678a9e0f6907b201d89975a23139c7e9b56fa092e071e67fd1073d82e73730f9

General

Target

e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
Size

12KB
MD5

e3d56cb8a1888a094bd62f0c55b20120
SHA1

1deb91560f6f2d9df5c1e554b14cfd4ab0081bf3
SHA256

678a9e0f6907b201d89975a23139c7e9b56fa092e071e67fd1073d82e73730f9
SHA512

323d46ca80409e87bb7b26ea0718749e2f0c3bbadc4a8ab413d37d50fade5d17958b38b54e450d16a0cbc47390bf48706edf6197d919dbf59f84a1edd481f4c5
SSDEEP

384:cL7li/2zTq2DcEQvdhcJKLTp/NK9xaqd:6fM/Q9cqd

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
872	tmp1F93.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
872	tmp1F93.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2724	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2496	2724	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe	28
PID 2724 wrote to memory of 2496	2724	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe	28
PID 2724 wrote to memory of 2496	2724	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe	28
PID 2724 wrote to memory of 2496	2724	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe	28
PID 2496 wrote to memory of 2544	2496	vbc.exe	30
PID 2496 wrote to memory of 2544	2496	vbc.exe	30
PID 2496 wrote to memory of 2544	2496	vbc.exe	30
PID 2496 wrote to memory of 2544	2496	vbc.exe	30
PID 2724 wrote to memory of 872	2724	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe	31
PID 2724 wrote to memory of 872	2724	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe	31
PID 2724 wrote to memory of 872	2724	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe	31
PID 2724 wrote to memory of 872	2724	e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4rzhffo1\4rzhffo1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc956E107DBECB414AACC93A5DA6394085.TMP"
    3⤵
    PID:2544
- C:\Users\Admin\AppData\Local\Temp\tmp1F93.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1F93.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4rzhffo1\4rzhffo1.0.vb

Filesize
2KB

MD5
1917ea283c54057cbfc470621710dcea

SHA1
bfcdd3c101e1086d0656e8a3e066df25c6aa4016

SHA256
5c975a00aa6e0f1f1899ea1699f1ade975264098bf433fc549c8944cd2c7ca67

SHA512
c95fb08df95d54738cfeaef974902d3b6e766a0317f8af73ce50393a4b68c426589a5352288edb9bee5dbf8c3fc90f4c15f5362e4bfa5545966bf03dc19c84cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4rzhffo1\4rzhffo1.cmdline

Filesize
273B

MD5
f832be721751190d509d2e40b2d71e15

SHA1
92a0a70f804252e9b0b5c2de208ff5d8ef7c8518

SHA256
f569a13dc3de0a458fb03049a0bcc791cdd8444fb1f94835c355cf9abf434f0c

SHA512
1d9e161a48d63cc39f059cbd5140ddac88960118998f0a4e480fea936bc371de5e537bea5cd4b5cb451bb56f058bd8b72ec114df30f545dc4f9c29d57f246a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
72cfea5b9ab0d00615f9193af27751a9

SHA1
d0b99400510e2f4b280c9876047fa389ff660bef

SHA256
9f02c33cc7f6037aadff6820ae87e53c1fd6a362866536d48b0b2f2fcfc840f3

SHA512
a4bf2c20b383e86bdacf8e1cb877bdbc187c70d18dcdef9c4f064485563d108af35a727f72bf7735b7d96801980319e2a606c61d3639fef85033a74988409b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES20CA.tmp

Filesize
1KB

MD5
ab82738548c36bba9614b7835237e379

SHA1
88f96dd3d197a2ca24d4482bb500c659f84cb700

SHA256
2e3e8515f811950bd1557412748b33084556a857de84d633211d931718ca7d78

SHA512
ab93f9133d38983c07feabce7260d959045e909676d0681f36ec2ec870fac18fb2d84da367ea556b078291a073edda6ba91c4bbad42a662fd7dc8440454ca3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F93.tmp.exe

Filesize
12KB

MD5
fd86a4a2d3eb81ecca777e8a61a23acc

SHA1
ed490138594cea9104298db1f0d96c60c9b3a5a7

SHA256
4664dc467b64b2bda85949d14c8bd2dafe36385771a59d473238ba2627845e0d

SHA512
dda6a4917b8f504eca6536c6134f7e63166c046958a4e5fb4d8f2be047bc7590374d4588bdbd2d908fc6d595b41fafe3790b7e4aac57700084d49ba3a96b67b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc956E107DBECB414AACC93A5DA6394085.TMP

Filesize
1KB

MD5
92c4c18a585fdd7e5b5937629f632116

SHA1
0a229bd1e9d1b2be81217ec86cd7dcb4fc9a55f9

SHA256
01d05348d45bfa07f7b9db9f439956134e18c813302075da43751c10f0bddf31

SHA512
0f3687bd3e8070c1ddc49db2daaa912de437d126434bb4a543ca958fc70f538a41d0af0ea0e5cf99a36cf072450ed6d0abcc497af5233d3f95158ed662e552ad

Download Submit
memory/872-23-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/2724-0-0x000000007419E000-0x000000007419F000-memory.dmp

Filesize
4KB

Download
memory/2724-1-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

Filesize
40KB

Download
memory/2724-8-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-24-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing