cd4f6c1b6c434e5a36b52d0e10e7377ba234746433a0994d0d7cd43a2e27a90e

General

Target

a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe
Size

1.5MB
MD5

a37e2653b9c59983481c06ac6ffc1096
SHA1

53059e9281356d91871db620329fc232b2dba1b8
SHA256

cd4f6c1b6c434e5a36b52d0e10e7377ba234746433a0994d0d7cd43a2e27a90e
SHA512

4e08db974c0ca2ead351bfba8e3b4a519ebfafc75ef126dacf2c4eff35e71d6fb3c50a6ca4870edb48d8b047e1fa5248f0e0581e14cbed72984ad474dd0b9fae
SSDEEP

12288:XwCXnLquXU99ICwj7xrcqPkePh+RvMaBlYJQCe2m9Or:AFn9pwjFMePh+RpBlU69Or

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2604	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2948	juufjev.exe
2552	~DFA1AB.tmp
1100	kuulrev.exe

Loads dropped DLL 3 IoCs

pid	Process
2212	a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe
2948	juufjev.exe
2552	~DFA1AB.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe
1100	kuulrev.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	~DFA1AB.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2948	2212	a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe	28
PID 2212 wrote to memory of 2948	2212	a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe	28
PID 2212 wrote to memory of 2948	2212	a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe	28
PID 2212 wrote to memory of 2948	2212	a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe	28
PID 2948 wrote to memory of 2552	2948	juufjev.exe	29
PID 2948 wrote to memory of 2552	2948	juufjev.exe	29
PID 2948 wrote to memory of 2552	2948	juufjev.exe	29
PID 2948 wrote to memory of 2552	2948	juufjev.exe	29
PID 2212 wrote to memory of 2604	2212	a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe	30
PID 2212 wrote to memory of 2604	2212	a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe	30
PID 2212 wrote to memory of 2604	2212	a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe	30
PID 2212 wrote to memory of 2604	2212	a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe	30
PID 2552 wrote to memory of 1100	2552	~DFA1AB.tmp	34
PID 2552 wrote to memory of 1100	2552	~DFA1AB.tmp	34
PID 2552 wrote to memory of 1100	2552	~DFA1AB.tmp	34
PID 2552 wrote to memory of 1100	2552	~DFA1AB.tmp	34

C:\Users\Admin\AppData\Local\Temp\a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a37e2653b9c59983481c06ac6ffc1096_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\juufjev.exe
  C:\Users\Admin\AppData\Local\Temp\juufjev.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\~DFA1AB.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA1AB.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\kuulrev.exe
      "C:\Users\Admin\AppData\Local\Temp\kuulrev.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
307B

MD5
3ee13b8cee0b825b9036f933dfa86fe1

SHA1
e8a0d316b1aa69ce09ba29b9ee6616c305ae16f1

SHA256
b1277a2a0af393178d0b8896abccad5a08a741253c1ec1cf16ad9abe24b283c2

SHA512
350c04aa1dfab741ed9b4774cb1cdc6a30f2f103e962930c0d65d8572256f48db19ecf01164ab7126d659e6ec6ecb05149f29ee25e8cd5c1e8f67970feeade10

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
4d35bf54cfa446cb22c15936c1a3b89a

SHA1
fe003c585d4a4fb6fec6e2e2b28d736b276da16c

SHA256
de828657acb6967ca2e0c68b0478ea10fe6f8dae418ea899d2553461171b7e1f

SHA512
a9aa856d03dea6d832ab556e470eba2a319f4d8fffcae1d6ac2a72f1988c3a32bedefd58e2d5319c5a69b942c2bce56a6bdbc2c17270c3716d7c1f638eb4cd11

Download Submit
\Users\Admin\AppData\Local\Temp\juufjev.exe

Filesize
1.5MB

MD5
b38150092222716750aa204ae164f712

SHA1
7ef293cf2d428dae00dedbe575720d27b51c5fdf

SHA256
ae216c50d41b82ac21deffaf455e785a173068b40e220d6da61b585dd021980a

SHA512
3d093dac39e66dc47b59ed31feb3e6b121fc123922d089e711752fc12e60d5d75ac9c4c93c358a96493d949cac4db0abcbc001cd7846704d3b10a8169e7d5ef4

Download Submit
\Users\Admin\AppData\Local\Temp\kuulrev.exe

Filesize
395KB

MD5
d2c06e608c08a4baafdaf3c74a30db51

SHA1
3a0ff1d4aa919164361064666f2e24edda75b8d6

SHA256
ce18c1b5866d5117fd539c7032c834cc98916901c5ff708d3ddaace9e174427d

SHA512
d19e7b717d9e42c2d35977c035da14579ee93ad47f551cb913c1fd8aa4ac058a9251767299fb21d467411b6498b75ed9cedc2e9d906da0c9ddd30da45ef928eb

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA1AB.tmp

Filesize
1.5MB

MD5
971941901686d16f33812fa09d43b3eb

SHA1
e3188bee445d150e5eb23d83310ea291672d8f9b

SHA256
f8e62120d5254503510ba9bdedc9269b4bbe215c5f6e6fc5c41a31001ea16dd5

SHA512
a851613cbee7d67be7e1046cbf6b0b86e57752925b46968bf776e3ab4383e0abd6613ed2f2c41332e1d2b59f75c738e4b3b47d757d9ec7d17b7db428b93ab50e

Download Submit
memory/1100-40-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1100-38-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2212-25-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2212-27-0x00000000004E0000-0x00000000005BF000-memory.dmp

Filesize
892KB

Download
memory/2212-0-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2552-29-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2552-36-0x0000000003590000-0x00000000036CE000-memory.dmp

Filesize
1.2MB

Download
memory/2948-26-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2948-16-0x0000000002C80000-0x0000000002D5F000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing