45f069da4b1091b44d2053fa462dda9d661dcc08755c6e8d9bc75a8a083d2130

General

Target

135a581809e4c6524cd94c306d5e2ec0_NeikiAnalytics.exe
Size

12KB
MD5

135a581809e4c6524cd94c306d5e2ec0
SHA1

fb1cc9b35f7348810c4399d7919124b7cf628ad4
SHA256

45f069da4b1091b44d2053fa462dda9d661dcc08755c6e8d9bc75a8a083d2130
SHA512

dfc683c552e8c8eb2d101a2b900e4337f586bc78b653f7008119b4fa93149a827a7e7cb3391989ee0dbc1b289768a5a31b74b5abd99f58f1c3788b2b6bd915a2
SSDEEP

384:OL7li/2z7q2DcEQvdhcJKLTp/NK9xaWC:YXM/Q9cWC

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2552	tmpBD4.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2552	tmpBD4.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2332	135a581809e4c6524cd94c306d5e2ec0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	135a581809e4c6524cd94c306d5e2ec0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2320	2332	135a581809e4c6524cd94c306d5e2ec0_NeikiAnalytics.exe	28
PID 2332 wrote to memory of 2320	2332	135a581809e4c6524cd94c306d5e2ec0_NeikiAnalytics.exe	28
PID 2332 wrote to memory of 2320	2332	135a581809e4c6524cd94c306d5e2ec0_NeikiAnalytics.exe	28
PID 2332 wrote to memory of 2320	2332	135a581809e4c6524cd94c306d5e2ec0_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 1840	2320	vbc.exe	30
PID 2320 wrote to memory of 1840	2320	vbc.exe	30
PID 2320 wrote to memory of 1840	2320	vbc.exe	30
PID 2320 wrote to memory of 1840	2320	vbc.exe	30
PID 2332 wrote to memory of 2552	2332	135a581809e4c6524cd94c306d5e2ec0_NeikiAnalytics.exe	31
PID 2332 wrote to memory of 2552	2332	135a581809e4c6524cd94c306d5e2ec0_NeikiAnalytics.exe	31
PID 2332 wrote to memory of 2552	2332	135a581809e4c6524cd94c306d5e2ec0_NeikiAnalytics.exe	31
PID 2332 wrote to memory of 2552	2332	135a581809e4c6524cd94c306d5e2ec0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\135a581809e4c6524cd94c306d5e2ec0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\135a581809e4c6524cd94c306d5e2ec0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zpyy25lr\zpyy25lr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc640783AEE92A4EDD93CB8E339F2A9396.TMP"
    3⤵
    PID:1840
- C:\Users\Admin\AppData\Local\Temp\tmpBD4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBD4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\135a581809e4c6524cd94c306d5e2ec0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
e069b756e3a5bae4594d604ab887e6d7

SHA1
e8fe1445db8b23a889876e52c309c1308fa2c287

SHA256
115c42c519345d0108659dd93bab1bbd1a51ed6e3c61f173a939c56ec4065763

SHA512
b0649006cad260b0c0938760a9a80f04af649d7bd5db29ead2c68c0a7fb50ec2a5eff3f6570805baf3b0cd53be35d7c140cf14a54d853a62d1398fad73c58f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCCD.tmp

Filesize
1KB

MD5
74fbf623bb7f02d87b21adbb6212668f

SHA1
02949ac211f68a6348342c4eeabee8a548a8a8c3

SHA256
9da94faca6e228839bc0aa545ac1491f01663a9941aef7b0117b4383f81833ca

SHA512
6a4c79ce97ca37fea5da32940c1f14f2709f8fda449f71579bb6b6b9c72984cd471544173d91988443db413af6b35386b948ea799708aa51d926d86ab86bc08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD4.tmp.exe

Filesize
12KB

MD5
0f520137de13ac86cecc829ed0e7e943

SHA1
309b24b585d37e5134214e9f3ef9f766dd6cd1e9

SHA256
07cf8438cfec90dbd9f5174cc7799768c3cbf59e6e6c27e8255b7236aee6ed70

SHA512
852c21f04ead1e0a569e0e748ac2de9e1ef36a7793ec693d6773165ed69cf420c9169386132926cbeaa5f415325d8cf78f71a0d6a3fddec599419db9c60f9cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc640783AEE92A4EDD93CB8E339F2A9396.TMP

Filesize
1KB

MD5
4fbcd83bfeed6ce6b3d577e3c3cf0ed8

SHA1
92ee785280618bc9b6136679537a61158fe69be8

SHA256
1d8cffb63d98189ecf6de08a6f8ba1ec4fa228dfd974259812259aa835f5b431

SHA512
9d5a7b6f47f03159b76e32bc3cc7822e6504aaa8add58d96f96685a3b7f72f0897c2417e815198c3df3bc5f13da60e7b42957c54f42bd81d61afaecb2854effc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpyy25lr\zpyy25lr.0.vb

Filesize
2KB

MD5
512a7811c39534dae24086b0415a2aac

SHA1
d0ed883d6d474f5460bb1a7fb9c71aed7d0430e7

SHA256
61c1d7566f41fb7b00a9cb6934716be68863d06cca722da4e93dd251d49697f0

SHA512
1d359c169eb68ba30b90f88fe5f1c2d2aab5333a28d1c7daceeb5b1f90ec5814084211fdacca23cdbce01cd6bec6ee81933c6d300dcee66c978b0f740614bc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpyy25lr\zpyy25lr.cmdline

Filesize
272B

MD5
9e81d8138c216833ce3ae8503339738b

SHA1
8a7009412a168f787bb893f6039ea40445ffba3a

SHA256
62533b0c98423966d8799049072ce7ba18a41db4676fd4a8d06c3b8fa50b66cb

SHA512
44fe45992766f8d11902050c8644e066a3553e836ef1d86d444c98df2517ac4b197eb3750fa0f1ea3e06d1b48a9e21c448b46d08a0a4ae89df8ddea1be54bf5a

Download Submit
memory/2332-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/2332-1-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/2332-7-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2332-24-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2552-23-0x0000000001280000-0x000000000128A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing