384787235065f529d81f53826c0f9d34ebd52c1643250e64d1911faea633cc3b

General

Target

4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
Size

12KB
MD5

4edb786a77b0bab6829d8a6b570d60f0
SHA1

11f5d60f4acc562fcf145d9886cdcbd8539885a2
SHA256

384787235065f529d81f53826c0f9d34ebd52c1643250e64d1911faea633cc3b
SHA512

45230eee011f32f75ff775c83d92a219ac9576567e3254fc479385ec121dbd0caca1f04648dd7c5ff5def568971f97c38cfc328fd5074f98f9bd91ae3cdc3805
SSDEEP

384:GL7li/2zNq2DcEQvdQcJKLTp/NK9xaPA:g9MCQ9cPA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
5032	tmp40C3.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5032	tmp40C3.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 4740	2104	4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe	87
PID 2104 wrote to memory of 4740	2104	4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe	87
PID 2104 wrote to memory of 4740	2104	4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe	87
PID 4740 wrote to memory of 5008	4740	vbc.exe	89
PID 4740 wrote to memory of 5008	4740	vbc.exe	89
PID 4740 wrote to memory of 5008	4740	vbc.exe	89
PID 2104 wrote to memory of 5032	2104	4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe	90
PID 2104 wrote to memory of 5032	2104	4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe	90
PID 2104 wrote to memory of 5032	2104	4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gewrzlfr\gewrzlfr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5DF3EAC966BC428DB02DC1725244492.TMP"
    3⤵
    PID:5008
- C:\Users\Admin\AppData\Local\Temp\tmp40C3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp40C3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
7665274363a0be54977172a3009859ed

SHA1
a56cdcd8bf95094f4bd0da74a600a9ae75d198bf

SHA256
3f8067875728b43b5b6325920d67c59a8228d309208851e1ef9d928ef4cd1243

SHA512
610821b24b1a68874563bcd997b9bec2811d6fdbede2cb86f773da142ccc14c30294f52c9a74c3e5c06f259a22189831388a2496507fc32ab4e043de13b3d1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES41DB.tmp

Filesize
1KB

MD5
e36c597863214be11400dd6cfed8e53e

SHA1
d2d2e1f059c52ae85ced5f6633b98cf23263c425

SHA256
548ba3ac7f217ef845d7271f30532a2971e6c6be8feff7f455ee63bae1e8492d

SHA512
dd00600f4459e3a5ebec3ca85da88620cc9777958804630586719a469c0377fd31563f5558081966747aec6b0830ac4f70377a5b06265d047c317ee4d7b612e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewrzlfr\gewrzlfr.0.vb

Filesize
2KB

MD5
583d0003540c746f3a0bdf53d7165256

SHA1
ffe6abe3906c630b7e4c2bdacab8665b2d7fa97e

SHA256
f0355d615a41ed84cdc8f72a395038c1c4da76f4aa47a8df29f2cdd8384c3a53

SHA512
5e6ed0d1744c10ba499c40eb05741b1aae7d2a8ed4abd1a2251fa78a1da8f36ebf37df9d72ebfc8f55e6d2764403ce9e22d4e5179366d920071eddb4c112612f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewrzlfr\gewrzlfr.cmdline

Filesize
273B

MD5
774c32d1e6b8b3f39717effe472f40c4

SHA1
f629990c03921a7aa7dfa1c651abc85aa9134c3d

SHA256
5b77c56ccef6dfa0964c5d5646d32f5a0e2aeaf57fc3dcce3f1c9007d6d4e0d5

SHA512
e5cbc45e29381131b39c54621ca88a8fe415ff8876b895390ee698cd89566e7ceb305991009b5400088e56cdbb260cc7d0d80a51206a647a0478a4af00561e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp40C3.tmp.exe

Filesize
12KB

MD5
3f2bcd0db5c4d81f345be3550755631b

SHA1
eaca9621df5045e0eaf762f6431111ae7a3d443f

SHA256
2fbf14d82e3bf6660f69f1b6434a14fe8fabc0294abee395707b3c0314fef864

SHA512
350c2a1d79bf33adf6f1d0d9c3c7dd4f18ff0c66f179db739915785f90b831255e416631bf3b6308fed5f3ed7cf08402fb0629d5423e60b8cb4c5e8433e8de90

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5DF3EAC966BC428DB02DC1725244492.TMP

Filesize
1KB

MD5
90b063e776c8f8555c2d9d0523bc6d7f

SHA1
d4e4a53425e27b47389465d437b23db4b487ae2a

SHA256
9c3b9987f24ed16543b52cf2b5c41bbb47a57db7954b901b688518abe30cc89b

SHA512
72a7bde739a8e974dec6e71bc1d1f53ca5145b438918a29e24d7a01bd04958d928a8b92c6e9497914ca93a7bb6aa822d9382aaf18c3dd9a1e19a5eb46af84e0b

Download Submit
memory/2104-8-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2104-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/2104-2-0x0000000005030000-0x00000000050CC000-memory.dmp

Filesize
624KB

Download
memory/2104-1-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/2104-24-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/5032-25-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/5032-26-0x0000000000010000-0x000000000001A000-memory.dmp

Filesize
40KB

Download
memory/5032-27-0x0000000004EF0000-0x0000000005494000-memory.dmp

Filesize
5.6MB

Download
memory/5032-28-0x00000000049E0000-0x0000000004A72000-memory.dmp

Filesize
584KB

Download
memory/5032-30-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing