1f37bbee512c5d6192c46714e88f6f5ee1e4e7332f64986d92627f089a6d24cb

General

Target

bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe
Size

12KB
MD5

bce60d78d9a86deff1e49741e15ce740
SHA1

cf88457054cf906592e9e0c0ac5980f0e82f3b54
SHA256

1f37bbee512c5d6192c46714e88f6f5ee1e4e7332f64986d92627f089a6d24cb
SHA512

de34ddc946c853b0da2648d443a167436ebd1837e82036e05dd8d903b524f9ed02f16bf41a7ebad5e1755a380463e28202dd115bc966f10ccf312e1aab47c0df
SSDEEP

384:hL7li/2zeq2DcEQvdQcJKLTp/NK9xanx:BGMCQ9cnx

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2596	tmp1823.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2596	tmp1823.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
840	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	840	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 2076	840	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe	28
PID 840 wrote to memory of 2076	840	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe	28
PID 840 wrote to memory of 2076	840	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe	28
PID 840 wrote to memory of 2076	840	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe	28
PID 2076 wrote to memory of 2916	2076	vbc.exe	30
PID 2076 wrote to memory of 2916	2076	vbc.exe	30
PID 2076 wrote to memory of 2916	2076	vbc.exe	30
PID 2076 wrote to memory of 2916	2076	vbc.exe	30
PID 840 wrote to memory of 2596	840	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe	31
PID 840 wrote to memory of 2596	840	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe	31
PID 840 wrote to memory of 2596	840	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe	31
PID 840 wrote to memory of 2596	840	bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\whk3m24z\whk3m24z.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES196A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc301B135FA3F94A8586255B1D464462D.TMP"
    3⤵
    PID:2916
- C:\Users\Admin\AppData\Local\Temp\tmp1823.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1823.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bce60d78d9a86deff1e49741e15ce740_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
0f70b8bedec2b2cf66f1595f6127a65a

SHA1
79b631f95d2c8578dee882b1ba70279424b6c74b

SHA256
886a60e684a0f2da10f0cb4e2103554c755755d65d7e3fa68c1cb9d96c0a6b60

SHA512
07d52cb41b3aa5d227c9c692a804ebae5be292b4137edb05ee6ffaa6c002c627a046c8a4ecf4a5df9c17f55c11c864b94f60b00e7ffffd49635329359fd20b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES196A.tmp

Filesize
1KB

MD5
5415697280540ed6aaef74d128f21bc4

SHA1
32f48dd7afcc743dc8f5d7bfa24e70737afd36fc

SHA256
33a266b17934bcd736301c5b4a9123f7b6ddbbaf62ead1b7ed9e08ca93b66b51

SHA512
43e0f4cbb4c75a4dadd0f3dbee2d75d974d1b9d5341b849491f0dd953a9de4e3c9d90207cbac2c4067439a446210aee11f5a507aea70bc91d2717e16abc6b3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1823.tmp.exe

Filesize
12KB

MD5
673ae76f082c5dba046cd820057bc37b

SHA1
2582996aa2c606325b75096dfdcb2ccd09e579d3

SHA256
0523fb837fb944baa9beecfbf00ad442b13422b2739c7c53e9077b41df3b4cd2

SHA512
675e396b662bb8bd0ede384862c241bf917f4b4c30ebc27f7183b4246d89a6497917fe4785ff92e6e29d815500b007f779746c5199c338a65e1bdda8affe9ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc301B135FA3F94A8586255B1D464462D.TMP

Filesize
1KB

MD5
093a617fb2c2738f25f3b71bd89a57a5

SHA1
178202a99eb3d1f79b843fbaeeeb5f634a3590c6

SHA256
508b804f99012424bb42cba5f7cb5caf378f68b6db1d6eebfd81744f66173c5c

SHA512
5e9f159626b7633d0cc5f19ba81b12b343252c210e100ddcb1fd2982db084b17809f95a23f15ec7724b75a6998dc8a34ed46ddfdb5a70ea3f474fa317db697cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\whk3m24z\whk3m24z.0.vb

Filesize
2KB

MD5
b139963a27db4811c68a7a26b73c0e7e

SHA1
e0bcfb15e71abb3e243082fe8502c4f3ba24069f

SHA256
1dc3c90653a4beb73c27c58c0d84487eb6f4c92074e3043b4234607453582b4f

SHA512
0b19af71232df6985887d8cbc0507a16d0dad6f46c8350de4f568b552234a9fcdb84b5f26f4605e8f3290857097a9e5e60a8ccda830ef3ea5908d93a92718549

Download Submit
C:\Users\Admin\AppData\Local\Temp\whk3m24z\whk3m24z.cmdline

Filesize
273B

MD5
c7455356c1ff710f82fa67d50d5b8601

SHA1
fc591834e12131c719b447ecdb08423fc02b9cc3

SHA256
b03e55bed55b9f6ab33a5fc13bbda9bb9f3cd7b269102c12a53ed8887cca3426

SHA512
bf61a601eff4c8c1ff218f1479bed4c0b141e0f9117e5c2b89406e9bdeef89c55ba1686ae9820024d8c0afc61c210a8b6f8dc58d9553a95f4c63bf765c899eef

Download Submit
memory/840-0-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/840-1-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/840-8-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/840-24-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-23-0x00000000000A0000-0x00000000000AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing