fb50b6a71a516686d6e468384844a6cc2c1604a0490fb978541e8d5ed1c7442d

General

Target

12e40db81d4bb74b6d9370470ffb93e0_NeikiAnalytics.exe
Size

12KB
MD5

12e40db81d4bb74b6d9370470ffb93e0
SHA1

cbbde5a9f1485b5d1ffc8b97d6a9731c13fdcdca
SHA256

fb50b6a71a516686d6e468384844a6cc2c1604a0490fb978541e8d5ed1c7442d
SHA512

1fc5536772c2b847814493a99cd932e28f050aeddf40f427aa653c4263eedb7a0013aa643af42220ccc5d5629c77020dae9b2da5504efff99088399d8fb194df
SSDEEP

384:BL7li/2zBq2DcEQvdQcJKLTp/NK9xa91:hhMCQ9c91

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	12e40db81d4bb74b6d9370470ffb93e0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1484	tmp419E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1484	tmp419E.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	12e40db81d4bb74b6d9370470ffb93e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2712	2960	12e40db81d4bb74b6d9370470ffb93e0_NeikiAnalytics.exe	80
PID 2960 wrote to memory of 2712	2960	12e40db81d4bb74b6d9370470ffb93e0_NeikiAnalytics.exe	80
PID 2960 wrote to memory of 2712	2960	12e40db81d4bb74b6d9370470ffb93e0_NeikiAnalytics.exe	80
PID 2712 wrote to memory of 2412	2712	vbc.exe	82
PID 2712 wrote to memory of 2412	2712	vbc.exe	82
PID 2712 wrote to memory of 2412	2712	vbc.exe	82
PID 2960 wrote to memory of 1484	2960	12e40db81d4bb74b6d9370470ffb93e0_NeikiAnalytics.exe	83
PID 2960 wrote to memory of 1484	2960	12e40db81d4bb74b6d9370470ffb93e0_NeikiAnalytics.exe	83
PID 2960 wrote to memory of 1484	2960	12e40db81d4bb74b6d9370470ffb93e0_NeikiAnalytics.exe	83

C:\Users\Admin\AppData\Local\Temp\12e40db81d4bb74b6d9370470ffb93e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\12e40db81d4bb74b6d9370470ffb93e0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jpngzpjc\jpngzpjc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4323.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA16CD8965F454C871A2F2CC2933DEA.TMP"
    3⤵
    PID:2412
- C:\Users\Admin\AppData\Local\Temp\tmp419E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp419E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\12e40db81d4bb74b6d9370470ffb93e0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f19f5ce9c87c70da42142ed0b679042b

SHA1
e45cc034e49bad4d5ab4c224136f91bd4e7e68f9

SHA256
f52ca886b0683401e9e64c379f0a951c615ed5feedecc7f92088b7d5e08cc139

SHA512
5e87d087a4d1c8591107c58d93d47ec79d3221622ca48011204259c020f1b08d61e799014f87f7cc218d0b5fd9cb5128da93d04ddd3f3c7d04ad9c695a743a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4323.tmp

Filesize
1KB

MD5
fcb6da6806f89867867e4ee15663c544

SHA1
cb0fd3f8614a480a1e01428fc173f7271a45cdc6

SHA256
1c0b67128bd1e4d416109c184a79fd6696b445b11f7087f9e71c8fc18d7f4b31

SHA512
fc1e3b3e5da94d23a5047fcd3fe25d4b06e473845692d157293ec69d9e89f1f9da548a54e211879bf7525c3c94f925bb7251b120a2a768e89007767410656da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpngzpjc\jpngzpjc.0.vb

Filesize
2KB

MD5
14cf0578bdd5ab16e00aa9431b9c6145

SHA1
aaf1a6a727cbece21ea6c278a76c06d9ec74a769

SHA256
2fa3f44b89dfa38717126180b73ae6a75cfd001b21dfb4b4e68caa0a366823ba

SHA512
6e639029e304ca696c5c168b8c770b1b2477b0b36f40925c01b8c2e91f6ccbd22ae0c412364f46a2c41b6f5cd9cf559732a695f188a1dfb3a6b358946dc4cc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpngzpjc\jpngzpjc.cmdline

Filesize
273B

MD5
dbbf66057642d60871382f4495d617ef

SHA1
5997d37ef70bb4424ea6d8b083b2e0191b4c43b9

SHA256
4e49a14c0183a12e52a8258c767e2534108d180a0b06826b234f69a90262a309

SHA512
e6f1a17de651d5e4a44cca62fe4e4daf461b5264231a506e91e898ba86b340b58926ef9be61c0057baee839cbd24d33ef70b10883cba6ff0631d02dd1fd29ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp419E.tmp.exe

Filesize
12KB

MD5
1a5168cc1c31d8cbed9a9681e5a05c45

SHA1
6591e50cfe4d92beb1e9b7a0652473694a055caf

SHA256
7310f9ffff5cb97969a7f26016affb4922cdc6561bfed224d0a5f82fea0f8d5e

SHA512
0c5f59e6c7d159b5d895cd2aaedab1544acb43e64bb42998d4b13cda139d00843cce615627604d0a5b803dddf7420db6744445ac09a6edd646ed3b7947a6031a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA16CD8965F454C871A2F2CC2933DEA.TMP

Filesize
1KB

MD5
fdb0829e148799c464f848962bb7eabd

SHA1
f8e1bb32afbb4b9c650fc3a3166b99441c43b52f

SHA256
82fca6e748987087d0980496b86aaa53a7b02b3e0e1f45b6c124836ade20ee69

SHA512
779f471c213f279f94e957bf8330d85adc888379e7c8ca90d16d8e91cda416434c7dc586e8c55ac79a37235580b4f4f3b958c6349e76cd64dac1147b74fbbc41

Download Submit
memory/1484-25-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/1484-26-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/1484-27-0x0000000005220000-0x00000000057C4000-memory.dmp

Filesize
5.6MB

Download
memory/1484-28-0x0000000004D10000-0x0000000004DA2000-memory.dmp

Filesize
584KB

Download
memory/1484-30-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/2960-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2960-8-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/2960-2-0x00000000059D0000-0x0000000005A6C000-memory.dmp

Filesize
624KB

Download
memory/2960-1-0x0000000000FC0000-0x0000000000FCA000-memory.dmp

Filesize
40KB

Download
memory/2960-24-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing