243bd42b2a883ba51b44cd90d5648ed4b149f58ff1ba4d8eb5df2bbc5721e379

General

Target

1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe
Size

12KB
MD5

1bab34f9317220f9877519d8f32b3600
SHA1

2c1e7b8835d1654811ccbcbe3c82df237364ffad
SHA256

243bd42b2a883ba51b44cd90d5648ed4b149f58ff1ba4d8eb5df2bbc5721e379
SHA512

c4c2c48aa360db23d1d4e2efbebd84f778d2da3f34c909626ad0afa1209a14286d3c653dd0a3d217d81a9b8ab4dcac83c7b58f9a322c78c08824ad7c9cd21666
SSDEEP

384:PL7li/2zBq2DcEQvdhcJKLTp/NK9xaG7:jpM/Q9cG7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4760	tmp45A5.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4760	tmp45A5.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3660	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 4828	3660	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe	81
PID 3660 wrote to memory of 4828	3660	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe	81
PID 3660 wrote to memory of 4828	3660	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe	81
PID 4828 wrote to memory of 940	4828	vbc.exe	83
PID 4828 wrote to memory of 940	4828	vbc.exe	83
PID 4828 wrote to memory of 940	4828	vbc.exe	83
PID 3660 wrote to memory of 4760	3660	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe	84
PID 3660 wrote to memory of 4760	3660	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe	84
PID 3660 wrote to memory of 4760	3660	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m0ouaukn\m0ouaukn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES471B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98CAF8E49854416E92E8DD71788AA8.TMP"
    3⤵
    PID:940
- C:\Users\Admin\AppData\Local\Temp\tmp45A5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp45A5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
2a3d4448aae24f7f73988bd942f816b3

SHA1
a89e523ebfe4b0f2d460d752da548e0fa8c3414e

SHA256
f4c019eb4cbbf3f193f827babdd7c1b5b16b176773e5d02e4fb4c287f3447a34

SHA512
4f05dc7ff0356f52a062e0b52f1c4623d4cfb14b6b1202977555473331cb7381ace4cc3703156ee1bbf4d54438d8fd7379b80185bc31b0ee6de3259387493e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES471B.tmp

Filesize
1KB

MD5
98bf16dfd1a75fad53f530611a389b14

SHA1
9f7adc7c0f5c7cc1489eb3dae199659deef2ae03

SHA256
a89ec2a9e9a0d807f65c9261e18c6dadd3a5b9400dcd903ea9242c12ba5c30d5

SHA512
1558261fb88452764bed05f54507818c69b22cc7fa5bb37d8d5b0940da1cc5c337cfd90f81e28b83b28f9d4fe95bb286c06c78426cbc2aa0364972bc1c11293d

Download Submit
C:\Users\Admin\AppData\Local\Temp\m0ouaukn\m0ouaukn.0.vb

Filesize
2KB

MD5
5d2b4305f9434c53437f6223ce6d690f

SHA1
d460cff960a1bfe1d1aef6bdbf9c730a11127750

SHA256
37f5832b2d78b10a24c768b693f537907a2f05a2453d47998a53bc8990aca466

SHA512
e365eeae6fa243329f8d82a789af26d2f40e9dbbb9da6405dbe0009d26a07f73674af645f0723079d319f35406aa189c5a0f2988c6ab4e079d6ba8b0dfa6066d

Download Submit
C:\Users\Admin\AppData\Local\Temp\m0ouaukn\m0ouaukn.cmdline

Filesize
273B

MD5
cff0753ca1232c7e6b7ceca5529f7121

SHA1
58a10730e1cb70ed2779a280492cbba7f313d4b3

SHA256
04dafcbc7397424a44d5ea41c0af481a09939e25fc953ce5b3f9a69647257a95

SHA512
417174b390b217805364ae3944c6a144cca0892cf42f4ee7747b4a111645ec17cb6e6085d89f3e13fedf316801340f3239587faaaecbcea96813c9151c164546

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp45A5.tmp.exe

Filesize
12KB

MD5
9fc88b3fa49e1bee59d00499b1689a86

SHA1
f89df8b26142df02f28c47b570579ea3ca428e30

SHA256
e92a09f40434dcacd36f461bf722ee82908acfb1987b087ab0e8fdeab4e21b48

SHA512
291ce77742c8b98cc84078f40c8e58fe046cbfd57f662556fac0151f15cde89fb55d10d315f26384eb8b1b46aa87bfdf5ccbfff8b3ac0b35f25b6e4bcc03c466

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc98CAF8E49854416E92E8DD71788AA8.TMP

Filesize
1KB

MD5
8d750265c439a6bb98954c1dad5f4ed4

SHA1
3338f8e4f4e370ffd780737d1c840b80c145cf9e

SHA256
58cc3a47697ced74103b416b21cd03d68f83278eb26b5aca836ea7a4039af67e

SHA512
f25ae00ee21abbaac0d2282f6663df8f8785aae49e5d61f5a3c65923eff261710903f17072feaffc304451cd4b1c689259c9edec9cf4a2083c4fd590f5360935

Download Submit
memory/3660-0-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

Filesize
4KB

Download
memory/3660-8-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/3660-2-0x00000000049D0000-0x0000000004A6C000-memory.dmp

Filesize
624KB

Download
memory/3660-1-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/3660-24-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/4760-25-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/4760-26-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/4760-27-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/4760-28-0x00000000050A0000-0x0000000005132000-memory.dmp

Filesize
584KB

Download
memory/4760-30-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing