e282d3607f5b07def18bbaa16c078baa000aef4eb3d48e615319c56761247993

General

Target

0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe
Size

12KB
MD5

0f5abecd5dfc00bbc09f7052f6405f30
SHA1

251fb46678761cf1c29abdaebf5e616d3dfca8bc
SHA256

e282d3607f5b07def18bbaa16c078baa000aef4eb3d48e615319c56761247993
SHA512

093293378143fd640faa97a2249e63a63e183e2110f52350e30d18048554037c0271c6c25db2513a2909303c7a0b7ac51743bd74089aae22cc0523603904687d
SSDEEP

384:HL7li/2zHq2DcEQvdhcJKLTp/NK9xa+c:rjM/Q9c+c

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2296	tmp3F0D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2296	tmp3F0D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 1204	448	0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe	84
PID 448 wrote to memory of 1204	448	0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe	84
PID 448 wrote to memory of 1204	448	0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe	84
PID 1204 wrote to memory of 1392	1204	vbc.exe	86
PID 1204 wrote to memory of 1392	1204	vbc.exe	86
PID 1204 wrote to memory of 1392	1204	vbc.exe	86
PID 448 wrote to memory of 2296	448	0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe	87
PID 448 wrote to memory of 2296	448	0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe	87
PID 448 wrote to memory of 2296	448	0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0tmwnen2\0tmwnen2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4083.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7DF940031065431FB762B513E627683.TMP"
    3⤵
    PID:1392
- C:\Users\Admin\AppData\Local\Temp\tmp3F0D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3F0D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0tmwnen2\0tmwnen2.0.vb

Filesize
2KB

MD5
21303903aa90e227af6bbdae014152b5

SHA1
9dfab9828827d9370b8c65641e9b1b5b77a2e4c1

SHA256
9fd46c542828c6dccd0aec7bbccc4601515d7ba61a3974d91cd0570fc30e1d29

SHA512
fd8ad92637aaeee6233a023f1bb162455f984cd52d36f97e34eddfcb5ed3ab5abb45c2feceddc91638e63e408b1e88bf4987f4aaa4997f50df3e27d3a841d0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tmwnen2\0tmwnen2.cmdline

Filesize
273B

MD5
ad258dacf7bedf5bd82a01dc6ef27d9f

SHA1
15974de5d86701b156fd86b7771ac861c2ed2e8c

SHA256
c440dff4cc3706b339f652ef4a5fe452103bd194c25362b71ce6ca549705ee59

SHA512
394944113f48b737596e85a4d098de894d6906054522748f792010dede398bfbba3b3c17d15540f2ff30724266f6e26051f2e1b037cdeb632349fab263e34a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
159c107fd08487bb3d3b18121ceab8c4

SHA1
bacf0634e95321c489fa9c04884f1a90696e07af

SHA256
5cfc2000d96e96a249f212e9b03c7d813906f983f3572879626f9faa684e1687

SHA512
b953a17ab8b5640bbbd1900083ac1a897f09d6522bff0952b4d55d5e9e8c1309d57dfe1093bd647630905d645dd2a246ff3444a40cccaa1fbc2ab324f843161d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4083.tmp

Filesize
1KB

MD5
0bd0b9e3c1d7d19dd1b0f9ada9c738ed

SHA1
de2a4fb8393a2e11615d4401f2d58691eafde707

SHA256
c17941bf94ca2e2547291e0ec856c3a93fa8b5e8aecaadd9091e4444e5ba80be

SHA512
4513ec9cf2b5c213238782c198cf8efdfddd5fa0047977188c583f9938c60cb00bb2ac8015f78708632ece46865d1973624cd84a49d423c08f1368ccd3591762

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F0D.tmp.exe

Filesize
12KB

MD5
a9ebe94149d806f6925d8636b4eb76fe

SHA1
4ded125cf0a502b9edbb7c709d3bed5394291333

SHA256
8db3ab97c41fca5fd76a3723e6729c47ab3aa8942a9d7ce7e3891230af428c09

SHA512
e8acddbcd5a44afc49e3d2cd76ae75f78b5bd0c04aee3144c20444dc1882f84bc6580c14ed1ccd9ad2097c7e2541f9eaa66abd383cc374b09bdb26da50c0dc29

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7DF940031065431FB762B513E627683.TMP

Filesize
1KB

MD5
20311d8d32101158ff38bc5d65e5f04e

SHA1
76dd3aaa0cea1a6f0a1b2ade5ca64cc92323ccb2

SHA256
018fc59863a355e0d59d7564af2795b7ffbf33fe43bd0d39823b326089aada71

SHA512
f29d36af3b788d50819251f196284386b4abcc6d9e3cdb66d3c4679bd4700c890445e6f0607ec6aac97d58c5b7b9f91fd694a25dd44a61cfacb97b79c8b11359

Download Submit
memory/448-8-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/448-2-0x0000000005720000-0x00000000057BC000-memory.dmp

Filesize
624KB

Download
memory/448-1-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/448-0-0x0000000074F6E000-0x0000000074F6F000-memory.dmp

Filesize
4KB

Download
memory/448-25-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/2296-24-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/2296-26-0x0000000000F70000-0x0000000000F7A000-memory.dmp

Filesize
40KB

Download
memory/2296-27-0x0000000005E50000-0x00000000063F4000-memory.dmp

Filesize
5.6MB

Download
memory/2296-28-0x0000000005940000-0x00000000059D2000-memory.dmp

Filesize
584KB

Download
memory/2296-30-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing