6cd60d249bf3bd93bfca7f77b1645ce6a5488e809a626959b9fe6983e5b62220

General

Target

c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe
Size

12KB
MD5

c8921cc603b0ef43c3f937402ec14fa0
SHA1

8dfcb6e2ec2d2ac031b8dfa5f9ca99cce9064cf6
SHA256

6cd60d249bf3bd93bfca7f77b1645ce6a5488e809a626959b9fe6983e5b62220
SHA512

4955ae38a8105cd2366544ebadf4c0fed87b1586b008a98bdf825e4c02de542deea388b4d1adfb1e7e951a1ba4568eca3e0ceb7f07af6d156f6f56a8976b0279
SSDEEP

384:vL7li/2zdq2DcEQvdhcJKLTp/NK9xaeo:DdM/Q9ceo

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2600	tmp1F83.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2600	tmp1F83.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2580	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2232	2580	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe	28
PID 2580 wrote to memory of 2232	2580	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe	28
PID 2580 wrote to memory of 2232	2580	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe	28
PID 2580 wrote to memory of 2232	2580	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2700	2232	vbc.exe	30
PID 2232 wrote to memory of 2700	2232	vbc.exe	30
PID 2232 wrote to memory of 2700	2232	vbc.exe	30
PID 2232 wrote to memory of 2700	2232	vbc.exe	30
PID 2580 wrote to memory of 2600	2580	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe	31
PID 2580 wrote to memory of 2600	2580	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe	31
PID 2580 wrote to memory of 2600	2580	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe	31
PID 2580 wrote to memory of 2600	2580	c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vu313poh\vu313poh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4AE4562C7AE3474D81D9BFC7E0F049AC.TMP"
    3⤵
    PID:2700
- C:\Users\Admin\AppData\Local\Temp\tmp1F83.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1F83.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c8921cc603b0ef43c3f937402ec14fa0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
e6ff00a6a120be357b594be99212a0c9

SHA1
ce869a0a0d600bb3fc7227fb0acfe7f850dd4ff2

SHA256
a836edf2b96a57ff48d1b8b1a960386098ea958ce9b4cdacb7e1fe800945e2de

SHA512
f34394ab42ef650fc1a7169627b7aed154df7bc91daf024750a2f72ec769aa1f2d63969d3d2878e36c08b4992ba933852bf0d6689c705638e198ecf7668a0d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES21A4.tmp

Filesize
1KB

MD5
b1a8c684bba9f8793f1ea8cf10a7dfc6

SHA1
6678d72ffe07bc42774c27a1fbc887ac0ec35bf7

SHA256
28a004fa736ffa2dabb7ea53847f19589a0ccc325b82a02470500df959bbf1d0

SHA512
a0c970b177a8e302f42f2e623d5100363578c23d3c94dfc4cbfbd585ea0ad83207eb8c00644f3a634b35d5c32a7311aeb6097608a435e5cc1655dbd705adf9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F83.tmp.exe

Filesize
12KB

MD5
e93b3a357908e198400373cbfb60dff0

SHA1
28bf41ab3c433e7380b6a4130e5b8bb20bbba397

SHA256
4fb196b7a8c6bc24395f829089497ff620f72392ebed980078ed019c7b450383

SHA512
3ac112b87298b8c1338390436c3eadf1271cbdfd7df6f1b0a2d76d58174f2586af8e97e1d6a6791fa64ffda3810acaa9ebd3a914303200375c1607eb1e12609b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4AE4562C7AE3474D81D9BFC7E0F049AC.TMP

Filesize
1KB

MD5
e48aeb70ecfa57c8fc839872eaf23a83

SHA1
d54603521d064fa2eb44a83c48d8607fa32242db

SHA256
5211b6440471b1105457dbfca201f66afaef7872d167b22b07d536ec9022dc7a

SHA512
576f5f13bde8b3b69e816de742c08c18d5dead53f9122b763bb4fe33d129baac5c4ee1272155a04413893895d8620681a626f33bea76c5524e0efcfbe472b5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vu313poh\vu313poh.0.vb

Filesize
2KB

MD5
2b5127c82c081b314b84da97b5ebb860

SHA1
01248f3ab2416e8c4d5fff9b682ef4ab59373863

SHA256
feb469832965c9f0fd61dc9c7433b10fe060e02cb6e5cee6708f2bcd788a8039

SHA512
c2f5c1874d5a823d00f8fe6b8126b254ffde6d94c8f98c0538fe24ea9449086cbe36851b52737c4aed7e7a6e88952cdc569939dd852d7bb3d0b964db4ab32f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\vu313poh\vu313poh.cmdline

Filesize
273B

MD5
c0dcb9b70087be49a61a50e2c1097942

SHA1
c1a5adb0f9cd7148e2a8b06e241b87548ebb5b29

SHA256
758ad8f4cdedd703902d4ad6540dff6c2135b55c604b7f9cf06fd3eea5555310

SHA512
e4a77d162ed2277ddf046219165b8ab549debad07fdd70a6e518eccf07a7f64535dd7f1fd863074973d70767db1f16c3ed546e5c2cec322e803f85c5ac3a591f

Download Submit
memory/2580-0-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

Filesize
4KB

Download
memory/2580-1-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/2580-7-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2580-24-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-23-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing