64c922a3c65dd308d01f3645ae1130232977edf15cdb78161b6c970e75057e58

General

Target

6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe
Size

12KB
MD5

6bf774975ae31a31d05c2ef0fa287e60
SHA1

21339fdb144f33499be80b667ce8a0e601a64f2e
SHA256

64c922a3c65dd308d01f3645ae1130232977edf15cdb78161b6c970e75057e58
SHA512

e9ca6e7c5754b88c0bd89399496399f28f0eb0b6b59dab9d3aff34cb7b4139f16f5fb7207df44c8a0357050625674b03d085e55da2e6be21840d62ee04c7ed07
SSDEEP

384:8L7li/2zbq2DcEQvdQcJKLTp/NK9xasH:a3MCQ9csH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3800	tmp42F5.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3800	tmp42F5.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 3856	2520	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe	80
PID 2520 wrote to memory of 3856	2520	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe	80
PID 2520 wrote to memory of 3856	2520	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe	80
PID 3856 wrote to memory of 928	3856	vbc.exe	82
PID 3856 wrote to memory of 928	3856	vbc.exe	82
PID 3856 wrote to memory of 928	3856	vbc.exe	82
PID 2520 wrote to memory of 3800	2520	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe	83
PID 2520 wrote to memory of 3800	2520	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe	83
PID 2520 wrote to memory of 3800	2520	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe	83

C:\Users\Admin\AppData\Local\Temp\6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dl0xilly\dl0xilly.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES446B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61CE10C4BE6B4FE19D584A98D63EA664.TMP"
    3⤵
    PID:928
- C:\Users\Admin\AppData\Local\Temp\tmp42F5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp42F5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
6f63656b30980c181bf9785042c3df2e

SHA1
edad8c63d8619159d9f73b2aeb5417179b3583f4

SHA256
49add966096d03db707f8140e1d3aad928a7c6d5abfc84a2b1cbe48a702ca966

SHA512
cdc1cf8f05500b4431e4fd408c06e3ba50efc325652bf5df015204799e0f769511bdcd2f154923116486b501e6a60b7e0ca40d12e697abd0048e4614a1759cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES446B.tmp

Filesize
1KB

MD5
fe85ab8ef451ab1d9baa5cebd304b8cd

SHA1
b1f1fb8ee1fc98b7f7f12f9ccedb432c58d9d10c

SHA256
ec27a4c1654af4206d3e3eed4140cc98ea4b4041c6bb438812eed392911ac420

SHA512
9ddaba3e1b817616b9ed7a7aae9772f5d4f1a7cd7d2ec61802e34135d653cdc5ad41a86b840b1eb1b95753e67106d4ccc619435b33de2271e62065da14617221

Download Submit
C:\Users\Admin\AppData\Local\Temp\dl0xilly\dl0xilly.0.vb

Filesize
2KB

MD5
6d33df2791485bccef465d7c493a0486

SHA1
872b4dd299a2b446f67bd11924e27e5f3e7cd733

SHA256
57c0b4dd5a264b9843720b79fdd1f4653fede02ad9642e52c4e3ee453ef17716

SHA512
7e725fdbc2423a909d19be1d90a5e24ca28cf3be80b137784795799583775640deddb01a7395f21d6d405a591c8d7da5dc10e8067e2eaf4d763460867846c8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dl0xilly\dl0xilly.cmdline

Filesize
273B

MD5
1107fd429b23ecd201ceaaad63030e40

SHA1
532fe6d9978ac5466749cb2194178609d3ba001f

SHA256
d4572e803fba8f269f9bf681654007aa9b2daa53df5f5b79a1f529fa2a33d488

SHA512
37ddc9bfc876f8c3520634b69ffda6b1ac8cee64b13e00346245dbb65cb1570dd80417f7872f863e6b165947e6f7aa64fc15e08805cd0ac5ed2765e1ad424120

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp42F5.tmp.exe

Filesize
12KB

MD5
2cef22f4798e045cab22df62cd2f92ff

SHA1
a26af8d848fbc6ead2a742ef419138cbbd411778

SHA256
ac13764e7cb569cdb0dbfb1067785ab2e8204cdbdf5afff5cbbc39ad0c6f85e3

SHA512
51eae46f487dbfd78a9e5e068d61d4ca7aa334cbab67fba2672b6ea16b5d213a2b9de44ea7896238caa69af8bfe37e3c5fc76c33d12e9bf86f52f01dce53912d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc61CE10C4BE6B4FE19D584A98D63EA664.TMP

Filesize
1KB

MD5
eb44d2203c0e2fda727d3fd38a1fc24d

SHA1
9992432b73cc4f721d796a2d21b621f56f0b5816

SHA256
94500812889102e90ed08f57ffddcc770769eeb34791a2d9ba1d4554e1d98bca

SHA512
ded37761352385ee3daf050308392f96f96ae749beffb5dc65db31d78d208a366ef6fbdfd0a942263de7cdf40cf04234b984b47ed4e86b8123540c7b767b3a74

Download Submit
memory/2520-0-0x000000007473E000-0x000000007473F000-memory.dmp

Filesize
4KB

Download
memory/2520-8-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/2520-2-0x0000000004C50000-0x0000000004CEC000-memory.dmp

Filesize
624KB

Download
memory/2520-1-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2520-24-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/3800-26-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/3800-25-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/3800-27-0x00000000050E0000-0x0000000005684000-memory.dmp

Filesize
5.6MB

Download
memory/3800-28-0x0000000004BD0000-0x0000000004C62000-memory.dmp

Filesize
584KB

Download
memory/3800-30-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing