bf4df26c501657e16c92921fa9ffa226fe4b1fd5ef5fc4c5cd15c278b379dd9f

General

Target

23b7fc79cdcb58ac973ab2d521a896c0_NeikiAnalytics.exe
Size

12KB
MD5

23b7fc79cdcb58ac973ab2d521a896c0
SHA1

fbbee1660853733d99e236f7b63e82a9e4f711b6
SHA256

bf4df26c501657e16c92921fa9ffa226fe4b1fd5ef5fc4c5cd15c278b379dd9f
SHA512

d6688dd76d347f438426f36ff95e4a7c32d1dc010ec05660ab09a626df097856918135bb088f80b2390cbe629a6786ac1a0514e928fdfd4a97c4c32c00a82726
SSDEEP

384:aL7li/2zcq2DcEQvdQcJKLTp/NK9xagj:EwMCQ9cgj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	23b7fc79cdcb58ac973ab2d521a896c0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
4948	tmp47C8.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4948	tmp47C8.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	23b7fc79cdcb58ac973ab2d521a896c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 4784	4540	23b7fc79cdcb58ac973ab2d521a896c0_NeikiAnalytics.exe	81
PID 4540 wrote to memory of 4784	4540	23b7fc79cdcb58ac973ab2d521a896c0_NeikiAnalytics.exe	81
PID 4540 wrote to memory of 4784	4540	23b7fc79cdcb58ac973ab2d521a896c0_NeikiAnalytics.exe	81
PID 4784 wrote to memory of 2536	4784	vbc.exe	83
PID 4784 wrote to memory of 2536	4784	vbc.exe	83
PID 4784 wrote to memory of 2536	4784	vbc.exe	83
PID 4540 wrote to memory of 4948	4540	23b7fc79cdcb58ac973ab2d521a896c0_NeikiAnalytics.exe	84
PID 4540 wrote to memory of 4948	4540	23b7fc79cdcb58ac973ab2d521a896c0_NeikiAnalytics.exe	84
PID 4540 wrote to memory of 4948	4540	23b7fc79cdcb58ac973ab2d521a896c0_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\23b7fc79cdcb58ac973ab2d521a896c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\23b7fc79cdcb58ac973ab2d521a896c0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w3xxgrpy\w3xxgrpy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES494D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc900F2A768ACB46D497A0DE1ABA65E549.TMP"
    3⤵
    PID:2536
- C:\Users\Admin\AppData\Local\Temp\tmp47C8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp47C8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\23b7fc79cdcb58ac973ab2d521a896c0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
5e9c20adfe36b65d3a5ca8a756033ef5

SHA1
63c1a0857868ce68b1108ae2af1b6943f7197b0a

SHA256
4284cd13db1a9e571a369c063c0a65f8ebda5d961bc480091b34d3f6f9a48bc8

SHA512
9e9efad5dc3e8fa366025bf2fcd7918b6a68f01fb0ff0e82ebcd6663b6c29e52089b75f1faf6864ff1a163989654f1438c3897d05446eddf4f056acf56cb02a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES494D.tmp

Filesize
1KB

MD5
9174de48cf48ff38b9818d7f8cf5fbdf

SHA1
27e2c469c4d112f44bd1aaeab21667587f6e2040

SHA256
85ee47877791b8a6ac8ac34ec46652341d8ab2cb2c0d140e1c72e06cef5a73fd

SHA512
b6f5723028e3f945ccb7896b83191bcd7fbb2d16a0a53383518361a6b0ca00474c0008dfef303cc0ef2dea8715987af7bd5add200ae1b3ddab0c358ac7f2bfaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp47C8.tmp.exe

Filesize
12KB

MD5
56717d0220545eedfd165a8d28022ac6

SHA1
27a4148ee1c2daa6e7e35256fd087a8e75213385

SHA256
650b5e9c03a179cc2ce1b402d2971378fe00536c5e05315de5f040a35cd3bdcd

SHA512
55c602aedc80d4b096616612cbb752554539250edd2f3b3c72a5cd0797b7120ba6f00e240a3cc6b978265cef4f4926be4618e9c6c6081485f0d89667c7c60f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc900F2A768ACB46D497A0DE1ABA65E549.TMP

Filesize
1KB

MD5
7160630ac5322431101cfebe2db3307c

SHA1
c91b1a6295e594c84bb890d0f81c906d95c00b42

SHA256
3b5e363ad0d9d0faf1e560ec0cb90f212ab62ac72d0776fbd4acff6aa16718d5

SHA512
f2b818db2379f1cdddfe04a0516dffd520ab05f4246465ee0d69538546f8e24a6281a294af0061785c3bbd69c45ebe1094507240817e6f2442d527d745b712ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\w3xxgrpy\w3xxgrpy.0.vb

Filesize
2KB

MD5
69faa0cbe05d0862b200d88ebf252321

SHA1
bea08be44c571bc83fd31b14c7486c50c5aeca33

SHA256
8359654d508964f0422b8436ffb6f05750341e2a942084721aae8b0855f59249

SHA512
d7137e526c3d2e45680befb884a1c28f8d50ecc263aafff6fa4b9ae0de22e6222fd4bfe4605eeae05b3731fe0048b7f077f7c7f2342bda4c0b73929121218d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\w3xxgrpy\w3xxgrpy.cmdline

Filesize
273B

MD5
1fc708969b89326b55fcdd8321737e77

SHA1
9c62050654b4bb75636216f6c04ecbd3b10e2733

SHA256
716bbc68122452c512a6d2241fcfab60ae28ae4f2ce3cc12933e1c1f6537d887

SHA512
e316a91059a4d76e1988568095afdfbd698e402cb93d684482ea4383f66df65ef92ec071442c8227ef09af22d37b338d0abb8e75bdbc98f99bf01cd85b4fe4b3

Download Submit
memory/4540-0-0x000000007501E000-0x000000007501F000-memory.dmp

Filesize
4KB

Download
memory/4540-8-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4540-2-0x0000000005150000-0x00000000051EC000-memory.dmp

Filesize
624KB

Download
memory/4540-1-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/4540-26-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-24-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-25-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/4948-27-0x0000000005370000-0x0000000005914000-memory.dmp

Filesize
5.6MB

Download
memory/4948-28-0x0000000004E60000-0x0000000004EF2000-memory.dmp

Filesize
584KB

Download
memory/4948-30-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing