b5a10f8d385bb9c879dfed2d952439ca11cc9657afa81b2bf5063449754f0356

General

Target

89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe
Size

12KB
MD5

89cac77108584710e33661b9cd4c9cb0
SHA1

a9e3b4e6ccd7fef25316149cc9f3021b1caf686c
SHA256

b5a10f8d385bb9c879dfed2d952439ca11cc9657afa81b2bf5063449754f0356
SHA512

8202064c019e641d9ce85528bc62c5a8c05bbe7b36e3fbd68cc51ce6428675c7821e2023554d1257bcde1cd757d9eb9be08425036852d777cbbb385866f8eda1
SSDEEP

384:2L7li/2zcq2DcEQvdQcJKLTp/NK9xaPR:wYMCQ9cPR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2704	tmp5267.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2704	tmp5267.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4388	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 2912	4388	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe	86
PID 4388 wrote to memory of 2912	4388	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe	86
PID 4388 wrote to memory of 2912	4388	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe	86
PID 2912 wrote to memory of 4952	2912	vbc.exe	88
PID 2912 wrote to memory of 4952	2912	vbc.exe	88
PID 2912 wrote to memory of 4952	2912	vbc.exe	88
PID 4388 wrote to memory of 2704	4388	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe	89
PID 4388 wrote to memory of 2704	4388	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe	89
PID 4388 wrote to memory of 2704	4388	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\545faqb5\545faqb5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES537F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6449B3F499B440F9953672EBA75B93B.TMP"
    3⤵
    PID:4952
- C:\Users\Admin\AppData\Local\Temp\tmp5267.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5267.tmp.exe" C:\Users\Admin\AppData\Local\Temp\89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\545faqb5\545faqb5.0.vb

Filesize
2KB

MD5
a70992d43eb9d24eb87888a538686506

SHA1
804038391e87453695cfc70dd9f612b131124c2b

SHA256
3fcb4b7ebd4a02a827513c003786524bf7454d601890bd9760ed6e94bfbfd63e

SHA512
cd2b209217fddd941082d4b4cfad2e80e3906c91f87d2f68087bb147f06eaaf9e5153e4bb2b734f7f02afb85043426411661f570513a4e21f731c06ebb606553

Download Submit
C:\Users\Admin\AppData\Local\Temp\545faqb5\545faqb5.cmdline

Filesize
273B

MD5
5d7450faa6af4ae6b4e21e2917e6d58b

SHA1
676f69cf1e9c494a6e3214bd5b47dfe3087e8ab0

SHA256
eb7ef2d0d77c502f78c3b071b1dc98c1c73e8d38758d69752ba846a6e014b45d

SHA512
fde905a05a44c257ed64eeee71be6318c9e1ab2ce409fa58aa7b65f78eb15e5a5afd20682fa653ee4fa178a921083b370d88a22ede0a1a462012bd8ff7c32b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
eabb16ba774dceb67be50bc773cba4d3

SHA1
b97fe47de339b96cd4c507fd21a75196ed47dce2

SHA256
7da0c6486285f72685113c3a9233a125656b5fc6faca95551701f8d088e34abc

SHA512
f04e6943d33b9408b694b65402eb8a3dc6694cfee9ef354b643360d4f143eff1b5c25b9da0f19ecb0088a2579db35ea33de8bc112c0b41bb661fa3e43ec2b2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES537F.tmp

Filesize
1KB

MD5
0a7e3dcc242b90ba12165268e7a13e1d

SHA1
a5d90f27780c8b9642a597b95cf037139f7967a1

SHA256
08e98c814ac41492f3fad940d3bd19998d59b6230b0b874491ce4ca4d6a2bd2a

SHA512
45b980f9909b0af059bcdc5f2603aecdf22c0469e0b2e11e235da4ff9f2ef0a00735f93852b9b302e300b3f159f05b36833eed01ee67385b5b3e36cb9c637237

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5267.tmp.exe

Filesize
12KB

MD5
b4f4ce13491a6b216e938b7d1138a796

SHA1
69e02a17f2f085bb860501600c119889bf331ab3

SHA256
272987eae22758cd96353de077055a92327b50a13b211c16607227e95748dc10

SHA512
752e61ab54284b25268a707ba49086c304864d25b276c48ea2dbd717a5032ec273ef72fbde56a5234f25bcb48419f094bd883c99bab9aa74f7763194aa21897d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6449B3F499B440F9953672EBA75B93B.TMP

Filesize
1KB

MD5
863f24609a900a5bc6ceb79fd188c859

SHA1
2e4721c9fdfe10004d5acf2e3e6f2b1c78f1059e

SHA256
f0bfd9464de8e0d6403706a8f716be9a680bded14c8d67cb4501b846943a90c8

SHA512
5cf8080d1c56873702e501990797ebbdd09eaa3dfae01b77595e7d6bdb8c426bb34ad0d023ac31fa81faef6585ab15dd17c20c4e6b60a9b30b595a229455f4c8

Download Submit
memory/2704-26-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/2704-25-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/2704-27-0x0000000005470000-0x0000000005A14000-memory.dmp

Filesize
5.6MB

Download
memory/2704-28-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/2704-30-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/4388-8-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/4388-2-0x00000000055A0000-0x000000000563C000-memory.dmp

Filesize
624KB

Download
memory/4388-1-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/4388-0-0x00000000751FE000-0x00000000751FF000-memory.dmp

Filesize
4KB

Download
memory/4388-24-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing