b9d50fec94d9cb0e803105bd68563bb2fe2153573c4de249ff24b76de269aaf5

General

Target

12910bea5b5fa1b585bf3ff457e93110_NeikiAnalytics.exe
Size

12KB
MD5

12910bea5b5fa1b585bf3ff457e93110
SHA1

2eb52d9a8ff34eea4e4abf0b988317d6c5974bd5
SHA256

b9d50fec94d9cb0e803105bd68563bb2fe2153573c4de249ff24b76de269aaf5
SHA512

6e329e730fead04821c556d9a22a6a96e2664307a8184309f222298dfe0105c3a72d9893688fdbf6bfcdfeb8047d1236ae494d2d9e139670645202a3f4391bcb
SSDEEP

384:1L7li/2zgq2DcEQvdhcJKLTp/NK9xaPyn:VMM/Q9can

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2668	tmp12D6.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2668	tmp12D6.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2512	12910bea5b5fa1b585bf3ff457e93110_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	12910bea5b5fa1b585bf3ff457e93110_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2192	2512	12910bea5b5fa1b585bf3ff457e93110_NeikiAnalytics.exe	28
PID 2512 wrote to memory of 2192	2512	12910bea5b5fa1b585bf3ff457e93110_NeikiAnalytics.exe	28
PID 2512 wrote to memory of 2192	2512	12910bea5b5fa1b585bf3ff457e93110_NeikiAnalytics.exe	28
PID 2512 wrote to memory of 2192	2512	12910bea5b5fa1b585bf3ff457e93110_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2572	2192	vbc.exe	30
PID 2192 wrote to memory of 2572	2192	vbc.exe	30
PID 2192 wrote to memory of 2572	2192	vbc.exe	30
PID 2192 wrote to memory of 2572	2192	vbc.exe	30
PID 2512 wrote to memory of 2668	2512	12910bea5b5fa1b585bf3ff457e93110_NeikiAnalytics.exe	31
PID 2512 wrote to memory of 2668	2512	12910bea5b5fa1b585bf3ff457e93110_NeikiAnalytics.exe	31
PID 2512 wrote to memory of 2668	2512	12910bea5b5fa1b585bf3ff457e93110_NeikiAnalytics.exe	31
PID 2512 wrote to memory of 2668	2512	12910bea5b5fa1b585bf3ff457e93110_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\12910bea5b5fa1b585bf3ff457e93110_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\12910bea5b5fa1b585bf3ff457e93110_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1xl22spm\1xl22spm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES142C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F9CB489D7C941C58EFABA853F42B1F2.TMP"
    3⤵
    PID:2572
- C:\Users\Admin\AppData\Local\Temp\tmp12D6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp12D6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\12910bea5b5fa1b585bf3ff457e93110_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1xl22spm\1xl22spm.0.vb

Filesize
2KB

MD5
7665a31104848186f2ac065733d3567f

SHA1
91732c6412096b73afa9c5c67ce20f681f8192a1

SHA256
b6082af33687a4b9e7472e4b57d30272a61545f1955110e39ac5a5fc4f80b4b2

SHA512
06e11e2b2dcfbb5a2098d1de482c477396b31d4c4b1e82be86eaae4b03a0e72ba2615222c77a549367a391ba7f92f1002cd4ee0c1d918a32ee6498d68b443908

Download Submit
C:\Users\Admin\AppData\Local\Temp\1xl22spm\1xl22spm.cmdline

Filesize
273B

MD5
21a99271494d9de56bbb5bfe597d8e5b

SHA1
abb74d5e9918c3a35f30617c7e9b6db721695208

SHA256
87aacdd22f97c5e61da1863ba0989dca59d97e1abfebd8aa1573b662b6f437b1

SHA512
61cfea5761797430c1802efd0702aa70ef5e4fb9c95662df9888eeab8651559acc63908c77104642b578076f9beb5751fc97ab42c62e59243c85ec587b328608

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f36d3efdd9cebdb90b05194076675b28

SHA1
5a6b5e0efdf756dfcfcca96b58306ef5418ff653

SHA256
201d78ec3a1cf737501ed2053ecd46522f2569bccc3631a72c65d213cf562e2b

SHA512
4f93bc90fc0b6bbba6e6a246bf9f17807ecf1df2bbfc996b8c5acefbf6d3bf366cfe8d0a7af14f82ecc1aa92ae53a9038b35587ab6d277fb6435734fc19e4885

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES142C.tmp

Filesize
1KB

MD5
d219e6ccdf6f91f6afe36849ad227d2e

SHA1
3f14a104e8c561f1706cdd6ed31e89a8d8f45dec

SHA256
e4629cb35ea4d2fc80ccc30d305a7ea5ae52a5929f3629f8d6426f784bef8b9e

SHA512
37aa76a349da11eee04abfe9f42c45e697f5e87ccdd48117da7ea83aa13bb813f7aa51d8206fc306ccd67af9525d625b8d4c3756854c638462b0804d9dea7a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp12D6.tmp.exe

Filesize
12KB

MD5
a068a083ba7676c171c7995f5397ab39

SHA1
16284c002512a2449ef45df2cc8654dd8ff13734

SHA256
d0652c2163985ca1a405b964ec5e57357b2986aab9b49d4208a89394f460f54f

SHA512
4395bf9c7f872ca7dbf24cc0d059e578d6d0e915c58456deaeb000c647e33cee55297cf22d57304348992a0ad94b78e8fcb94c6ee77c297c00b5e448e6827d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2F9CB489D7C941C58EFABA853F42B1F2.TMP

Filesize
1KB

MD5
5d1201e6cff0618a1d0f8c058e989ded

SHA1
6035b1fd6290e9474a537137bb6f05cb89dd3d93

SHA256
bddea16259b74f44b8e3f3b57d388d0d0e9a2ecfebd7904e8d59ec61c1c11111

SHA512
ff98519867db59360e8fbcf5b50b774600d718750500c0342575f5993a8a8c04fa6843ae5ba427bd4797c5d9d213242e4d6fd743ec127ba79b8ca6f8d702cae1

Download Submit
memory/2512-0-0x00000000745CE000-0x00000000745CF000-memory.dmp

Filesize
4KB

Download
memory/2512-1-0x0000000000F30000-0x0000000000F3A000-memory.dmp

Filesize
40KB

Download
memory/2512-6-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/2512-24-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/2668-23-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing