a6dab7902ff7cb81dd907b2a21a0a6c518c2471db75ef04f6568c0a095f7e060

General

Target

a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe
Size

12KB
MD5

a036b44bd7663a0bf4b8cf9c4e86fef0
SHA1

aa3e57265d54e04136e2035df4a18b9670b30340
SHA256

a6dab7902ff7cb81dd907b2a21a0a6c518c2471db75ef04f6568c0a095f7e060
SHA512

78067682d69519465717b468e7d6ac95184fde6435adaddd8dd931a2881435234ee37f5ef59dcd120a1c6de9f8115d10b37423f164f0510b885b4c590041f1ac
SSDEEP

384:lL7li/2zhq2DcEQvdhcJKLTp/NK9xaDj:lxM/Q9cDj

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2528	tmp2C3F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2528	tmp2C3F.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2868	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2964	2868	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2964	2868	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2964	2868	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2964	2868	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 2580	2964	vbc.exe	30
PID 2964 wrote to memory of 2580	2964	vbc.exe	30
PID 2964 wrote to memory of 2580	2964	vbc.exe	30
PID 2964 wrote to memory of 2580	2964	vbc.exe	30
PID 2868 wrote to memory of 2528	2868	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe	31
PID 2868 wrote to memory of 2528	2868	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe	31
PID 2868 wrote to memory of 2528	2868	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe	31
PID 2868 wrote to memory of 2528	2868	a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xmf1htqo\xmf1htqo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E41.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2879EB487404E85BCDD5FD9EC48D2F6.TMP"
    3⤵
    PID:2580
- C:\Users\Admin\AppData\Local\Temp\tmp2C3F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2C3F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4e3c888040d9e4938adf4b5c73768a83

SHA1
56b50e053c1527f5cb0d13046582c13522147afa

SHA256
7b6e0a57d006e04d3f044e5932f6d8301f6ca39a92e4d05e941dca89aca8eb8e

SHA512
ae3d3c7cca3c7fc014eaa454c351f2ef340272d0a7b888cb7c18cd1a549033a54cd83fb38ed54cd0e2db9dabf561bb49e3642774d4e3ff16723d168dd89f90ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2E41.tmp

Filesize
1KB

MD5
8e3dfc302f77b251d9c42e5d1d47551c

SHA1
3899d44a50b8562e44b8d5e411764a0333a8ffa6

SHA256
689215695aa53ea7b67e6c56b4c3493268832225d23748e8491aff5c90aea871

SHA512
a5f6975895e08c5a031f2bde4d9307ff9aa9ca342547c2ee7c81802e06c732b313d3e30aebb8a480cc10610c841f0652a7637b14ea296d6708dfe91812f6615d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2C3F.tmp.exe

Filesize
12KB

MD5
10e2617546127f2ff0c0ee49704bb0d5

SHA1
c28f6723f560fd06221c6d483aa28c9235a1dc81

SHA256
66eb941a4455bf89c9dd791003be2d6ad7b8c582f99944eb97d9f3601fe23030

SHA512
1277f9fe9c39fe0244ff699fc677c739a9d72e623c1ad49e3cd587da45d4ff5e02ed3429d474793dc766102007e3d55f37efde4a1d3a61ec3e990599d1ca300c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2879EB487404E85BCDD5FD9EC48D2F6.TMP

Filesize
1KB

MD5
0f3cc67fa26196b1f6c86ee529648edd

SHA1
80d0c7f7128bd5b286282b859603adc23b8468c7

SHA256
683a436d6370ddabcec0918174499ce0aedb535e112b168ee71d320b021fe6cc

SHA512
09cb9816182dc81930df7473333a6fcd29e66e93e08e22f669fda6c593ecdea4719483f396037f9fcde5bd913826fa8387052e38b33944433050bd818c7cbfb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmf1htqo\xmf1htqo.0.vb

Filesize
2KB

MD5
37d46eb47345d4a552f60a135585fc8b

SHA1
1634ef5d3c0199abd71a6664b325e622f56b124b

SHA256
be816d9639966acd8cbd8f6c3a751bfa5386a4117abd4feb626408506f653ba4

SHA512
dfeea68ef5697f6523581216b832299a2c3d555c00c138564c323f1369f4c518e06f9d427729d49e581d02fbbfd728775a51c97722b48572f1c1f6c3205b50e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmf1htqo\xmf1htqo.cmdline

Filesize
273B

MD5
4fb784810d57c95874c2db0447308757

SHA1
f40a126bafc5125ee16f9ead159f8abe6addf454

SHA256
e0314f10aad767e7148f479dcd192e995cb1b493db3f277727616980deacadbb

SHA512
a7d471fb6c0e24ec5173ae30ba5403867abb2f15485c03acfaf998af85cd7556c788aacc296d54cb5ce192c0dcc6f1ae29f5abd435ceccc88920e9b925c9567f

Download Submit
memory/2528-24-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/2868-0-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/2868-1-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download
memory/2868-7-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-23-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing