2667e1fef58629eb44a333b782ac12ea44b02de1f5e1b4677c620f5e10a98590

General

Target

2667e1fef58629eb44a333b782ac12ea44b02de1f5e1b4677c620f5e10a98590_NeikiAnalytics.exe
Size

12KB
MD5

13666a1eea9e94fbee3f93ae5e9afcf0
SHA1

ca83258670fc60ac51bd59a9c6496e95f5033b69
SHA256

2667e1fef58629eb44a333b782ac12ea44b02de1f5e1b4677c620f5e10a98590
SHA512

02accac2d5f56cb547582dc60767428ee8d963386c8bbb646f3bf5b06735971aa237be3a27362d460303573d824b93b63509fd1013c95954aee09abd47314f80
SSDEEP

384:kL7li/2zpq2DcEQvdhcJKLTp/NK9xa4Zr:yZM/Q9c4Zr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	2667e1fef58629eb44a333b782ac12ea44b02de1f5e1b4677c620f5e10a98590_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
3216	tmp5312.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3216	tmp5312.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	2667e1fef58629eb44a333b782ac12ea44b02de1f5e1b4677c620f5e10a98590_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 792	5100	2667e1fef58629eb44a333b782ac12ea44b02de1f5e1b4677c620f5e10a98590_NeikiAnalytics.exe	86
PID 5100 wrote to memory of 792	5100	2667e1fef58629eb44a333b782ac12ea44b02de1f5e1b4677c620f5e10a98590_NeikiAnalytics.exe	86
PID 5100 wrote to memory of 792	5100	2667e1fef58629eb44a333b782ac12ea44b02de1f5e1b4677c620f5e10a98590_NeikiAnalytics.exe	86
PID 792 wrote to memory of 2060	792	vbc.exe	88
PID 792 wrote to memory of 2060	792	vbc.exe	88
PID 792 wrote to memory of 2060	792	vbc.exe	88
PID 5100 wrote to memory of 3216	5100	2667e1fef58629eb44a333b782ac12ea44b02de1f5e1b4677c620f5e10a98590_NeikiAnalytics.exe	89
PID 5100 wrote to memory of 3216	5100	2667e1fef58629eb44a333b782ac12ea44b02de1f5e1b4677c620f5e10a98590_NeikiAnalytics.exe	89
PID 5100 wrote to memory of 3216	5100	2667e1fef58629eb44a333b782ac12ea44b02de1f5e1b4677c620f5e10a98590_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\2667e1fef58629eb44a333b782ac12ea44b02de1f5e1b4677c620f5e10a98590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2667e1fef58629eb44a333b782ac12ea44b02de1f5e1b4677c620f5e10a98590_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lhll5cl4\lhll5cl4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5505.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC9BD98C9B6964319994196D4FFC2FAA7.TMP"
    3⤵
    PID:2060
- C:\Users\Admin\AppData\Local\Temp\tmp5312.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5312.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2667e1fef58629eb44a333b782ac12ea44b02de1f5e1b4677c620f5e10a98590_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
1845be1777617380014d2af9dd50e562

SHA1
eabfa98d63776f8f6409ca476c28ebe9027e0717

SHA256
1bd0e775ebd460de84b8670f286eb7fa1d0637c5add95ba31736048b69b86d32

SHA512
2b08bbf4d54a6a6e61a3aca4d93ae19197a1c0447cd70d2a9336aeaf222173c9ffff7ba11ac1d05730e0b39927737c7c6d9bd64db81ab4529ca9b6bc978bcc6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5505.tmp

Filesize
1KB

MD5
12a40809c7dc1ccf65e2d42bc891e8ab

SHA1
e4456b931d860f4d9225aba3839bc4996a8bcb83

SHA256
375110140c8c43b2b2d9e92301dbae254e419ebaa91e66d9f9cc3c82c43a6a76

SHA512
5fb02624e84412949a58af0bf608a55b5f37fcdad1fd8c318472047c899f932a65b6a9491c4ea34f0a6b3135274862264ac119ce417ac3db39c0ddb727a62fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhll5cl4\lhll5cl4.0.vb

Filesize
2KB

MD5
f37fd64b9f2a72c7da6254770295d793

SHA1
6211ce26d5f441ba94b30100334c9041495e98ae

SHA256
0a2d11fec9ed60acb3d812536f8dbb1b9bd07699bc54f539dc745d2141e81e8c

SHA512
3ea01dab9ba1fb359d236a0609f517d598ee7a9b9bd08a261d41f44d4d725a1f9a1df23885bae0b8ae83174a918af5236f08d6a05b4ef53335f5abf0b2aa6026

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhll5cl4\lhll5cl4.cmdline

Filesize
273B

MD5
04d3ba56f063905b395835be5f2b1ea0

SHA1
11941a935dce130d81c7357f866a3edfe890afd8

SHA256
62485161673f1f5568d2db4c3678c3501583b6e052c60f3a507df100e1a7c7cc

SHA512
27bc43997f9b912cf817b32c2132101b72fe0733d8f48fcbc4e95afde11c3588d8dd6a1a53b08962674d8f78de087c3ec0de6da5f8e9ee58d12403817fca401a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5312.tmp.exe

Filesize
12KB

MD5
fcf7974b3647294d916d94b833f5825d

SHA1
4ecc3b620cb685f030d64573da0c5a94772dba09

SHA256
26f11f0c29e0df8d3baeaeae75616277744aad025c25585649bba1257844f0fb

SHA512
08007cd457c39d5312d5b03a578242d1422675078a05c5b7f63b403d38967564c9285fcf8d1e1878ef76ec8f78ef58beb1536d56c59083e3e1c463f4a32cff0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC9BD98C9B6964319994196D4FFC2FAA7.TMP

Filesize
1KB

MD5
7234d6fb652c14f2774fb521704771d3

SHA1
bd8ec3358ef0683fd6938e7e8866e8b1c694bf50

SHA256
14fb7aca6ae0b4ffe88d2dabcbca763e6e78c87f12b7bd001bf7d232f67608d3

SHA512
fc020a2d74e3c23bff5e4a0b7358385e20e902a8b985c92f5d6a361de21f365420183cc07c87fb9cf425d7faa3b581b6fe7a4fa399bcd15f8f89e2c2099a5706

Download Submit
memory/3216-24-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/3216-25-0x0000000000860000-0x000000000086A000-memory.dmp

Filesize
40KB

Download
memory/3216-27-0x0000000005760000-0x0000000005D04000-memory.dmp

Filesize
5.6MB

Download
memory/3216-28-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/3216-30-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/5100-0-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/5100-8-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/5100-2-0x0000000005490000-0x000000000552C000-memory.dmp

Filesize
624KB

Download
memory/5100-1-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download
memory/5100-26-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing