43d5c9066b3414a02dabf3a242a57fef7a419f92b859a6cc36df1457ca12ff4d

General

Target

50e0bac116fed8fde98c5a12c4c33150_NeikiAnalytics.exe
Size

12KB
MD5

50e0bac116fed8fde98c5a12c4c33150
SHA1

b71d5c2262546e6e2f09771a1eb903fe9d215099
SHA256

43d5c9066b3414a02dabf3a242a57fef7a419f92b859a6cc36df1457ca12ff4d
SHA512

462c2bd1d715b2c3edc3277e25f8ae4a837d3831825cf48e00cc58ebc14ba6f5a3f424b8cb761302385817ef808602a52cd2cd160e5eaa36220eb17a7ba58917
SSDEEP

384:XL7li/2zHq2DcEQvdQcJKLTp/NK9xa3y:bbMCQ9c3y

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	50e0bac116fed8fde98c5a12c4c33150_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3488	tmp55A3.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3488	tmp55A3.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3720	50e0bac116fed8fde98c5a12c4c33150_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 636	3720	50e0bac116fed8fde98c5a12c4c33150_NeikiAnalytics.exe	85
PID 3720 wrote to memory of 636	3720	50e0bac116fed8fde98c5a12c4c33150_NeikiAnalytics.exe	85
PID 3720 wrote to memory of 636	3720	50e0bac116fed8fde98c5a12c4c33150_NeikiAnalytics.exe	85
PID 636 wrote to memory of 2068	636	vbc.exe	87
PID 636 wrote to memory of 2068	636	vbc.exe	87
PID 636 wrote to memory of 2068	636	vbc.exe	87
PID 3720 wrote to memory of 3488	3720	50e0bac116fed8fde98c5a12c4c33150_NeikiAnalytics.exe	88
PID 3720 wrote to memory of 3488	3720	50e0bac116fed8fde98c5a12c4c33150_NeikiAnalytics.exe	88
PID 3720 wrote to memory of 3488	3720	50e0bac116fed8fde98c5a12c4c33150_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\50e0bac116fed8fde98c5a12c4c33150_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\50e0bac116fed8fde98c5a12c4c33150_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bwgeb341\bwgeb341.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5767.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc74012E08BEB444718B31184E6F405CF.TMP"
    3⤵
    PID:2068
- C:\Users\Admin\AppData\Local\Temp\tmp55A3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp55A3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\50e0bac116fed8fde98c5a12c4c33150_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
2a091fc7e2962c4a87f5eb685f72c737

SHA1
10a4277f18b16bea1d2d24a491361bf7b3d88497

SHA256
6947509281d83fdebb77229cd46aa377fe2511d38ad7a5cf27984fae03be96a7

SHA512
aed1231acf625157fb767e968465312bd5a2f74deb983eff00411a5dce3dc9a23868cf82eea9bf2e1a73f8b79875591cf4dcb2af06f2a24ffb6f406931f26cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5767.tmp

Filesize
1KB

MD5
9903636c6bae088dbfa1fee7170b74a0

SHA1
7397d0a73ba2733aaf20f761c5148feb66e2e17d

SHA256
67c648b2651b087c04a47ab60b49bd0e381be8bc9e5de97fb8bca7f3f75f0651

SHA512
c20e92bccce55c9cbb065f478773463d99d554a04848a8bc2f015fcc6884648c7a20d839e12a2e6edfc94def396568228e5314f4cf10ca65fbcc05863de40445

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwgeb341\bwgeb341.0.vb

Filesize
2KB

MD5
f0490a7643b06b0972fe62ab4aa5eefc

SHA1
8d5f2b302143be3ee1575951eaad72e25672170d

SHA256
3a8d131ee29a30aa0ea769997f3749c660ee5e18160287253d95d508064097a6

SHA512
4ea467851f45beba49917cac1155cd606130c00c82b6222dbcd76a8fb18521007fafce0529760ec520b4bd8fdff77acb1d7dd35f692f4f2c37a41ffbd9c6f574

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwgeb341\bwgeb341.cmdline

Filesize
273B

MD5
bc1e101367ac3fe655a288336c0e7ae2

SHA1
d0d8fefa6a8abb75d1cf780d4db7374ae682d1ad

SHA256
288fa7c4b64cede25614d13f8e75ea766838d6680d70e796fdcd7ec43cc653dd

SHA512
86923a9c84e8fe4ad8d8e313a1972fae9b864a1e2c33b3dbf35e3ecc40f13381a55490bb617bbde07ed098d80574109ea3450d8e6f54b9542c2c8bb8e88e05cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp55A3.tmp.exe

Filesize
12KB

MD5
c5c597ef0024c778fca107b82f20e42f

SHA1
6be47e6ebdc18b91ac16681ad841f6c2339f8421

SHA256
7789f476cbd05fbfe0408a34d4e03e403ce9e296584ec56e12f92d7ac60a007f

SHA512
51426443a87eadf485215519a3773ec6262a69a485c2dd687d69135808c0d5459919363bd7e49bea2374d6817b10a9894065baee9823d3a760b3675b1b90ea9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc74012E08BEB444718B31184E6F405CF.TMP

Filesize
1KB

MD5
2002d826e5f741f007b7f62cb03d240f

SHA1
a7899451f948bd1b4dff58bdc99442c8b765f253

SHA256
28156d1c8c4dba0a1c623a0611eb156852713bb730c138120274538adac77549

SHA512
37ec3c7bb4a6cece6fd6a5961eec7b43ebb9822d970eb940b7cbb2e85dbec2ba9042432e95642576cd1214103b242b1ced497ff7c6d7726386967d7bd38257a5

Download Submit
memory/3488-24-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/3488-26-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/3488-27-0x0000000005160000-0x0000000005704000-memory.dmp

Filesize
5.6MB

Download
memory/3488-28-0x0000000004C50000-0x0000000004CE2000-memory.dmp

Filesize
584KB

Download
memory/3488-30-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/3720-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

Filesize
4KB

Download
memory/3720-8-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/3720-2-0x0000000005650000-0x00000000056EC000-memory.dmp

Filesize
624KB

Download
memory/3720-1-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/3720-25-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing