c66b3ec7224d80972b38b689e85c4fb395fbfbfcfe6dd5018bbd04bc17787979

General

Target

81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe
Size

12KB
MD5

81f16f0ac610e0b01dc4e21b61ce9b20
SHA1

6927214c52526f0df4ca146c11d02cf3665b1350
SHA256

c66b3ec7224d80972b38b689e85c4fb395fbfbfcfe6dd5018bbd04bc17787979
SHA512

13b24cdd20b5d83769cec343716337b3399bee00e1a8734b981a00f8562fba0e9be012b36b8c79a85a72c4deb20995ebe61fcd3d6eab98765d58d929934b31e6
SSDEEP

384:qL7li/2zhq2DcEQvdQcJKLTp/NK9xawr:0xMCQ9cwr

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2800	tmp1298.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	tmp1298.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2784	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2944	2784	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe	28
PID 2784 wrote to memory of 2944	2784	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe	28
PID 2784 wrote to memory of 2944	2784	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe	28
PID 2784 wrote to memory of 2944	2784	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe	28
PID 2944 wrote to memory of 2592	2944	vbc.exe	30
PID 2944 wrote to memory of 2592	2944	vbc.exe	30
PID 2944 wrote to memory of 2592	2944	vbc.exe	30
PID 2944 wrote to memory of 2592	2944	vbc.exe	30
PID 2784 wrote to memory of 2800	2784	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe	31
PID 2784 wrote to memory of 2800	2784	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe	31
PID 2784 wrote to memory of 2800	2784	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe	31
PID 2784 wrote to memory of 2800	2784	81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lvmsik4q\lvmsik4q.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE5E1C6EE4BB4459A265CABE341BDA47.TMP"
    3⤵
    PID:2592
- C:\Users\Admin\AppData\Local\Temp\tmp1298.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1298.tmp.exe" C:\Users\Admin\AppData\Local\Temp\81f16f0ac610e0b01dc4e21b61ce9b20_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
b1a6baa2ab93f6182489c587ad5b85f7

SHA1
899fbe461073fdb623d45617725f20634646e766

SHA256
f905f03a51f2a4a8946f75f43dbae8d2035a28a18ba57bc029218f98e8d59edb

SHA512
1cc94bfb08959566aae168c1334beb2062b282c8418690569f3044e49b57901f27e2b0d2e4b9dc8162a04dd10dba32ae5c22a8268101345810c07cf833791829

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES13CF.tmp

Filesize
1KB

MD5
1d63f5278a935ae570bbdf181e28293a

SHA1
bf5ad4e0389babab6c1ee173a16e40f1abb1e635

SHA256
3e77fb2e4e4bb4c52078b118d804019f122657bb99e7f0042abca85b0b45e651

SHA512
4205fa81de48df33249012d88fdf3263a79e6f2ae660ac262214aaae0c65d12f44255e8de7af7f84ee7f8e6fabd0baab62c354df9cc89032de0b5f92595d6e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lvmsik4q\lvmsik4q.0.vb

Filesize
2KB

MD5
9731b8d9e752d194f5353523287b36b5

SHA1
3a9615b7fe365d58acb7204726ec2255b1e57468

SHA256
9a70250c47675fc82ae38935e2b29932234e9ea3caf524d9917db7866587e6e8

SHA512
ff877b29d2dbffeea070fc40f6abc2946a8ca049d26d31b6c020aa48bc2c9477a918d56effce3be1920d664b6a1054e55784b4d56f462f5cafd6c4d9ff17b75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lvmsik4q\lvmsik4q.cmdline

Filesize
273B

MD5
d1cd0117ed703cd897517424430bd3c1

SHA1
fbce4106048d18ee4c6888a83f22f8a92f179b06

SHA256
018b5d7a809d592a54bb0cd2277beed3c8bbd4d74b56fe495b1a051dd99a7568

SHA512
ecb7d667709baa8881ec0fbf175ec8082689dd4a7fbcf78ca96cf222b218b1f768a0d22050e7e4ac0896e9e20df2ecc370057b60fed097d5ee2b70caaa2a0fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1298.tmp.exe

Filesize
12KB

MD5
e69c98f7d552ad44ff493e9424e4a25c

SHA1
092274f872d71d9ce3f6b0088670df56cd95bfa1

SHA256
db66d1e0f3e4b7808004236dfbab1d11dec79bf9e3c320e0f9fe6d7df755fb97

SHA512
095461d43c4a65c6d8f2862e5d691a323f3832cca5be69c095945cbd6bc8a99f33b7cd34e4faee6bbb8af4512bb75bceab6b83c72507a463730fee49fd775bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCE5E1C6EE4BB4459A265CABE341BDA47.TMP

Filesize
1KB

MD5
4bd0b99dd4e4c3e573ae067df47fec06

SHA1
2ef64602fc3532871d4a858a26a7e4b86320e4a3

SHA256
8feae2edb58bea34afcd054dc0a4f13931a0eca18eae4fd34937e59b863fb45f

SHA512
a65e3449cc4240f362e6efda6f0dab5191ec592809326c698670c1c9576f4578986783809be5410840eff17c1629adf5392e27284909802ec073356e9867da60

Download Submit
memory/2784-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/2784-1-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

Filesize
40KB

Download
memory/2784-7-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2784-24-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2800-23-0x0000000000A50000-0x0000000000A5A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing