28eb3beb520000445ad2d399c6a67e1ca2eab0a360a7aeeb39eca6aaff3a19d0

General

Target

152e047a90b072967e1ed9d0f8fa2640_NeikiAnalytics.exe
Size

12KB
MD5

152e047a90b072967e1ed9d0f8fa2640
SHA1

e43716c46e584735510d8f1fc2368e437802305e
SHA256

28eb3beb520000445ad2d399c6a67e1ca2eab0a360a7aeeb39eca6aaff3a19d0
SHA512

e453e420e9726333fa52aa9dc4783d25907019179eb382d7ebec2a945bd481d017b3e8574a8f632cfd8d3795936c2d578cfc61201757db3d3db244a54e596a80
SSDEEP

384:1L7li/2zUq2DcEQvdhcJKLTp/NK9xaME:VIM/Q9cME

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	152e047a90b072967e1ed9d0f8fa2640_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4484	tmp3DE5.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4484	tmp3DE5.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3252	152e047a90b072967e1ed9d0f8fa2640_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 2200	3252	152e047a90b072967e1ed9d0f8fa2640_NeikiAnalytics.exe	85
PID 3252 wrote to memory of 2200	3252	152e047a90b072967e1ed9d0f8fa2640_NeikiAnalytics.exe	85
PID 3252 wrote to memory of 2200	3252	152e047a90b072967e1ed9d0f8fa2640_NeikiAnalytics.exe	85
PID 2200 wrote to memory of 2952	2200	vbc.exe	87
PID 2200 wrote to memory of 2952	2200	vbc.exe	87
PID 2200 wrote to memory of 2952	2200	vbc.exe	87
PID 3252 wrote to memory of 4484	3252	152e047a90b072967e1ed9d0f8fa2640_NeikiAnalytics.exe	88
PID 3252 wrote to memory of 4484	3252	152e047a90b072967e1ed9d0f8fa2640_NeikiAnalytics.exe	88
PID 3252 wrote to memory of 4484	3252	152e047a90b072967e1ed9d0f8fa2640_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\152e047a90b072967e1ed9d0f8fa2640_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\152e047a90b072967e1ed9d0f8fa2640_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s4uz2c2b\s4uz2c2b.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3ECE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF14982DAAD9D4E4588B326E6A6D6883.TMP"
    3⤵
    PID:2952
- C:\Users\Admin\AppData\Local\Temp\tmp3DE5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3DE5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\152e047a90b072967e1ed9d0f8fa2640_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
82eefbf2f80eb2224c65493e7847dab9

SHA1
ee1f67ccd6e69d424bee459d8aecd7a27c40e954

SHA256
d812b8d44e1ccbb7ca9afe7250547e6c57b26e7da47cf76138bef3446bdda116

SHA512
f5ed9c5b917bfb31396082cfca0ae9f1805e6c27e1afb389f0d1be67cd79e694efcea743aee9a5da81043430f86244777a1700024b87cec9f2d590d64a8063ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3ECE.tmp

Filesize
1KB

MD5
9bbf8261f72627c3c33a1386d5691570

SHA1
76911c242596308378df0b9f0dba54641ebfc773

SHA256
1a6a75af6514224a508300f41b7e779236be5bfe65c029ca0d3984c0f5399017

SHA512
0d380858332b3db0c5b818bfda7f5c08adb2d29d483ce17e2a53327c8c07ad2294a07ca9856e55295d4b82645a05e383b927fa9d7d9354e9faee0566a42cf41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\s4uz2c2b\s4uz2c2b.0.vb

Filesize
2KB

MD5
015de1b039da2f6db35ac94d83290bcf

SHA1
478d1eae654ab1c2a84b61fbf5b93419fba6ce21

SHA256
263423d2eb78bb9b41b127006479d3022a6f6f55eafce009e55453ed0339bbe1

SHA512
7f821806b344704dbbc5df5c8a514bf49081a4a8078de67e159e690cb8a050576ddfb389e7f21840aa759bbf6b4a8b82a4f3050ce3040e7355874809cc8a0ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\s4uz2c2b\s4uz2c2b.cmdline

Filesize
273B

MD5
dbc6d1da707ac13655d4acff8ddd874a

SHA1
ac91154dbffa6464b0bb428fc3206fc1c73b90e4

SHA256
4a8696608c95892b252f1e0f659c0e8ed1e61b0c1460416e5e05e97cb39994a7

SHA512
0be1f72740c95528544e5bd87e1a190bfa3a0166de428683a681a8a2afa9e7aa609956434da5b644d6c2ffa8fe91ec63970b578e60879eb5726c3d5e787b1d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3DE5.tmp.exe

Filesize
12KB

MD5
7b838d6e754ea512e60b152f4b654016

SHA1
55e064491fa7a8935242521a7805929e5d22d74d

SHA256
b7d1161c41970e81216dc2032dc42beacbd28d15e625212b012157e58b29fdcb

SHA512
ced2210c9bbdc911bd0c79c1c37eb2d8665704a717dcfc1c52067e41675b601c99301a5a410489ebbab18ef213454db90a897ca0e421f3106c80da9c7ea02d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF14982DAAD9D4E4588B326E6A6D6883.TMP

Filesize
1KB

MD5
59e2d5ade172e4776ded084aa3aab945

SHA1
1bc6da435db2b1f17b8a5f61d0ce802e789c26d3

SHA256
e3f541ce12d69477ac4bb9dec915f05216e46809e4ee52d8c6ecbff81805242a

SHA512
c59bf65d3751b0f94a0e7a4fcddd97ff68116cbe75a9f18f2f5163f8f79540344b4dd8a9d1e65272d52645c7ccecc703d018e1176ecfcefbd377f9cadfa8bb09

Download Submit
memory/3252-0-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/3252-8-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/3252-2-0x0000000005590000-0x000000000562C000-memory.dmp

Filesize
624KB

Download
memory/3252-1-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/3252-25-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4484-24-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4484-26-0x00000000000C0000-0x00000000000CA000-memory.dmp

Filesize
40KB

Download
memory/4484-27-0x0000000005000000-0x00000000055A4000-memory.dmp

Filesize
5.6MB

Download
memory/4484-28-0x0000000004A50000-0x0000000004AE2000-memory.dmp

Filesize
584KB

Download
memory/4484-30-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing