221a703894aca3f76a0953017cc41d1a09c12a0ced37734fcc400c86abdbfc48

General

Target

c3e768122fdd295e2e99c49f685ee800_NeikiAnalytics.exe
Size

12KB
MD5

c3e768122fdd295e2e99c49f685ee800
SHA1

2d7cdb2e3565a983ef06022f8c866e801a1b7077
SHA256

221a703894aca3f76a0953017cc41d1a09c12a0ced37734fcc400c86abdbfc48
SHA512

162d4859c5f26c9b6ea2700acff4824b2ec1d28d961c0139045a8388610c25e77e04e286277afdcb77b3d544ce83dca27c2c8475ddde9aa446ae836b98b56815
SSDEEP

384:wL7li/2zUq2DcEQvdhcJKLTp/NK9xaUU:uIM/Q9cUU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2856	tmp7E55.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2856	tmp7E55.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2020	c3e768122fdd295e2e99c49f685ee800_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	c3e768122fdd295e2e99c49f685ee800_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2064	2020	c3e768122fdd295e2e99c49f685ee800_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2064	2020	c3e768122fdd295e2e99c49f685ee800_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2064	2020	c3e768122fdd295e2e99c49f685ee800_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2064	2020	c3e768122fdd295e2e99c49f685ee800_NeikiAnalytics.exe	28
PID 2064 wrote to memory of 2196	2064	vbc.exe	30
PID 2064 wrote to memory of 2196	2064	vbc.exe	30
PID 2064 wrote to memory of 2196	2064	vbc.exe	30
PID 2064 wrote to memory of 2196	2064	vbc.exe	30
PID 2020 wrote to memory of 2856	2020	c3e768122fdd295e2e99c49f685ee800_NeikiAnalytics.exe	31
PID 2020 wrote to memory of 2856	2020	c3e768122fdd295e2e99c49f685ee800_NeikiAnalytics.exe	31
PID 2020 wrote to memory of 2856	2020	c3e768122fdd295e2e99c49f685ee800_NeikiAnalytics.exe	31
PID 2020 wrote to memory of 2856	2020	c3e768122fdd295e2e99c49f685ee800_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\c3e768122fdd295e2e99c49f685ee800_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c3e768122fdd295e2e99c49f685ee800_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\trrz5jj3\trrz5jj3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8343.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB7AD465D681D4DF886541718A75FC7D.TMP"
    3⤵
    PID:2196
- C:\Users\Admin\AppData\Local\Temp\tmp7E55.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7E55.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c3e768122fdd295e2e99c49f685ee800_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
7e300c5cb88a1c29ec3fc8ba0e8d7bfe

SHA1
1cc2759eb8caf1f896f380620e2c2af6c8d5590e

SHA256
6c6ef912b5f2b0ba7d7b58496f8ac867071f89311ff866836b7d9f0e96f73344

SHA512
8627fddd17dd8cee4d7f524d8a77993e947d113c97f4e36e8f445cfbe6f3ae755987556918a8b07feae1574fd1ce02a96162cd8b3ccfa15032d36d1b9d7bb5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8343.tmp

Filesize
1KB

MD5
44a132ed2d1160908902df5717cf3760

SHA1
9c5919b814d411cd9274f86d9da42123b0649a02

SHA256
5fe3b26334149b29043d3478c30d4a0d31f8fa0e0c0376ab4393b30190462ed1

SHA512
d67996afa32f67e66d2969bfe340d7d4e58170cf714fafb151794b027a38db95d3791b5d4c3baef509f4dcacf98b7bc6bd5e9d5ee186befed74b772e7a04f9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7E55.tmp.exe

Filesize
12KB

MD5
c1dc03933f01286722c1b88e714e8ad9

SHA1
dbc33a8c700463441909727e69b086ae49a5b758

SHA256
4e7c93e5a2195db19033f7d63fe85b7619428239063051c999da90db6f52b185

SHA512
0e8130392df9e70c6eb79fd0e8fea3299c46a703bea35bed2b7cdb8e1f56378144849dbd9c988422b24e7f62492514cadb5f031830f6b60d2f0a86ebc753c23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\trrz5jj3\trrz5jj3.0.vb

Filesize
2KB

MD5
efd8641fbef385c829fdd92e54ae8446

SHA1
10b3ba7a8364971d0bd34398995e7d934e54bae1

SHA256
54beb3d8ffc9d58b90a46411c3aae7fa6deb80ec5c4aebb47bfe8584e4c1be2c

SHA512
4ce4e1dc3fb14db6183bb940ea91279bfdcf1266303b1caa407f91c239f659e2c3bb9ddddacd47adf6634b7f23f8ed0f73695b26eb96d48e432ee1279ef7e2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\trrz5jj3\trrz5jj3.cmdline

Filesize
273B

MD5
20f0fc3c82560f1d52e72018d799714f

SHA1
fa2f696613915a29183a508ffb28d952d9799146

SHA256
911304a604d5f0775523ce2d4b043b8af5516d000e4a4180f6dddd6c065fba07

SHA512
0f2c425d128e943b95f28c6eea2336e6770e92c548437d4534c397b16dee40757f689ab02051e750576cee2541c60afed28fe0abf59b0d28f719693aa5bf77e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB7AD465D681D4DF886541718A75FC7D.TMP

Filesize
1KB

MD5
46b916e5c1efa1a612c9fc0664a93a55

SHA1
31f28e837fed675018699e8c86145e4207565b9d

SHA256
360cc9171cc15324b33415361f1bee3c1e08f82fea5dfa3fc77ded58638bbc8a

SHA512
345ce665a48ce1daf9c4d49cb00d6748d3f0bf75edc3f80891ca322362e70a3e9145c95a85ae842fb9cb41be5c71f534f6eb772d94764986e060faa4e159efe7

Download Submit
memory/2020-0-0x00000000745CE000-0x00000000745CF000-memory.dmp

Filesize
4KB

Download
memory/2020-1-0x0000000001060000-0x000000000106A000-memory.dmp

Filesize
40KB

Download
memory/2020-7-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/2020-24-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/2856-23-0x0000000000F50000-0x0000000000F5A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing