bdb933b209cc5e49a4fb23989ad85865c321a420b257733829025205a9339a64

General

Target

3606377647f5fdbdc5bc5d1370318600_NeikiAnalytics.exe
Size

1.6MB
MD5

3606377647f5fdbdc5bc5d1370318600
SHA1

2def66458c5f9991eac82c806d39d4f0abec7ace
SHA256

bdb933b209cc5e49a4fb23989ad85865c321a420b257733829025205a9339a64
SHA512

4693163854dafa6dbdd0c16aa5adeefb5523409dbc0c6dee5f3a0b7dbf4aed418f0353d93cdc8bff2c2fe71862b627504b4b523e99b433afbf7caf57b73f395e
SSDEEP

12288:xHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:xDgINfAuBcgcZG2uG24MG4Y

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2440	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2220	dupulai.exe
2480	~DFA1A7.tmp
1092	rysihyi.exe

Loads dropped DLL 3 IoCs

pid	Process
2820	3606377647f5fdbdc5bc5d1370318600_NeikiAnalytics.exe
2220	dupulai.exe
2480	~DFA1A7.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe
1092	rysihyi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	~DFA1A7.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2220	2820	3606377647f5fdbdc5bc5d1370318600_NeikiAnalytics.exe	28
PID 2820 wrote to memory of 2220	2820	3606377647f5fdbdc5bc5d1370318600_NeikiAnalytics.exe	28
PID 2820 wrote to memory of 2220	2820	3606377647f5fdbdc5bc5d1370318600_NeikiAnalytics.exe	28
PID 2820 wrote to memory of 2220	2820	3606377647f5fdbdc5bc5d1370318600_NeikiAnalytics.exe	28
PID 2820 wrote to memory of 2440	2820	3606377647f5fdbdc5bc5d1370318600_NeikiAnalytics.exe	29
PID 2820 wrote to memory of 2440	2820	3606377647f5fdbdc5bc5d1370318600_NeikiAnalytics.exe	29
PID 2820 wrote to memory of 2440	2820	3606377647f5fdbdc5bc5d1370318600_NeikiAnalytics.exe	29
PID 2820 wrote to memory of 2440	2820	3606377647f5fdbdc5bc5d1370318600_NeikiAnalytics.exe	29
PID 2220 wrote to memory of 2480	2220	dupulai.exe	31
PID 2220 wrote to memory of 2480	2220	dupulai.exe	31
PID 2220 wrote to memory of 2480	2220	dupulai.exe	31
PID 2220 wrote to memory of 2480	2220	dupulai.exe	31
PID 2480 wrote to memory of 1092	2480	~DFA1A7.tmp	34
PID 2480 wrote to memory of 1092	2480	~DFA1A7.tmp	34
PID 2480 wrote to memory of 1092	2480	~DFA1A7.tmp	34
PID 2480 wrote to memory of 1092	2480	~DFA1A7.tmp	34

C:\Users\Admin\AppData\Local\Temp\3606377647f5fdbdc5bc5d1370318600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3606377647f5fdbdc5bc5d1370318600_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\dupulai.exe
  C:\Users\Admin\AppData\Local\Temp\dupulai.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\~DFA1A7.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA1A7.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\rysihyi.exe
      "C:\Users\Admin\AppData\Local\Temp\rysihyi.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
307B

MD5
d407c1925d9cca36e32def14e5ea54e7

SHA1
f4a152fe8d8314268f0cfe668bdf2cd13548f0e5

SHA256
76c9dcec6cd25b2428b8fc0a30aacefd3c76f0bda49653fefa22ea9983ca0b17

SHA512
c37cf38f5f6d460b1948b6a7fb99c11ecb312f34fb2cad2508c3477bc669097a7fbba93aa5a7f06bd9a313d8752ec3f30837d3fb21732cb5c8fec19e0177bdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
469f9125e9c961eb6d2a42508244abf6

SHA1
cf5209b869cbd7f1678ac5a77634cb2aabdd225b

SHA256
a155e5c4824a223e763ddd14d1046baeb71e82f0bb06fb982cb9566145f113de

SHA512
b4f7a088efd41b34da4f1c38fc9130f8e648b46ca3a7c705ec9717a4675605d673400da00c00c1453b058735a7deeaf914f1d0e1e6827b5da6ea8fe0e7aac567

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA1A7.tmp

Filesize
1.6MB

MD5
d9e23c9d09f8add27a9541f7ffd0f287

SHA1
295070f97e8e0fb9ccbcc96cdc04ae0222841c56

SHA256
181253a9710eb9d8d00ff169d1aa755df10b5d015a1166d60f4ebbfca532d6ae

SHA512
f2f87e889508c19e3afae115ede392eb529235ee7b87e0b196d7c1e0c59d0d92204c1a00670f8ee9f8ed22edcd5e00b657b59aaede492feb6cb437f1074ca4d3

Download Submit
\Users\Admin\AppData\Local\Temp\dupulai.exe

Filesize
1.6MB

MD5
54c012fecc89b64ae2effa757cc8a361

SHA1
83253362eccc57dfc7cd73ca6bbd13d2ea0e4427

SHA256
5295f09470eadb983f8f36a746f03e5e8062c5baaa4459ece9e5dab5a4f6dc50

SHA512
4bdd7da9f350eeba053f1957f51f54e5e592e3cbf13f10dd0bbc24fb78300675951f51a2babb8412b1f2f13e5c55cbf5825bacc9549f1ad3bfacf6ee8a80601b

Download Submit
\Users\Admin\AppData\Local\Temp\rysihyi.exe

Filesize
398KB

MD5
54a6574a8381133db5153b9f505487a2

SHA1
b9919c748c847c19464a81556b27176eefba5082

SHA256
5aeeee6b3d81106588ce057c0b145c1e699899b43adb49dcec55fc23ce2bfe84

SHA512
ccbbe5b943647c21434b7ac45d78739e819903a65785e23cabbc1e987a57f5ce026031a62c51313c437550e8a34c9f5f5c8e2c4e4cff55c763730f9f91632026

Download Submit
memory/1092-43-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2220-10-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2220-28-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2480-29-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2480-39-0x0000000003720000-0x000000000385E000-memory.dmp

Filesize
1.2MB

Download
memory/2480-42-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2820-21-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2820-2-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing