Analysis
max time kernel: 143s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/06/2024, 03:41
Static task: static1
Behavioral task: behavioral1
  Sample: 5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: 5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
Size: 12KB
MD5: 5b8124efa3870bf2ca1af51ca7bec250
SHA1: 2997343e5d15fe6adb8fec6786dcb7cce1c59092
SHA256: 556b8d92546fa667f592c958ec2575e2d4a9702faa7e480effe433fe92d06b53
SHA512: 334b6ca2a7b6b6b66c8da58b8e545d1a902f3ac832735f3066843d9575776074ab65cb309344d9b2df298a0df5fab0da740e6a57902e3657140e820cfbaf9ea9
SSDEEP: 384:BL7li/2zcq2DcEQvdQcJKLTp/NK9xaz1:hYMCQ9cz1
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  Process: 5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
Deletes itself (1 IoC)
  pid: 4708
  Process: tmp1190.tmp.exe
Executes dropped EXE (1 IoC)
  pid: 4708
  Process: tmp1190.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 372
  Process: 5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                              procid_target
  PID 372 wrote to memory of 3468    372   5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe  91
  PID 372 wrote to memory of 3468    372   5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe  91
  PID 372 wrote to memory of 3468    372   5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe  91
  PID 3468 wrote to memory of 1380   3468  vbc.exe                                              93
  PID 3468 wrote to memory of 1380   3468  vbc.exe                                              93
  PID 3468 wrote to memory of 1380   3468  vbc.exe                                              93
  PID 372 wrote to memory of 4708    372   5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe  94
  PID 372 wrote to memory of 4708    372   5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe  94
  PID 372 wrote to memory of 4708    372   5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe  94
Processes
C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe  (PID 372)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (PID 3468)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ayslngl1\ayslngl1.cmdline"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  (PID 1380)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3DABE817A08B45D5B9FDAFC7F165D595.TMP"
  C:\Users\Admin\AppData\Local\Temp\tmp1190.tmp.exe  (PID 4708)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1190.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
    - Deletes itself
    - Executes dropped EXE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4100)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads