7cd3647b0e93352d2cedd0103a16ef794b5618f20df6387eeabc8a013bdeb9a9

General

Target

10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe
Size

12KB
MD5

10e8917546bc43cd789a3135d5558830
SHA1

f45838965abc8b031970380cfe22361d0e796b50
SHA256

7cd3647b0e93352d2cedd0103a16ef794b5618f20df6387eeabc8a013bdeb9a9
SHA512

4282081c1bfb21bdb13b11bde62a5bfde9d9a8af86e3d84af3ef03ff8cae26e903f710f7a3057ed6cf67fc45d1edff484ed7bfb775b4d3df3333abfbd8436d52
SSDEEP

384:wL7li/2zDq2DcEQvdhcJKLTp/NK9xa+/:u/M/Q9c+/

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2652	tmp2711.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2652	tmp2711.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1704	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1800	1704	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe	28
PID 1704 wrote to memory of 1800	1704	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe	28
PID 1704 wrote to memory of 1800	1704	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe	28
PID 1704 wrote to memory of 1800	1704	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe	28
PID 1800 wrote to memory of 2576	1800	vbc.exe	30
PID 1800 wrote to memory of 2576	1800	vbc.exe	30
PID 1800 wrote to memory of 2576	1800	vbc.exe	30
PID 1800 wrote to memory of 2576	1800	vbc.exe	30
PID 1704 wrote to memory of 2652	1704	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe	31
PID 1704 wrote to memory of 2652	1704	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe	31
PID 1704 wrote to memory of 2652	1704	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe	31
PID 1704 wrote to memory of 2652	1704	10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pyr10qzs\pyr10qzs.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7423CF4F2D5C4491B8BFF7828B144B7E.TMP"
    3⤵
    PID:2576
- C:\Users\Admin\AppData\Local\Temp\tmp2711.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2711.tmp.exe" C:\Users\Admin\AppData\Local\Temp\10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
b30721bf350120da6abb907ecf5c4f8d

SHA1
2f1e4df02b055b2243422e3e8ee8cc7afbfd70a0

SHA256
a8d37aa41b633f8694e6bb74dd5cef9c6da95aa530017ddb02388946bceea050

SHA512
0426a14959b5e0bd1be90f3cf4f9aed8dcfa1b785dc7a69462d6e6325613b9da81051d43b2596f7408b1fd46e04154cd3152d2d726904c31de8c73d74b7eb6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES28B6.tmp

Filesize
1KB

MD5
21bba2b25a9606787818314415001026

SHA1
cde7968b8f41cc960a6458e441103b821d7c8499

SHA256
7893a0df6f12849117ecfdc75146fb1b74aefadd526fdaae566e6ee4a3b904e3

SHA512
85c5ae6031ec183b05097b6e6dca307f1d4e75f80282dc8475a190a480569e7e75a401d39dc2ed29df233618b91aa06c6e0f57a4fb4673dd482de6e458c38d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyr10qzs\pyr10qzs.0.vb

Filesize
2KB

MD5
85b1d5fe383e6b56195cf2ecbc313fc2

SHA1
8080e430b593d6ad12ce15e67bcbb3f1188dbc69

SHA256
b8fbe58f0e3318a0e380f2f861ce0f4cc0659f0c711e56720f4637bebba2088b

SHA512
4fc026071536c616105035b8c1d74fdf2743d77b535d0f3429f42b2d83fb0c7bce30c9e9ad100c36e62f37db94016f49a40736ebd9e47037701250c6c8359fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyr10qzs\pyr10qzs.cmdline

Filesize
273B

MD5
1c5d19956933cc3127188c3723a91378

SHA1
e41a98f8cdf1bba29031aa706da85a83e96eb581

SHA256
9600aa5b961da4c050334e2d09d9aefe24205c1b24a2d251288ebd7cab9cda27

SHA512
34a67aef15516d8310c7c7887b045879a414dd16a33b64b468aacfdfc292689889e60c76587056950e5c66266a678ea3f1cce79c6db2e5707ad921782726fa13

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2711.tmp.exe

Filesize
12KB

MD5
0f23a4dbf80b40b0537e20aab3cf5251

SHA1
4ef9c87f22de5e8d4d89ce98ac5c9823295267ca

SHA256
3aba75afb7021d79ea713860c8cc95a5f832244d4d49bed57cae2cf049bc6d38

SHA512
a8942a29d7ef4a4200bc6e8527028c455ef335a4f650e015459e3c403621616cbb5043ada96bda9c018e186e4aae7f11c3d2104378b755f0ea3fa793443aaa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7423CF4F2D5C4491B8BFF7828B144B7E.TMP

Filesize
1KB

MD5
6c32ae789f4c2ff6dd0b6e5430ef8fa0

SHA1
460a5523d5138369f1b147fd33c9186dbaf669c4

SHA256
b663cf080ccdbc823c1b35c2a1fa05833e335c38f968b6563d28d51cdfe82838

SHA512
c60cf8c2e48b28c5892a8f6be3c942ad058a0d2698308cb248f37ed2d3a379bd14a4d0085e1c51f768429242b57af089292c096f4c2e8dcb6bed0b438b699511

Download Submit
memory/1704-0-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/1704-1-0x0000000001170000-0x000000000117A000-memory.dmp

Filesize
40KB

Download
memory/1704-7-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/1704-24-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2652-23-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing