97664cecd758e1a4a64ec2a4d91168884805c8921d13c7837090d4d4c5ec727d

General

Target

0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe
Size

12KB
MD5

0772bbcbf7c04c4c2279bebe015029f0
SHA1

a97ee7848579fd3acb2433b5d8b9bd371a26eb73
SHA256

97664cecd758e1a4a64ec2a4d91168884805c8921d13c7837090d4d4c5ec727d
SHA512

5985d5056ade14ac85dd7b1854bdcdb7bf37d46a0c230f00d77a9dd500d81580d6b433be6cb115ced97beb1937a09b8753d1bd0aab43d5258aede7ae99697ade
SSDEEP

384:jL7li/2zisq2DcEQvdhcJKLTp/NK9xaa9s:neMM/Q9ca9s

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2720	tmp8C1A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2720	tmp8C1A.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1760	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2528	1760	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe	28
PID 1760 wrote to memory of 2528	1760	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe	28
PID 1760 wrote to memory of 2528	1760	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe	28
PID 1760 wrote to memory of 2528	1760	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe	28
PID 2528 wrote to memory of 2780	2528	vbc.exe	30
PID 2528 wrote to memory of 2780	2528	vbc.exe	30
PID 2528 wrote to memory of 2780	2528	vbc.exe	30
PID 2528 wrote to memory of 2780	2528	vbc.exe	30
PID 1760 wrote to memory of 2720	1760	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe	31
PID 1760 wrote to memory of 2720	1760	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe	31
PID 1760 wrote to memory of 2720	1760	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe	31
PID 1760 wrote to memory of 2720	1760	0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i1ukaire\i1ukaire.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FE1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCAFD7AFCFBE9484EB59D8B8921E5D527.TMP"
    3⤵
    PID:2780
- C:\Users\Admin\AppData\Local\Temp\tmp8C1A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8C1A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0772bbcbf7c04c4c2279bebe015029f0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
45754cd8863b32262d8efd38d4dd19ce

SHA1
fecb45f3059726d729fed067d56f6d04a425d026

SHA256
f7a2b8737826f55bef00109ce2a5a19249a7ce68198d5aac638fece8fcb631f6

SHA512
a8e0aa12fbe6e5724789a89a295aa4f95529b5db0d359c8041b08218379fb3955923d3b9501e22dc099b0bf599df7ca8f18a73842eb51bbecf3ae829f653e043

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8FE1.tmp

Filesize
1KB

MD5
6dbb025a8789a99bc93a488c91e937e5

SHA1
1d7ba5e0355a9b757e8698940b77231ddd28ff26

SHA256
71d0b21c25499a754da512b82bd4362e7c53d338ebfcd29ae3419612c8d69857

SHA512
a83ac8ea98b789d855783dc4c2d6b40abc6ae6521b8764104b0f7215a0c989039835e01fcdc60230ac986e6a2fd8ae44acff07e50cddc8ece7b4a92c34d61a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\i1ukaire\i1ukaire.0.vb

Filesize
2KB

MD5
af258c7957a0cdf1dbfb648fc49a40d7

SHA1
0b99f74a38bbcc26c065fc63dca463fabfaf0d8b

SHA256
5f02ca8e99b305d83007b63dc4ef1dccc72ea0fcec28b61e7c288f337456ee7f

SHA512
cf2457b361beb7af52ee1be5b78f7c0e401e394ee1f6f096a0067262a69873de6c23754989a4e1a4a68418be92cfbd9a53c5b7c8c1f67f1b965bb8ac23e8d2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\i1ukaire\i1ukaire.cmdline

Filesize
273B

MD5
2198b0865d3d5035ffb0413da96caece

SHA1
5c075e062e991f1e68e36bbe1713db0deff63ac2

SHA256
a596a4c849aa75d66f5bd7b9c71a86470326f048b2f1be14cc78b57fa027fffc

SHA512
594371885c5ce1446f45b9fee1ac59308879df4b4880a5e0476a4736a6fe2236550b93c1d23afcee2ea0f076cbb8a77325d4444a054f24630d58edc0a707ec03

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C1A.tmp.exe

Filesize
12KB

MD5
ce92ddc1702994fd6dc2ef4bd298ba89

SHA1
043192b730db2531a0f934b4971491a78519936d

SHA256
3ffe370ef201cac3b4e62b24bfde46fafbdbe4339d05a4efd382fe311f58328b

SHA512
f5c5108b89d470b599478f379a0327de318f115ba0b4a49abf1e52046235e4a69d8896bf2cfe9c1ac226bbd722b1b61161201949fda80d97f8aa9448f4e98137

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCAFD7AFCFBE9484EB59D8B8921E5D527.TMP

Filesize
1KB

MD5
7cb3e8a5db5fc9e67fcc354eddb55d8a

SHA1
534919bafad29904284326e8f676ab092295d7ad

SHA256
6588fc4aa24b4a811954d0cc43c95dfb58887f5931c67045f906c9d1b994394a

SHA512
2155d796d397c511b051803f76b14299e2c38644b05b2b1b5291040e0aeabf3dc9bb16aaa8457da3b8bb6b71be1aacc75c69d6c0dd103dcbe28e4a35e9ebd9cd

Download Submit
memory/1760-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/1760-1-0x0000000001350000-0x000000000135A000-memory.dmp

Filesize
40KB

Download
memory/1760-7-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/1760-23-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-24-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing