971f27750c249eabe7728902f12c839dafd28fcb7ae53cdc4dd2ef0c6980d608

General

Target

071bb20830feaf9f1cfb7a9435a17190_NeikiAnalytics.exe
Size

12KB
MD5

071bb20830feaf9f1cfb7a9435a17190
SHA1

4630ce2c1c612bde4cf9688fed2be76af312d832
SHA256

971f27750c249eabe7728902f12c839dafd28fcb7ae53cdc4dd2ef0c6980d608
SHA512

d23ef030afb6348f157c340d9d4765157c43417741bd13c0ddcd1a357095e5cd7c6721e66018c33a19a920ea1c8a198f14e6997a1d799ab202d58bdee555758e
SSDEEP

384:IL7li/2zGq2DcEQvdhcJKLTp/NK9xa1Y:2GM/Q9c1Y

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2536	tmp1BAC.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	tmp1BAC.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2908	071bb20830feaf9f1cfb7a9435a17190_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	071bb20830feaf9f1cfb7a9435a17190_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2956	2908	071bb20830feaf9f1cfb7a9435a17190_NeikiAnalytics.exe	28
PID 2908 wrote to memory of 2956	2908	071bb20830feaf9f1cfb7a9435a17190_NeikiAnalytics.exe	28
PID 2908 wrote to memory of 2956	2908	071bb20830feaf9f1cfb7a9435a17190_NeikiAnalytics.exe	28
PID 2908 wrote to memory of 2956	2908	071bb20830feaf9f1cfb7a9435a17190_NeikiAnalytics.exe	28
PID 2956 wrote to memory of 2660	2956	vbc.exe	30
PID 2956 wrote to memory of 2660	2956	vbc.exe	30
PID 2956 wrote to memory of 2660	2956	vbc.exe	30
PID 2956 wrote to memory of 2660	2956	vbc.exe	30
PID 2908 wrote to memory of 2536	2908	071bb20830feaf9f1cfb7a9435a17190_NeikiAnalytics.exe	31
PID 2908 wrote to memory of 2536	2908	071bb20830feaf9f1cfb7a9435a17190_NeikiAnalytics.exe	31
PID 2908 wrote to memory of 2536	2908	071bb20830feaf9f1cfb7a9435a17190_NeikiAnalytics.exe	31
PID 2908 wrote to memory of 2536	2908	071bb20830feaf9f1cfb7a9435a17190_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\071bb20830feaf9f1cfb7a9435a17190_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\071bb20830feaf9f1cfb7a9435a17190_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r4h5as1z\r4h5as1z.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C95.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D6CBDFCE6044B5BAD9774DF2168897.TMP"
    3⤵
    PID:2660
- C:\Users\Admin\AppData\Local\Temp\tmp1BAC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1BAC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\071bb20830feaf9f1cfb7a9435a17190_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
2518a153927e47e986a2f0dd5eee62f6

SHA1
fbbc113606117f9448bda9b413f8e80297e7fa41

SHA256
ce1e0bac37d34e52ac00111978abd3e2278801f0fb94d34abd4adb71b96d6bec

SHA512
6cf0d57c604824dc40716974667b386dba0f5c0acc8f5cddbfc4d1b7a01f5a8efc89baa453e2c53d92459987b76d40176adb94648026ffa97844fdb3e69e3c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1C95.tmp

Filesize
1KB

MD5
201f21409bf70f27e5bf5c52aa04ff6a

SHA1
11e112a356ab017feaaf7834b06c96d8d5b53aff

SHA256
62de1cb00392b9f8cb4fb8970be07f82499ec1cac5de8036e35b31153cba781c

SHA512
be0c3ff8630b626547fb3e1ba85e02fed7d1f5ccf5bd74a7ba3139bc2b0a7bcf011254a8d1648c0ebeaeee0cd16194db55514e20602bec0e7aea085c09634d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\r4h5as1z\r4h5as1z.0.vb

Filesize
2KB

MD5
d7e8291236d6abf4d738a67309d20693

SHA1
5477f57326ec10d7f9bd522ac8f4da3ea82c7da5

SHA256
04f792d3057f60a030239b6526df65be7c231edc31ccda421cfb77fdc3cffcbe

SHA512
702207f4dba7ae1b076a89b6dbbe0b3579ef48681dbb95e09fd54348b7f88a20aa4d8aa0f226195928c615842e697f8cb890736d3ace90be20c07ef9e660abec

Download Submit
C:\Users\Admin\AppData\Local\Temp\r4h5as1z\r4h5as1z.cmdline

Filesize
273B

MD5
584142d4f4c3364294060a7803c02cc3

SHA1
dbdc25b4b684cad0346cca3693ff229d785901ad

SHA256
1ae5d0347c4b21ee9413788157b8ff424973fa11594eb63c703bca702095e1a1

SHA512
5b07a63afcb80b161d2b0b591796deff8f3889172e9e9d2818e706038909a32032a5b3728993cd182726ba5cef8cc497b95fd686ce1f70e483c5ed18663ba1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1BAC.tmp.exe

Filesize
12KB

MD5
469024870144a685e50d4060b8889812

SHA1
32f0f793bb20e17721f8fc2de666a519a3e66347

SHA256
53482d94ab3f6734f050ce918bb05898c2ecaa0b35d13328900c1e840eb0157d

SHA512
fe72566c13a61fcb3f20112e861f43826f62255599d2a1fe1e6d5a146f3f241996edaad9c2d8cd6ab4ae79b16f59f53dce765298adabfb24257c60dce5784bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1D6CBDFCE6044B5BAD9774DF2168897.TMP

Filesize
1KB

MD5
1df848d4ccf8a999b4610dac720fe14c

SHA1
62f093e2c19ed6db39a134ef06a158bc580c2ea2

SHA256
cbea8a2038bcfd517dd4a31065b0cbab1129addf46921cd8ae52bc0dc740f0b1

SHA512
6c403418332d0d058afa310f885a4f6ec82c7e03ae9cc723ddb16e5a03cc2eb207227933c0b50e346ac3e3c1b00d0bbf8b9d6c09c049b2f76eec92417a3e297d

Download Submit
memory/2536-23-0x0000000000010000-0x000000000001A000-memory.dmp

Filesize
40KB

Download
memory/2908-0-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/2908-1-0x0000000001070000-0x000000000107A000-memory.dmp

Filesize
40KB

Download
memory/2908-7-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-24-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing