3a4737785e60f00f786af8b9b0dc0ef9fedde0a7a899f6e3309dc86b99be33f4

General

Target

3a4737785e60f00f786af8b9b0dc0ef9fedde0a7a899f6e3309dc86b99be33f4_NeikiAnalytics.exe
Size

12KB
MD5

830d9bcf977cf5abd8e765110997bd80
SHA1

87bb1e1b4b73f1a083dc888f42b6bef7fafa67f9
SHA256

3a4737785e60f00f786af8b9b0dc0ef9fedde0a7a899f6e3309dc86b99be33f4
SHA512

8064acfcf5c1412c07a6d4ace053e651811fd5ba1320575f150277ed6c2921af17cfa41722b8b36a3bfe3996beb58e06df9c2785d059a6d44706fed7a16522b9
SSDEEP

384:gL7li/2zJq2DcEQvdhcJKLTp/NK9xaG3:+ZM/Q9cG3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	3a4737785e60f00f786af8b9b0dc0ef9fedde0a7a899f6e3309dc86b99be33f4_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
1612	tmp547A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1612	tmp547A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	3a4737785e60f00f786af8b9b0dc0ef9fedde0a7a899f6e3309dc86b99be33f4_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 520	1576	3a4737785e60f00f786af8b9b0dc0ef9fedde0a7a899f6e3309dc86b99be33f4_NeikiAnalytics.exe	81
PID 1576 wrote to memory of 520	1576	3a4737785e60f00f786af8b9b0dc0ef9fedde0a7a899f6e3309dc86b99be33f4_NeikiAnalytics.exe	81
PID 1576 wrote to memory of 520	1576	3a4737785e60f00f786af8b9b0dc0ef9fedde0a7a899f6e3309dc86b99be33f4_NeikiAnalytics.exe	81
PID 520 wrote to memory of 1636	520	vbc.exe	83
PID 520 wrote to memory of 1636	520	vbc.exe	83
PID 520 wrote to memory of 1636	520	vbc.exe	83
PID 1576 wrote to memory of 1612	1576	3a4737785e60f00f786af8b9b0dc0ef9fedde0a7a899f6e3309dc86b99be33f4_NeikiAnalytics.exe	84
PID 1576 wrote to memory of 1612	1576	3a4737785e60f00f786af8b9b0dc0ef9fedde0a7a899f6e3309dc86b99be33f4_NeikiAnalytics.exe	84
PID 1576 wrote to memory of 1612	1576	3a4737785e60f00f786af8b9b0dc0ef9fedde0a7a899f6e3309dc86b99be33f4_NeikiAnalytics.exe	84

C:\Users\Admin\AppData\Local\Temp\3a4737785e60f00f786af8b9b0dc0ef9fedde0a7a899f6e3309dc86b99be33f4_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3a4737785e60f00f786af8b9b0dc0ef9fedde0a7a899f6e3309dc86b99be33f4_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cjdnd2r3\cjdnd2r3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES561F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6A4D5DD012E14EE69870A2FA933E834E.TMP"
    3⤵
    PID:1636
- C:\Users\Admin\AppData\Local\Temp\tmp547A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp547A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3a4737785e60f00f786af8b9b0dc0ef9fedde0a7a899f6e3309dc86b99be33f4_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4a0ad59927914a24c2683d2e3d3d550c

SHA1
a8c0ef86d7b4abc8738a7aa1d7f3492811cf47c4

SHA256
cf78c81629dbbefbe8cb9940b3e1f5f88b97c7eb303613447be41c16e935e94e

SHA512
db454db9d8d8ba2fc1953f89b8b911c2cc16d54ee7752b34741754c882ade0753b07742f73fb154c9a7384146c4f40d4e0917af4be16fc06ba53805df63fecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES561F.tmp

Filesize
1KB

MD5
23d1e1bc40079a4e69d3dce82b790801

SHA1
0304e96f64ef362ab912df346a6d7cf984f2f728

SHA256
c6deba7203c32f495173ddcd6b1ee907ed0c4726a6d027e4ed3abe067ab2fb4e

SHA512
604f3ecb373645bc8c27e82818f671e5d064dd6daa7ffd9821f6cd638c5e71b124a0e9126279154923796b77aeaf2db203308ac98cbdf597a318357e6c3a053a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjdnd2r3\cjdnd2r3.0.vb

Filesize
2KB

MD5
951bbf616245ffe083632ae320104e82

SHA1
be2b84820b70a3740342309f6d6413c34256179c

SHA256
6f9aab0d12c289938ef61a7f8df1721981cc6276b7ae5f4185f00eddbafa4c8f

SHA512
6d19f9475cec1687260efb46e335eadc8c5e0bd61f60cb48563895d5ce18b062730b8f10512ce9204f76382c0dbedaf663c9420aefaf1efe8ebc87331c483e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjdnd2r3\cjdnd2r3.cmdline

Filesize
273B

MD5
7f01d950c4ed991bf077f310016f6cd7

SHA1
e869ef00e240cf87f340d252475402596bcb48b6

SHA256
f23111d239f53916aca186ff03bc98df722c62fac1565053f3f8267a97ecf776

SHA512
5f57028a63876c19afd742c1ece2a9f6dd9068617bffedd60c9bfd1718559adb8520cbd555994b22bb7371bbdb813ee095cd2b6bca0b5e02cac4f9f6fbfd9e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp547A.tmp.exe

Filesize
12KB

MD5
4c2b363ac516a9f4a59244d357b69103

SHA1
4c29d556c6748b40041c295d5b13e374d38ade8d

SHA256
29258a600480164dc0aaae207f7349a9755bd4b32123eb3a0c5da85a9afe000b

SHA512
19ea99333322a4e9cc3034878e87b4904744cc03eac8246162f333f61033af8271b4d05f5265f1b7a926271115bdf1fffcc909dc3bf3b956a3f5ebdf7d118565

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6A4D5DD012E14EE69870A2FA933E834E.TMP

Filesize
1KB

MD5
376b633a2152d5c97ad3a5a3cc24f17d

SHA1
a7e107693a868be58ff5d0da4b310655c93005ac

SHA256
4dea70ece13e1d8338745e9e3bbd2a4d086c521978b46bc13f51d46f8b533b6a

SHA512
3f5bb9f7aa0a2d66f80661b5c8bcea554f66499b145e0b12b6fe8297b5f495e884c6888cd679cbc210db2c65c4663e0acf97a83dc32fc2ecfc31122d905906ed

Download Submit
memory/1576-0-0x00000000751EE000-0x00000000751EF000-memory.dmp

Filesize
4KB

Download
memory/1576-8-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/1576-2-0x0000000005840000-0x00000000058DC000-memory.dmp

Filesize
624KB

Download
memory/1576-1-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/1576-24-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/1612-25-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/1612-26-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/1612-27-0x0000000005980000-0x0000000005F24000-memory.dmp

Filesize
5.6MB

Download
memory/1612-28-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/1612-30-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing