Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17/05/2024, 08:58 UTC

General

  • Target

    e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    e3d56cb8a1888a094bd62f0c55b20120

  • SHA1

    1deb91560f6f2d9df5c1e554b14cfd4ab0081bf3

  • SHA256

    678a9e0f6907b201d89975a23139c7e9b56fa092e071e67fd1073d82e73730f9

  • SHA512

    323d46ca80409e87bb7b26ea0718749e2f0c3bbadc4a8ab413d37d50fade5d17958b38b54e450d16a0cbc47390bf48706edf6197d919dbf59f84a1edd481f4c5

  • SSDEEP

    384:cL7li/2zTq2DcEQvdhcJKLTp/NK9xaqd:6fM/Q9cqd

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4rzhffo1\4rzhffo1.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc956E107DBECB414AACC93A5DA6394085.TMP"
        3⤵
          PID:2544
      • C:\Users\Admin\AppData\Local\Temp\tmp1F93.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp1F93.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:872

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\4rzhffo1\4rzhffo1.0.vb

      Filesize

      2KB

      MD5

      1917ea283c54057cbfc470621710dcea

      SHA1

      bfcdd3c101e1086d0656e8a3e066df25c6aa4016

      SHA256

      5c975a00aa6e0f1f1899ea1699f1ade975264098bf433fc549c8944cd2c7ca67

      SHA512

      c95fb08df95d54738cfeaef974902d3b6e766a0317f8af73ce50393a4b68c426589a5352288edb9bee5dbf8c3fc90f4c15f5362e4bfa5545966bf03dc19c84cf

    • C:\Users\Admin\AppData\Local\Temp\4rzhffo1\4rzhffo1.cmdline

      Filesize

      273B

      MD5

      f832be721751190d509d2e40b2d71e15

      SHA1

      92a0a70f804252e9b0b5c2de208ff5d8ef7c8518

      SHA256

      f569a13dc3de0a458fb03049a0bcc791cdd8444fb1f94835c355cf9abf434f0c

      SHA512

      1d9e161a48d63cc39f059cbd5140ddac88960118998f0a4e480fea936bc371de5e537bea5cd4b5cb451bb56f058bd8b72ec114df30f545dc4f9c29d57f246a16

    • C:\Users\Admin\AppData\Local\Temp\RE.resources

      Filesize

      2KB

      MD5

      72cfea5b9ab0d00615f9193af27751a9

      SHA1

      d0b99400510e2f4b280c9876047fa389ff660bef

      SHA256

      9f02c33cc7f6037aadff6820ae87e53c1fd6a362866536d48b0b2f2fcfc840f3

      SHA512

      a4bf2c20b383e86bdacf8e1cb877bdbc187c70d18dcdef9c4f064485563d108af35a727f72bf7735b7d96801980319e2a606c61d3639fef85033a74988409b22

    • C:\Users\Admin\AppData\Local\Temp\RES20CA.tmp

      Filesize

      1KB

      MD5

      ab82738548c36bba9614b7835237e379

      SHA1

      88f96dd3d197a2ca24d4482bb500c659f84cb700

      SHA256

      2e3e8515f811950bd1557412748b33084556a857de84d633211d931718ca7d78

      SHA512

      ab93f9133d38983c07feabce7260d959045e909676d0681f36ec2ec870fac18fb2d84da367ea556b078291a073edda6ba91c4bbad42a662fd7dc8440454ca3af

    • C:\Users\Admin\AppData\Local\Temp\tmp1F93.tmp.exe

      Filesize

      12KB

      MD5

      fd86a4a2d3eb81ecca777e8a61a23acc

      SHA1

      ed490138594cea9104298db1f0d96c60c9b3a5a7

      SHA256

      4664dc467b64b2bda85949d14c8bd2dafe36385771a59d473238ba2627845e0d

      SHA512

      dda6a4917b8f504eca6536c6134f7e63166c046958a4e5fb4d8f2be047bc7590374d4588bdbd2d908fc6d595b41fafe3790b7e4aac57700084d49ba3a96b67b2

    • C:\Users\Admin\AppData\Local\Temp\vbc956E107DBECB414AACC93A5DA6394085.TMP

      Filesize

      1KB

      MD5

      92c4c18a585fdd7e5b5937629f632116

      SHA1

      0a229bd1e9d1b2be81217ec86cd7dcb4fc9a55f9

      SHA256

      01d05348d45bfa07f7b9db9f439956134e18c813302075da43751c10f0bddf31

      SHA512

      0f3687bd3e8070c1ddc49db2daaa912de437d126434bb4a543ca958fc70f538a41d0af0ea0e5cf99a36cf072450ed6d0abcc497af5233d3f95158ed662e552ad

    • memory/872-23-0x00000000008E0000-0x00000000008EA000-memory.dmp

      Filesize

      40KB

    • memory/2724-0-0x000000007419E000-0x000000007419F000-memory.dmp

      Filesize

      4KB

    • memory/2724-1-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

      Filesize

      40KB

    • memory/2724-8-0x0000000074190000-0x000000007487E000-memory.dmp

      Filesize

      6.9MB

    • memory/2724-24-0x0000000074190000-0x000000007487E000-memory.dmp

      Filesize

      6.9MB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.