ba898f05f347722f00737f2e70d80daa934c102142154ff2a7208a5ae2f4000f

General

Target

8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe
Size

95KB
MD5

8a4010ab205b0d866e3569278dec80d0
SHA1

34feead405b1fd554fa826fd712bb1addc10c4e9
SHA256

ba898f05f347722f00737f2e70d80daa934c102142154ff2a7208a5ae2f4000f
SHA512

1b34ccf7377f778529d87ed57fb9b1be851d912a11e61f0c44f632781598eaff68fe61cacea2fa81a5baf808b7a356e0e81bf74b1441dc941ecf3c0767122e87
SSDEEP

1536:EGqRGbQHSgOTw1BFxnsUdsdBhMgxRFy2kckEUEVvccRPAAXLSYPph/ATvYSByU65:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/AO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	cmd.exe

Deletes itself 1 IoCs

pid	Process
4940	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
4544	rMX.exe
2920	rMX.exe.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\nk.txt	cmd.exe
File created	C:\WINDOWS\VWFLH\rMX.exe	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe
File created	\??\c:\windows\rMX.exe.bat	rMX.exe
File created	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4544	3952	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe	81
PID 3952 wrote to memory of 4544	3952	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe	81
PID 3952 wrote to memory of 4544	3952	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe	81
PID 4544 wrote to memory of 5016	4544	rMX.exe	82
PID 4544 wrote to memory of 5016	4544	rMX.exe	82
PID 4544 wrote to memory of 5016	4544	rMX.exe	82
PID 4544 wrote to memory of 3120	4544	rMX.exe	83
PID 4544 wrote to memory of 3120	4544	rMX.exe	83
PID 4544 wrote to memory of 3120	4544	rMX.exe	83
PID 3952 wrote to memory of 2000	3952	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe	84
PID 3952 wrote to memory of 2000	3952	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe	84
PID 3952 wrote to memory of 2000	3952	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe	84
PID 3120 wrote to memory of 2920	3120	cmd.exe	88
PID 3120 wrote to memory of 2920	3120	cmd.exe	88
PID 3120 wrote to memory of 2920	3120	cmd.exe	88
PID 2920 wrote to memory of 5056	2920	rMX.exe.exe	89
PID 2920 wrote to memory of 5056	2920	rMX.exe.exe	89
PID 2920 wrote to memory of 5056	2920	rMX.exe.exe	89
PID 2000 wrote to memory of 4940	2000	cmd.exe	91
PID 2000 wrote to memory of 4940	2000	cmd.exe	91
PID 2000 wrote to memory of 4940	2000	cmd.exe	91
PID 5056 wrote to memory of 440	5056	cmd.exe	92
PID 5056 wrote to memory of 440	5056	cmd.exe	92
PID 5056 wrote to memory of 440	5056	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3952
- C:\WINDOWS\VWFLH\rMX.exe
  C:\WINDOWS\VWFLH\rMX.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo 0>>c:\windows\nk.txt
    3⤵
    - Drops file in Windows directory
    PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\WINDOWS\VWFLH\rMX.exe.exe
      C:\WINDOWS\VWFLH\rMX.exe.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\98.vbs
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\98.vbs"
        6⤵
        
        PID:440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\90.vbs
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\90.vbs"
    3⤵
    - Deletes itself
    PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\90.vbs

Filesize
219B

MD5
5f4f6dd2b494fe449228b4d86ec04493

SHA1
33e2ba41c0ef6dfd11b4a95a2b64ad6bb5ae53cf

SHA256
51607b70e53a89d620d2f9e6f6c329eb7466c4c0f3fb0376fc759ed25f10ef57

SHA512
fa941716f875aa2128091891655a68c18596ee53979a615d34a0d7a1e5eac7dcd87064fab82a807b60a68d0f2cbe20594795e543a93a920964c2d3b182745930

Download Submit
C:\98.vbs

Filesize
162B

MD5
9f3751d95f7614ef778316696259756a

SHA1
7b629879bfbb01fae3b612ff304e5e5038e78931

SHA256
5e40312a83c32dc5fd40fb3b3385898b14d45eacbc49e2702cac8b25bc44e754

SHA512
5b91250c887061719db8c035718fa3b9059be69c3b7589752528691286d19a2f611eaf9cad44967a6feb2a272947e36eeb8e5d5e1fac110be10e089c7aafd8a1

Download Submit
C:\Windows\VWFLH\rMX.exe

Filesize
95KB

MD5
8a4010ab205b0d866e3569278dec80d0

SHA1
34feead405b1fd554fa826fd712bb1addc10c4e9

SHA256
ba898f05f347722f00737f2e70d80daa934c102142154ff2a7208a5ae2f4000f

SHA512
1b34ccf7377f778529d87ed57fb9b1be851d912a11e61f0c44f632781598eaff68fe61cacea2fa81a5baf808b7a356e0e81bf74b1441dc941ecf3c0767122e87

Download Submit
C:\Windows\VWFLH\rMX.exe.exe

Filesize
95KB

MD5
39c932a1ef77963e29cd40dde476de27

SHA1
a47ad082898a6002b39c2760a39bda6a230bef4d

SHA256
7057189dcdc6abee573f846d43616e7c52fb6cc599d7bb7801e70ca4123857b4

SHA512
a1170a7aca8953433cad2f1c199a2bf964fe637caffc0fa45a6ca4f948fdaf9a3ce4a001abb439ea7713d38f0496253a2220b60ee284238a59bda0405c0b3c11

Download Submit
memory/2920-15-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/3952-10-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/4544-9-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing