c6b4502bc8d09c80c6938808900478b7a32dcc5830a41008811156cf39e36ea2

General

Target

6f9c1b148efa471868d58444fc950d00_NeikiAnalytics.exe
Size

12KB
MD5

6f9c1b148efa471868d58444fc950d00
SHA1

cb13ebc1884e22824c8fd75e06d05f062da3ab69
SHA256

c6b4502bc8d09c80c6938808900478b7a32dcc5830a41008811156cf39e36ea2
SHA512

9d0aae77a654bfd78f2f33e1b41696a95ad7b13ebfc26eb5551133d44e10bbc1796543624a40a9eb0edb3d2bfcd793984c877c4e6ea8d80621b73e5c36a1b18a
SSDEEP

384:iFL7li/2zpq2DcEQvdQcJKLTp/NK9xawc:iFxMCQ9cwc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	6f9c1b148efa471868d58444fc950d00_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3296	tmp6562.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3296	tmp6562.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4252	6f9c1b148efa471868d58444fc950d00_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 4236	4252	6f9c1b148efa471868d58444fc950d00_NeikiAnalytics.exe	81
PID 4252 wrote to memory of 4236	4252	6f9c1b148efa471868d58444fc950d00_NeikiAnalytics.exe	81
PID 4252 wrote to memory of 4236	4252	6f9c1b148efa471868d58444fc950d00_NeikiAnalytics.exe	81
PID 4236 wrote to memory of 3516	4236	vbc.exe	83
PID 4236 wrote to memory of 3516	4236	vbc.exe	83
PID 4236 wrote to memory of 3516	4236	vbc.exe	83
PID 4252 wrote to memory of 3296	4252	6f9c1b148efa471868d58444fc950d00_NeikiAnalytics.exe	84
PID 4252 wrote to memory of 3296	4252	6f9c1b148efa471868d58444fc950d00_NeikiAnalytics.exe	84
PID 4252 wrote to memory of 3296	4252	6f9c1b148efa471868d58444fc950d00_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\6f9c1b148efa471868d58444fc950d00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f9c1b148efa471868d58444fc950d00_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\njx3qvxg\njx3qvxg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6707.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA80AC9961B1A4083AB66A8287E756F6.TMP"
    3⤵
    PID:3516
- C:\Users\Admin\AppData\Local\Temp\tmp6562.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6562.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6f9c1b148efa471868d58444fc950d00_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
644aba633cee0affc070df961d9465ad

SHA1
7bfc5aca04c9138ce918db85ad91cc0a41972521

SHA256
5b75319dfe403126715fcf2834314701c632f038f54c8c0aa5df9abaedf3aa67

SHA512
c635748e5ea3a26b273c9d27fdd68291d1868d6f6df10396b3e287e510f0e0536d2f1384cf073aaa41415a7414385d9aef030eef39138244b38b43b2f5b698a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6707.tmp

Filesize
1KB

MD5
2dff81d8cbccb22de75c3adce2bc9e53

SHA1
89d6e3350adf2172fc07e5745a5a2c0463b311be

SHA256
8e5df460e573010c1c0b1b1e718264cb1a48a09cc34c1bcc5a0d914b185cbce3

SHA512
0be4e12b8bc01789c2214d6d349c674ae55c7e55a15a87e7f5f60a718ecab5a037c67a3e706168d9bbe16ddf6e39d0c41799e1a71e3131598244b98cb688d7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\njx3qvxg\njx3qvxg.0.vb

Filesize
2KB

MD5
5faccdbce98e3a9164bafe77cc032801

SHA1
9ad84c37fc31aa9335c37b352fb9546c3c0ab658

SHA256
6c4b9c5ddb126fee4563252387fb31ad573dd7faccbec9ac1aa8b035fd6268db

SHA512
98da22b46d75fc04ac34b2802f8ea0f2013d9049ce0eaec56092f43549996d43cf160a2a7579ff241b3b73e23bebcaa6889b16d3c9b3615fc91ed6149a8fea42

Download Submit
C:\Users\Admin\AppData\Local\Temp\njx3qvxg\njx3qvxg.cmdline

Filesize
273B

MD5
99ec20995e598294d558437445936675

SHA1
1c7bf401d5a1990473d2a4cc1e865cf3704a62ef

SHA256
258b574fc591710ab6fe7eadb23c778559f110ba991d6a00aa864dd93391659c

SHA512
ee1f3afe18b79415a138de8b1f5d65fca05ce00d4af19c7a40f038f67e3c34cfee6a93d7801468e8829303478985775d3838eed29e1e7359a502b7c1f7937c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6562.tmp.exe

Filesize
12KB

MD5
f57d451c7580b0adbedad00f5704833f

SHA1
a05687d11a0a6a66ba7dd37ef4529cc0bce36c6f

SHA256
0306cce228cd014a485e6d409e69c011291aa569ad67fa28422ddcf73c803b8f

SHA512
6748920516c30a81c89171f0af89f8cadd084b68e0d42c2cf625cfe6249c6a4aaa6589e17f36d28e36ad15d04dcd771b2e94e3661a23d692707a1434486c184d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA80AC9961B1A4083AB66A8287E756F6.TMP

Filesize
1KB

MD5
402d725eed447b66580c63c1b788d2f9

SHA1
0ab86138c4d97f6e3f544680a0d826ebeeb0e435

SHA256
664ee0f96eb2f62989eac9e1143af50efa9f21353b719909ffce4ff8ab2097ec

SHA512
b82771352ae1db2c90b13feaa4263a05620dd2a6d2fed8e71a9c9315f66b838c996cad8121a439e272271d7396c220534b725195d66d3f0fa59d53b922c08bb7

Download Submit
memory/3296-25-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/3296-26-0x0000000000970000-0x000000000097A000-memory.dmp

Filesize
40KB

Download
memory/3296-27-0x00000000058D0000-0x0000000005E74000-memory.dmp

Filesize
5.6MB

Download
memory/3296-28-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/3296-30-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/4252-0-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download
memory/4252-8-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/4252-2-0x00000000057C0000-0x000000000585C000-memory.dmp

Filesize
624KB

Download
memory/4252-1-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/4252-24-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing