8bbe21587d694f62806be0183ebbde1c2ae14a3fcca453a1300fad1ce1b63c07

General

Target

1579d407e4425f29953dd7945b202270_NeikiAnalytics.exe
Size

12KB
MD5

1579d407e4425f29953dd7945b202270
SHA1

9a41373b1fdf82f244a0070dc6539c813c0e9538
SHA256

8bbe21587d694f62806be0183ebbde1c2ae14a3fcca453a1300fad1ce1b63c07
SHA512

72774a82bace005facd60b98b81ff1c29091fa49e6d69595f30f316587f607c1b6070eba0a044a4f6e092223148bf85f8045c9efc972ee3a2fb74a96fdb936fd
SSDEEP

384:LL7li/2zVq2DcEQvdhcJKLTp/NK9xa8G:fFM/Q9c8G

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	1579d407e4425f29953dd7945b202270_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
5092	tmp3B83.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5092	tmp3B83.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	1579d407e4425f29953dd7945b202270_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2800	1544	1579d407e4425f29953dd7945b202270_NeikiAnalytics.exe	84
PID 1544 wrote to memory of 2800	1544	1579d407e4425f29953dd7945b202270_NeikiAnalytics.exe	84
PID 1544 wrote to memory of 2800	1544	1579d407e4425f29953dd7945b202270_NeikiAnalytics.exe	84
PID 2800 wrote to memory of 2200	2800	vbc.exe	86
PID 2800 wrote to memory of 2200	2800	vbc.exe	86
PID 2800 wrote to memory of 2200	2800	vbc.exe	86
PID 1544 wrote to memory of 5092	1544	1579d407e4425f29953dd7945b202270_NeikiAnalytics.exe	87
PID 1544 wrote to memory of 5092	1544	1579d407e4425f29953dd7945b202270_NeikiAnalytics.exe	87
PID 1544 wrote to memory of 5092	1544	1579d407e4425f29953dd7945b202270_NeikiAnalytics.exe	87

C:\Users\Admin\AppData\Local\Temp\1579d407e4425f29953dd7945b202270_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1579d407e4425f29953dd7945b202270_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rsgdnobt\rsgdnobt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C7C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc39E00BA342C2467D96A4F7B6B3FA5EE1.TMP"
    3⤵
    PID:2200
- C:\Users\Admin\AppData\Local\Temp\tmp3B83.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3B83.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1579d407e4425f29953dd7945b202270_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
d35eae5eb711973acb69c7343114defe

SHA1
e6879cf8ec737fa7933d405ff287fffee274f2bc

SHA256
47c46be8578ccfa96f7425b0bde63d81ba7acbab892f9bbd0667a2a8cd03d5d4

SHA512
9206ff6405390629e01c82640d31038104e2818b05bbffb2dc6a8f9807d7ac98e5638381685ac22f10bd0b3f5c7741d76dbbafc240e8c7691427acd3be07f541

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3C7C.tmp

Filesize
1KB

MD5
88a2b1eba0957f3eed7ff64b249b5e4b

SHA1
aa1b6836c96e9b3367e230d89a7274bf71b38607

SHA256
c416e9296374682f999735a21956f3686462f5975d3fbbb5dde89b3dc7032cff

SHA512
a71f823dc4f5ff428ce1c0c27c02e0046d12dd313ab33d93322a31cd841203f29cfbee57c3e39661fd00cb8f03610c4d3353bb1ed263df5dc50cd437cb6059d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsgdnobt\rsgdnobt.0.vb

Filesize
2KB

MD5
3c62626416648ab295bd06f70acb5193

SHA1
0b5f6cdbba9c5b4eb7c878d476a42ceca0537f11

SHA256
259741c418c6d13ebf351dfca60fa756f479e79ab1b65fcf7031f2367a8ebf5c

SHA512
100466e4c716410635af34f134d81b5daff761c850ee9c16b534cd50821ec2284a4ac3484b0484b153be43709db92361c96b548d0f4d0584826fe0cbce5b3015

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsgdnobt\rsgdnobt.cmdline

Filesize
273B

MD5
312e732e58c1fa994ad9152ed0fbc96b

SHA1
f8cc9358b2fd9fd33788f3692d72e003b8e5425b

SHA256
8da7981c31b8de2905ebeeef2f99e823c8cf4cfa300b21b9707f7a0d91d1ed1c

SHA512
3588df0a96089c02dd8e331e0c4e795360cbab86384f151a20a64faa41ccca76329ac0eab805108cc8b518e2d586dbca853d7df0050a9ca4a00e3dc6989bfab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3B83.tmp.exe

Filesize
12KB

MD5
67526ddd9f0d5550da3eb042250a8604

SHA1
4c2f6c77b862ab55a7a303d2e9866d182f66131e

SHA256
03adabfd1f7c0d44df227d2adaee67f1a487e8a5957601734ff5079f91d5a404

SHA512
38863ac3585ce9143bdf914fa3e024cfb3f1207d35c038fb24b3cf0fdc04dadb7ec83ad57d488a8042e812af49419245776b63b84c82a86ce9c8fd2a7459d7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc39E00BA342C2467D96A4F7B6B3FA5EE1.TMP

Filesize
1KB

MD5
92390102bd59e498eabf04bc564e7b4f

SHA1
e51baef6cf540f82e9215373dad2021cb70e8e89

SHA256
14a65831c15ae0caa419171345d804fbaa53ec5680efa2f54a6125e6c5783903

SHA512
4e225f8557ec0e63b68e93d98cd2999618bb12f8b98b7a2b432557698bff6795cb00b5fb6cc3cbecbeedf1e612bc0978fce8aba9b41342bca939fe67abde4929

Download Submit
memory/1544-0-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/1544-8-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/1544-2-0x0000000005370000-0x000000000540C000-memory.dmp

Filesize
624KB

Download
memory/1544-1-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download
memory/1544-24-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/5092-25-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/5092-26-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/5092-27-0x0000000005780000-0x0000000005D24000-memory.dmp

Filesize
5.6MB

Download
memory/5092-28-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/5092-30-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing