7f4e9f4e7aefcf89eddbbef85ab7f5a4c46282b4948beb5bc7f0049487cc216c

General

Target

4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe
Size

12KB
MD5

4f9ab3609afeb52e8bcae2bc075f3ba0
SHA1

aa570248055a1d813d6f120c3fea1e850413c4b3
SHA256

7f4e9f4e7aefcf89eddbbef85ab7f5a4c46282b4948beb5bc7f0049487cc216c
SHA512

f11e1d74f536312e4a9ed74caf311f4666609871a0e2c6c7f296fa9c7b9b5ee20888bbc09fd8eeb09b9b38ed4b0f29d4865531619842f2b9331ba437973c3f66
SSDEEP

384:aL7li/2zKq2DcEQvdhcJKLTp/NK9xa3v:EaM/Q9c3v

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	tmp26A4.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	tmp26A4.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
848	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1788	848	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe	28
PID 848 wrote to memory of 1788	848	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe	28
PID 848 wrote to memory of 1788	848	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe	28
PID 848 wrote to memory of 1788	848	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe	28
PID 1788 wrote to memory of 2608	1788	vbc.exe	30
PID 1788 wrote to memory of 2608	1788	vbc.exe	30
PID 1788 wrote to memory of 2608	1788	vbc.exe	30
PID 1788 wrote to memory of 2608	1788	vbc.exe	30
PID 848 wrote to memory of 2708	848	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe	31
PID 848 wrote to memory of 2708	848	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe	31
PID 848 wrote to memory of 2708	848	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe	31
PID 848 wrote to memory of 2708	848	4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0t5p002r\0t5p002r.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2868.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc161950CFF1B9400FA2328315DE7613F3.TMP"
    3⤵
    PID:2608
- C:\Users\Admin\AppData\Local\Temp\tmp26A4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp26A4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4f9ab3609afeb52e8bcae2bc075f3ba0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0t5p002r\0t5p002r.0.vb

Filesize
2KB

MD5
b201ca00e3e7b1019cf2b1f757193412

SHA1
9bc338896caa1f39f29d2a4c50fbaf5ba5aae7fe

SHA256
94f946554a3a2acfc3ebac8956035c8a03847404d70b959b0fa4014bc9455e09

SHA512
cd7a3ca66b79b97bf0d356a859fdb3db52091327fa2d3685b2931f091ccab887c3b3ad2e2049da7772d7fc9ee7ab7a07a89b57811cd61b42e251673a1289fdb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0t5p002r\0t5p002r.cmdline

Filesize
273B

MD5
371d8cfae5e0037efabf4b1e75adfbf8

SHA1
38adef352df070a67b6bbec548f1033a22e30039

SHA256
140ad0183d9224b43ce0d3707ad4a04b38f5496cb79993b0ac2fbdfad28ae3a4

SHA512
d72d331932337df861845fe2bd179ae1d8ae5f66de9d606b2e66a20ff781178171cb4e73286b296f41c38789cf05aad90ed95938ca683f1b175532fa684027a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
6dd82777df79f49e17f057de40212e0e

SHA1
628a017684155292fdc2e3344c041202a963274f

SHA256
3ec5b01fd472d87acbd1745f0c8fe1a38fb7f5da0afacb85c617f53fddb013bd

SHA512
7827d86a5948a2bcddb3eb8d9eaee89e20878fc21b200bef6e367e819c05a69d99a1b098f68f5367cdc9d7316bf45bdd06ee03c054a6307a63f05cf50e4ddf15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2868.tmp

Filesize
1KB

MD5
f04114ac0ec662e65fdcbb388212c733

SHA1
6da6445ba05de953c3d0b1a85a5fe754e396d50d

SHA256
ba753765f89887dc673602fecfbd9a056435584f353a6ed535db8088a252d79b

SHA512
681eaa055227607b7dab43d3be6e9a6bb77dc6080b2423c147a21d4e06247292ea2c53226aeabdb1fb27475be402375ef3a310ab7e9512b52499bec5ea6d9a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp26A4.tmp.exe

Filesize
12KB

MD5
fa86f9575f9c393ada76d594d8c0db1f

SHA1
dd47070f7ed2eed653af3f8e76323988cab63e7e

SHA256
9f2c102de8e4c99d027f05c86f5575b9c8b3eaca4db09ddb2ca79ac2645e0a5e

SHA512
9ba87fb9514ed49ed5ac146a464574a1ec5bb7a88cb420f50740d7298bb2a9353d9efaaec7722e3991eef0671371ee2b4617208b500a9f0a4f7145b52bfde564

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc161950CFF1B9400FA2328315DE7613F3.TMP

Filesize
1KB

MD5
9b99bed0a4af85da0eca5510a3e7c881

SHA1
5ac6e6a5c46a28119615c88229fc8b7155f5d628

SHA256
b40dd188652127bf8861a937dd45e0d354d7b83f65f4959eb8e4d6365fa4c30c

SHA512
27c0f0393b273f3db0efe7bd2b4aae83172415bce59dff507811507f5befb953df2e8812c21ca89cf82b1f2822767b707fdcbb1626bf37de201de592afd57603

Download Submit
memory/848-0-0x000000007425E000-0x000000007425F000-memory.dmp

Filesize
4KB

Download
memory/848-1-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/848-7-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download
memory/848-24-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-23-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing