67480d640ca38edac6b75e61ec981055fbd0504fb1f96927c4266d28eb445c90

General

Target

d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe
Size

12KB
MD5

d84003982d335bb3fa71fe7933929600
SHA1

f3909e1bf91266169c87013d738c3c8d9bce8c5b
SHA256

67480d640ca38edac6b75e61ec981055fbd0504fb1f96927c4266d28eb445c90
SHA512

de237dc796f988c85d5a6ab3c20840900456fd78784dc9bc76af4a0346b7c112cb5199b5edfbe6f717bd9f2888138de516edb7cef66baf8f2e26d8e27cf5ba9d
SSDEEP

384:aL7li/2zKq2DcEQvdhcJKLTp/NK9xaZM:EaM/Q9cZM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3052	tmp31FA.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3052	tmp31FA.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1736	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1760	1736	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 1760	1736	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 1760	1736	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 1760	1736	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe	28
PID 1760 wrote to memory of 2712	1760	vbc.exe	30
PID 1760 wrote to memory of 2712	1760	vbc.exe	30
PID 1760 wrote to memory of 2712	1760	vbc.exe	30
PID 1760 wrote to memory of 2712	1760	vbc.exe	30
PID 1736 wrote to memory of 3052	1736	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe	31
PID 1736 wrote to memory of 3052	1736	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe	31
PID 1736 wrote to memory of 3052	1736	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe	31
PID 1736 wrote to memory of 3052	1736	d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\diwfgmzo\diwfgmzo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB8011E355A34FCCBF2420272E59C62F.TMP"
    3⤵
    PID:2712
- C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
1d3f11c643def34e7d4c8e4663f10077

SHA1
e565753e2edf2ddfbb5371f27c5a71be80b2f992

SHA256
42f660f95cfdc0ce6a35bea6407b05c61d1566b7a91018333bd80e662317a0c4

SHA512
bfc2d75da3bd7c4c23c89fa7787cc3242b6e1747c06e76bca0e7c93c1acf676e9b734ea8ac3f7e73daf5addbff2b533415b013bf6b58256151a171c54a1fccd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES33AE.tmp

Filesize
1KB

MD5
ac686837ea79d6ac8da76721ffc48121

SHA1
bf90e59d5282ffdd5d367c6ee5c89ce3de320c04

SHA256
3af2c4af9603d1147d6c439cc780caac243fd70f68b83a6243aec97308d925eb

SHA512
88a9d703d92ad9b69104e06b875bcf27c609fec474e10e9cc80305bb8eda5511782f83b6e7244ed300d7fc274c4d2804464f237eeb33bf0f7b77f0a6b84e4e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\diwfgmzo\diwfgmzo.0.vb

Filesize
2KB

MD5
e8eb8fce0625d85d1174e05aa91fbafa

SHA1
66bc46142bba3342397aec47404823643e290e31

SHA256
998f5baa833b49f0c0dc4f3cb7b5cfac4266f8068e2aab9328d56c74a9243cec

SHA512
c491e51ef04f6fde989254901fec12b9029529f0731cd74791488c1628f1c05a035cfa6324200e35625b1db3b9270b91ad4d9417ffcef32992f2046eb10d9816

Download Submit
C:\Users\Admin\AppData\Local\Temp\diwfgmzo\diwfgmzo.cmdline

Filesize
273B

MD5
9557dbc0b67a6b81fb10a2af578ec457

SHA1
3fc24319b1262dd910f17c15e555e6ee5387fafd

SHA256
4a4ccd64d1a1421bf0112c2fe582681c15d5d0c0e9b8934429e40788a2de3ec9

SHA512
3689d8549376b9836a1fc9cbfa85a6f5470c5344e8438c66e7ec98cdc679d6f84e58e9093be6af6812507f7dc55d7649e173525fa5197a0191f128fa3d004290

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.exe

Filesize
12KB

MD5
a24efd64d7e6543f2d7e1aa1afedd029

SHA1
d7ec32d4612b569fa6e733e9270050fd289db268

SHA256
ac8a81fcb05ad14fd8b33e35aa9aa44d877a0eb9b60ccdbc4a60417e6bd29360

SHA512
9a981349264fb7ba9f974656104ad5d14f09dd8ee0f4829b555fec3bab2bb6df65fe54fc533cf3ef55ee57101b677428f477f49476ad3783f40e1b11362263ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB8011E355A34FCCBF2420272E59C62F.TMP

Filesize
1KB

MD5
1aeaa13d14e7add5f97a7e287374fd84

SHA1
cae8bfcab890aad255d68640e62650fb31c2571e

SHA256
22ae0d7239857811edd7d112fac636f3d1dcb04c291994f1eafeadb114e30538

SHA512
2038dd521c0018b395c7796c7a2a5c3217cbdd5e9c8b0692dbb2014fa6fa690331eabd272a5f4f4aed3991336198b09325e34015c558c0433c4853e49a09173d

Download Submit
memory/1736-0-0x000000007442E000-0x000000007442F000-memory.dmp

Filesize
4KB

Download
memory/1736-1-0x0000000001140000-0x000000000114A000-memory.dmp

Filesize
40KB

Download
memory/1736-7-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/1736-23-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/3052-24-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing