260b5defcae4c7a5056e4bf11fa92c4bbe56248eafecac0ec9b14b2b8e3fc1a7

General

Target

996c26f08233fac4284ed48ea7f3b160_NeikiAnalytics.exe
Size

12KB
MD5

996c26f08233fac4284ed48ea7f3b160
SHA1

94e48c17a748f7f7e8ef0818d2a0a65977415b16
SHA256

260b5defcae4c7a5056e4bf11fa92c4bbe56248eafecac0ec9b14b2b8e3fc1a7
SHA512

667aac65f964273a14145fa3a94dd7890ecb6279a4f0741e8de0595dbe8c7ea0f8e915aa277b98cdf11cd588d8538b8a5a40b955d5fd5d9d9dc013c4320fe631
SSDEEP

384:1L7li/2zJq2DcEQvdhcJKLTp/NK9xaA/:VpM/Q9cA/

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2064	tmp11AE.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2064	tmp11AE.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1904	996c26f08233fac4284ed48ea7f3b160_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	996c26f08233fac4284ed48ea7f3b160_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2168	1904	996c26f08233fac4284ed48ea7f3b160_NeikiAnalytics.exe	28
PID 1904 wrote to memory of 2168	1904	996c26f08233fac4284ed48ea7f3b160_NeikiAnalytics.exe	28
PID 1904 wrote to memory of 2168	1904	996c26f08233fac4284ed48ea7f3b160_NeikiAnalytics.exe	28
PID 1904 wrote to memory of 2168	1904	996c26f08233fac4284ed48ea7f3b160_NeikiAnalytics.exe	28
PID 2168 wrote to memory of 2600	2168	vbc.exe	30
PID 2168 wrote to memory of 2600	2168	vbc.exe	30
PID 2168 wrote to memory of 2600	2168	vbc.exe	30
PID 2168 wrote to memory of 2600	2168	vbc.exe	30
PID 1904 wrote to memory of 2064	1904	996c26f08233fac4284ed48ea7f3b160_NeikiAnalytics.exe	31
PID 1904 wrote to memory of 2064	1904	996c26f08233fac4284ed48ea7f3b160_NeikiAnalytics.exe	31
PID 1904 wrote to memory of 2064	1904	996c26f08233fac4284ed48ea7f3b160_NeikiAnalytics.exe	31
PID 1904 wrote to memory of 2064	1904	996c26f08233fac4284ed48ea7f3b160_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\996c26f08233fac4284ed48ea7f3b160_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\996c26f08233fac4284ed48ea7f3b160_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\csoy0ytv\csoy0ytv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12D5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBD4BAAE753684F039D409CE029F6E863.TMP"
    3⤵
    PID:2600
- C:\Users\Admin\AppData\Local\Temp\tmp11AE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp11AE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\996c26f08233fac4284ed48ea7f3b160_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4f6005f46c010c0dacf90526b36dc4ac

SHA1
c44f23af36385257ec32dc9d644f30b5c131e8e2

SHA256
f5e901aa0925f8700734d5ef54bcc629ab44eec0328c8cec075a9717aa794608

SHA512
0d3220e540f9f0f548f48c95e4c9f70fbb912f92edf998caa53ca6c5551f4b183681a37f0f86a24932d9c7052f70fab779fc0741f70b0b608aae7b707353ab05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES12D5.tmp

Filesize
1KB

MD5
5dfd4d6f9203a54f8845e4e155fd839b

SHA1
c6c457505b40a00d7d33bc41c2af6a40e5b443d9

SHA256
ac019d2291912a5d8c40bb441cb16d20867587f4d615d2753eda9bcc604988ab

SHA512
a0f88c62af5788d67438c38f682b76d1023564056a30c9888f82699d90e844001d6611b7bb743da5fadc96485e135486a3d2cf8eafd10718a997099b91c223ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\csoy0ytv\csoy0ytv.0.vb

Filesize
2KB

MD5
e5d36ac005935c318d49215725061c2b

SHA1
bc80673d002c681d86f204ff24f3d0c4f9857fe5

SHA256
fb16d4af38a12e47a620192d0331afa6547df3ab6a45155b2fe3f2e98a2129d3

SHA512
b1bf1a21fa65d3b9bc2e2c67cdaef48074898bd051e970acbb68e504bd14c0044b24a3b414c76bf05d9698ae58324c46cc5a2224be1d30c0925dfb94eb5b0a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\csoy0ytv\csoy0ytv.cmdline

Filesize
273B

MD5
08b868ad6511d86defbdca5c380e198c

SHA1
1105ff0287c994c61c4f123d3502096e5a782b6b

SHA256
dc9bf8a882cb5e1903b888260d1d29dfc2b947b6936b85fa187a0250c0e8d3be

SHA512
6fb0b685f4e1826d80d2a10ecd90cdfa1ca66780f990df19cdb51a0dd38aff148a9cc5d31cfa3369f37296e91177f1a53f20626ec53540421fa9668cec59dc92

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11AE.tmp.exe

Filesize
12KB

MD5
3fad50dec1c76fdf3fc2ccdff9d65105

SHA1
da6af10f006047b8765de32b1319d09fd7b1b75f

SHA256
9d7274128aa34bd5308db5a38f5601a20dbd319492dc74ee6b4e77faa9d82908

SHA512
9f0219212c0a828ab68260624c6f9fd068b6189a0803b9eb8f51bae4d58580349138f3b95e5f98adf5e4fd394554799277e34a6865214180f1ecb2256890270d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBD4BAAE753684F039D409CE029F6E863.TMP

Filesize
1KB

MD5
6babed89ccd1808f2945c26a84b7b5e0

SHA1
48083ebd75df8adc8ab9ec3274074dc4a9ff2286

SHA256
f7b0c4d8489eb7446318058efaecc6bbc533492273d136197cc12f486595b420

SHA512
d39bf9338039a53e818e022e0763b839180da28698ac766b6a5820e0d5399f1616297d3c59d0bbb4086b9f11cfee3b44cb91bd4c06d57e79f03158aa25a5a11b

Download Submit
memory/1904-0-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/1904-1-0x0000000001010000-0x000000000101A000-memory.dmp

Filesize
40KB

Download
memory/1904-8-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/1904-24-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-23-0x0000000000D70000-0x0000000000D7A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing