84c7949f2d5e6e755d54dda67dda9650f709eafa3770b2081c7ddf228be36d14

General

Target

cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe
Size

12KB
MD5

cf7ddd1cb3e997744b015a897ed35e70
SHA1

69a09c2f2b42b804e78f702432c3fca7c7f52463
SHA256

84c7949f2d5e6e755d54dda67dda9650f709eafa3770b2081c7ddf228be36d14
SHA512

164d330414bd3aaff7b1d92d23326836830b7f161c6b4fb03e515fc026ca9ec6715b6500695c6ef4296f3f70c4c1f093bbeee478fed5ae465497de18f10ac862
SSDEEP

384:qL7li/2zAq2DcEQvdQcJKLTp/NK9xa90:0UMCQ9c90

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2588	tmpD0C.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2588	tmpD0C.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1860	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2264	1860	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe	28
PID 1860 wrote to memory of 2264	1860	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe	28
PID 1860 wrote to memory of 2264	1860	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe	28
PID 1860 wrote to memory of 2264	1860	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe	28
PID 2264 wrote to memory of 2720	2264	vbc.exe	30
PID 2264 wrote to memory of 2720	2264	vbc.exe	30
PID 2264 wrote to memory of 2720	2264	vbc.exe	30
PID 2264 wrote to memory of 2720	2264	vbc.exe	30
PID 1860 wrote to memory of 2588	1860	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe	31
PID 1860 wrote to memory of 2588	1860	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe	31
PID 1860 wrote to memory of 2588	1860	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe	31
PID 1860 wrote to memory of 2588	1860	cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ptxv2fbo\ptxv2fbo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc944D33B3611848768FB643D01027DD97.TMP"
    3⤵
    PID:2720
- C:\Users\Admin\AppData\Local\Temp\tmpD0C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD0C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf7ddd1cb3e997744b015a897ed35e70_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4b215f4feba3705e9405697ca014baef

SHA1
8f0cc10ae1d95eab867a75d2b56d9b30d0137d8f

SHA256
26833e90459c4580b15d84df1224b34d779abcde045f1fd6c14382879111070e

SHA512
bf5928475db9cf3f16c93c6891e01d7074a170ef7e48cf0603f5fba93598d6f65869e8173ca275a70fd5a2ce2505a49b8eb5bdab962619605c1505dcd6d32a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEA1.tmp

Filesize
1KB

MD5
c50073a302df1e103d39167c2da09f13

SHA1
26c7cc8f683bd3e4b6c20d13fd9a97463b771c49

SHA256
97527f0b2709fc11c4990f288e12eb8f6bfb0034996c7988faf92f76188be664

SHA512
22a2ce8cb9f93f45e5b291deacfecf0a21c4fcd0b5f83b7a5c1e35358282897dee09a384fc8bfbb8adeddbca3a6f1064892893b1b3138359eb4d37cc7825fd83

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptxv2fbo\ptxv2fbo.0.vb

Filesize
2KB

MD5
06db6c094be9241427eaa19ae1767077

SHA1
ffa7d6765d7df2bc06b695789ad16b86ec159be0

SHA256
26c60bffcfa069721089f41a08be0ed869e544e68ce3fac625139128023cadc9

SHA512
80798aaeb55af2991918e500316869de1b9a63f9a8b052b68ddad54df292176f528a12c081e9ebd45644b4dda1138264d83104bf3a92f1fb532ffea5ab14953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptxv2fbo\ptxv2fbo.cmdline

Filesize
272B

MD5
6871e59956b523b326013c8f672c10b3

SHA1
8051ae919ca9e16af3c9a4582263645a849f6c1f

SHA256
cf38aaf7dfe30f93bb2e30df8c0fb18de2d11fe75d2d61b34ba0166c290b0736

SHA512
ea45d837182f25dc2b07b825669fc54ed761a5903dd23964f382462917dade32fac72a1d2c4db2a14c82b7e7da0ca49e2b8a14d464bdf3143dee702ac132e4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD0C.tmp.exe

Filesize
12KB

MD5
05d2eb02acf5e44de6cd1853fe77c3f3

SHA1
6950db304476348ebfae722872f19e3b8cd92f97

SHA256
9073715b38f54cc200ec7ed5baed5bfd21c499637a6dfe02cb5b0587c7e61177

SHA512
ca87871acc300c66fc63a4df50d99aa1fdecfbfd68d2a5084c8c4bcedf714aebbc9a7bfaebef210a4e042743a681b2853abaff5f2e99d82f86e760ea8fdb76dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc944D33B3611848768FB643D01027DD97.TMP

Filesize
1KB

MD5
625447e84d36e340655a24cfecbdde70

SHA1
00dd9de501d54063172b5e8e3962031715e29933

SHA256
f88d717453d004c0557ca3a73711b619c82b59b3c516898d01dc76269689b9b7

SHA512
0460f4820be8be2aaa28aa5ef70a645ec7bb7abe80b109a1c6e8ee4492b4ad40fd08c4a07036d402ddf2d6d70ccece33aa0b7ad1230da9b5c8d66d9179444cac

Download Submit
memory/1860-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/1860-1-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download
memory/1860-7-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/1860-24-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2588-23-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing