9b07007572439ce52ae6606cbc4be8ae653bff80e287c1cc2a431a4dd23f3818

General

Target

180b178529d53f2ea77ae670c1bc91a0_NeikiAnalytics.exe
Size

12KB
MD5

180b178529d53f2ea77ae670c1bc91a0
SHA1

07a6cb92cc1ee2b0f86d467b1c20969abb3d4451
SHA256

9b07007572439ce52ae6606cbc4be8ae653bff80e287c1cc2a431a4dd23f3818
SHA512

c9d0a42c4166b417e3db5b46d6678af36d792395918187df2b5fc3d401a37f4b5ac677c8e9961fa3d4ba5b6bbaa175e7875cc9ac8e39559cd2842e3fe3cc513b
SSDEEP

384:CL7li/2z9q2DcEQvdhcJKLTp/NK9xatB:cFM/Q9ctB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	180b178529d53f2ea77ae670c1bc91a0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2196	tmp5526.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2196	tmp5526.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	556	180b178529d53f2ea77ae670c1bc91a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 2172	556	180b178529d53f2ea77ae670c1bc91a0_NeikiAnalytics.exe	85
PID 556 wrote to memory of 2172	556	180b178529d53f2ea77ae670c1bc91a0_NeikiAnalytics.exe	85
PID 556 wrote to memory of 2172	556	180b178529d53f2ea77ae670c1bc91a0_NeikiAnalytics.exe	85
PID 2172 wrote to memory of 3156	2172	vbc.exe	87
PID 2172 wrote to memory of 3156	2172	vbc.exe	87
PID 2172 wrote to memory of 3156	2172	vbc.exe	87
PID 556 wrote to memory of 2196	556	180b178529d53f2ea77ae670c1bc91a0_NeikiAnalytics.exe	88
PID 556 wrote to memory of 2196	556	180b178529d53f2ea77ae670c1bc91a0_NeikiAnalytics.exe	88
PID 556 wrote to memory of 2196	556	180b178529d53f2ea77ae670c1bc91a0_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\180b178529d53f2ea77ae670c1bc91a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\180b178529d53f2ea77ae670c1bc91a0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3gvmmdbe\3gvmmdbe.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FCE7B4A94EA41CF806A244E6E854C54.TMP"
    3⤵
    PID:3156
- C:\Users\Admin\AppData\Local\Temp\tmp5526.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5526.tmp.exe" C:\Users\Admin\AppData\Local\Temp\180b178529d53f2ea77ae670c1bc91a0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3gvmmdbe\3gvmmdbe.0.vb

Filesize
2KB

MD5
939b01f7fbd0f943475e809ccb8af282

SHA1
2ca775c99703a68cb0bdc5d63c2c630ad02ff3b6

SHA256
2e5e2ad50f87ee2c1365edc33ca44117fe7168e662c3034c1698d9ecc5fa5f4f

SHA512
7e02984482d187066dfcd332bf2334b4c90ee1a00d6aef7a52139d7bffdf0ca32234db04dc5bfaf0968d5e2faa636935b690e254bf0ba1a05935cd48042a84d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3gvmmdbe\3gvmmdbe.cmdline

Filesize
273B

MD5
6861def369865d9edb5b442297ed92f4

SHA1
63192a34fe49188792dc8bacf024565d70b05e73

SHA256
d65788d99905e32359105d81fd8d7715ea0b85b705e7e239a3d3dc9d28d4616c

SHA512
0dcb661c9d9a132307ec1a434d58ef373f43fbb7ca61028273b7b2d1668d6cb76f0473eb0d5a36026a01746014d48aaeda9daa5cbccf4ce1f989478c9674e82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
80186e60cb47c454e2ad548e92aa7127

SHA1
298b74555895ffb6cfca71fcce4336c09fac03bc

SHA256
798491fe41564223764c6957e2383fd141f3498b0d1266ad08a517eb75f6d012

SHA512
d6a406a3e02accad404189d8fbff9833e887eefc950929d9c9a050136d5dc540aef00800cc8b8c6b7ffd9783ffcb1b06afadaabc6d34eafbbf03f2c3bd5483d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES56F9.tmp

Filesize
1KB

MD5
16346a348a4e2034f830bf563314845a

SHA1
fadddb5207dac2da914c5bea18e7f694d3e323c0

SHA256
c961fde98b405739fa236dd9ee199f0f9475eb712b929cfd560f94803016d825

SHA512
b86b79b7c83b627fe9231c6d7ac09a211ee11323209a6ae040159e79d76f1ded8aa8b907599a0e9b6b23e8ff64f1d9c80c9427cc10c7fc14e3d4fcbaeafdc952

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5526.tmp.exe

Filesize
12KB

MD5
ebfb3736dd16a29b47c20ce2eda4ad9c

SHA1
a7eeb1df4beb85711d118eea6fbe34c5462247ea

SHA256
b16fdeae547c52fb50a3c782c0b4c0d72d3c5d53e39254a1c2b1f9de9aa9f69a

SHA512
76c7da948d4be3840f9ed109de996bdbdc79ca765640c6b48beb0a1f82fc2f48c7c303120a4893d53b5966d6e93bb08ef4d28816e80e3dab54b56dc2779b8e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2FCE7B4A94EA41CF806A244E6E854C54.TMP

Filesize
1KB

MD5
eeb9b2c8ed4d765ebd64f1fabea979d7

SHA1
d66c29e0722f7b68827ba96a16a4e82e22dc5230

SHA256
96d3d288f04be532b458ac1815e200bffe7e84ac9152da8bada5a62a904f7991

SHA512
92b866eefe2c76ebcbe38e846f2fcc782a9112edc2001d3246de1813a73395714ea923a6e90c0b6555fef7232c3feaed3dae86ced925fe3ab5b9fc35373bd9dc

Download Submit
memory/556-8-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/556-2-0x0000000004E10000-0x0000000004EAC000-memory.dmp

Filesize
624KB

Download
memory/556-1-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/556-0-0x000000007512E000-0x000000007512F000-memory.dmp

Filesize
4KB

Download
memory/556-24-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/2196-26-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/2196-25-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/2196-27-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/2196-28-0x0000000004F90000-0x0000000005022000-memory.dmp

Filesize
584KB

Download
memory/2196-30-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing