Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 06:21
Static task: static1
Behavioral task: behavioral1
  Sample: 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe
Size: 12KB
MD5: 652132d22858cf85b4cbf387f759abf0
SHA1: f6f050cb751575ffbd04c43fb104f3776d05a49d
SHA256: 2368452b449f64cc18419028e1c42ae095e4af3f3ff729d0600b4adf0b52c4e5
SHA512: efbe671dedc2d1e2000e03918f239a46cdb900700a83877b91692413d77e10d4cd62388437360dc09bb17ba3d44c295e177848d229afa50d52d1e4dd4bb344e8
SSDEEP: 384:BL7li/2zAq2DcEQvd2cJKLTp/NK9xa1V:hMM8Q9c1V
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
  Process: 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe
- Deletes itself (1 IoCs)
  pid: 1016, Process: tmp4F79.tmp.exe
- Executes dropped EXE (1 IoCs)
  pid: 1016, Process: tmp4F79.tmp.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege, pid: 4396, Process: 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       | pid  | Process                                              | procid_target
  PID 4396 wrote to memory of 3808  | 4396 | 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe  | 85
  PID 4396 wrote to memory of 3808  | 4396 | 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe  | 85
  PID 4396 wrote to memory of 3808  | 4396 | 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe  | 85
  PID 3808 wrote to memory of 4356  | 3808 | vbc.exe                                              | 87
  PID 3808 wrote to memory of 4356  | 3808 | vbc.exe                                              | 87
  PID 3808 wrote to memory of 4356  | 3808 | vbc.exe                                              | 87
  PID 4396 wrote to memory of 1016  | 4396 | 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe  | 88
  PID 4396 wrote to memory of 1016  | 4396 | 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe  | 88
  PID 4396 wrote to memory of 1016  | 4396 | 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe  | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe"
  PID: 4396
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uhgkdyfg\uhgkdyfg.cmdline"
    PID: 3808
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES511D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3302DD3A9AEF4D5A888576C7D0AE9C71.TMP"
      PID: 4356
  - C:\Users\Admin\AppData\Local\Temp\tmp4F79.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4F79.tmp.exe" C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe
    PID: 1016
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads