee174f3b7d538e734

SHA256
caa4d45954fd0c2a31371d642819847dade2d4d1f3d3d22fe011f63b0442173c

SHA512
c535a92d7311afc30058ef060d60e68dd579c37a661abbf1914641ee296d9cfbee762ae37ef14d97c8250635f3011914585c00a0f42667e1b012cf1acceaddba

Download Submit
C:\Users\Admin\AppData\Local\Temp\v0sgr3sk\v0sgr3sk.cmdline

Filesize
273B

MD5
341b89658ea37e311dca8ff0c88931df

SHA1
0d69962c5c77ea46ccb208f481a87614dce00a5d

SHA256
8d9bdc12235a2ffe26c27e9dd3ad63ee8672e2b3f280f14124368e788638e63a

SHA512
b69efb605874bf711bd391042efdbb6b164ed896e8d9c826b189d33ba47246d3e1068bd391a08fc1e25399c11df90dd7685d8d6d189bf28da73b8df217e4dd36

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5FA9D2C26CC8455FB7B421CCD46D16A9.TMP

Filesize
1KB

MD5
2b3591418018f498fcf864930c73e8a3

SHA1
dcc48ac0b464f4933365ee138e675313ac79b261

SHA256
b87fa527c527c75fd76ce5430b47b6f2b5e20ed633ad4efd019b639483cb9bc8

SHA512
164cc303216c11a4b0ad7099fc5d4971da7e955bfba0a58172772af1456750e856b13370584f44586c7eaf54408ed0d2ac1283b845ac3c2efb86a6f01583adbd

Download Submit
memory/2972-23-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/2972-24-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/2972-27-0x0000000005190000-0x0000000005734000-memory.dmp

Filesize
5.6MB

Download
memory/2972-28-0x0000000004C80000-0x0000000004D12000-memory.dmp

Filesize
584KB

Download
memory/2972-30-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/4780-0-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

Filesize
4KB

Download
memory/4780-7-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/4780-2-0x0000000004980000-0x0000000004A1C000-memory.dmp

Filesize
624KB

Download
memory/4780-1-0x0000000000040000-0x000000000004A000-memory.dmp

Filesize
40KB

Download
memory/4780-26-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing