01084cac1b32ed96f39659685faaf1f37cfaee0d204a361c3759c3ff0aa38389

General

Target

2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe
Size

383KB
MD5

2b0539ba691f98b1c255d082d7589570
SHA1

f228a998f9a2c0b1979e92f416603341d16ea86b
SHA256

01084cac1b32ed96f39659685faaf1f37cfaee0d204a361c3759c3ff0aa38389
SHA512

72965d8434a758a544b2868d26fb7b4ec708c285d0effd199c560393d703e7ce163757a67237ec61433498d6b883228388c8669e0c5e92dee4bfea0aded71617
SSDEEP

6144:7auq7YTzYh5LofcnWgHMMPl410Ngz7NlaUnQWNquQ0op6wRIIZZ2Mog:gYE5UfGWgVPl4aNgzBoUnQYiEIZvD

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2208 powershell.exe

Drops file in Windows directory 3 IoCs

Processes:

2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\Vulnerabilities\Navettes131.ini	2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe
File opened for modification	C:\Windows\resources\0409\sporeforming.bal	2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe
File opened for modification	C:\Windows\resources\stereotypery.teu	2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4536 2208 WerFault.exe powershell.exe

pid	pid_target	process	target process
4536	2208	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exe

pid	process
2208	powershell.exe
2208	powershell.exe
2208	powershell.exe
2208	powershell.exe
2208	powershell.exe
2208	powershell.exe
2208	powershell.exe
2208	powershell.exe
2208	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2208 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2208	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exepowershell.exe

description	pid	process	target process
PID 1344 wrote to memory of 2208	1344	2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe	powershell.exe
PID 1344 wrote to memory of 2208	1344	2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe	powershell.exe
PID 1344 wrote to memory of 2208	1344	2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe	powershell.exe
PID 2208 wrote to memory of 2080	2208	powershell.exe	cmd.exe
PID 2208 wrote to memory of 2080	2208	powershell.exe	cmd.exe
PID 2208 wrote to memory of 2080	2208	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Afspadserede225=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Mediatrices238\udkikstaarnene\deflationer\Elverhj\Forskrivende.Udr';$Novelettish=$Afspadserede225.SubString(53200,3);.$Novelettish($Afspadserede225)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
3⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 2548
3⤵
- Program crash
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2208 -ip 2208
1⤵
PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mediatrices238\udkikstaarnene\deflationer\Elverhj\Forskrivende.Udr
Filesize
51KB

MD5
6b3ce49e30626debe4ebc638e79bfbc1

SHA1
f0941c7b2694735091249b1676e4ba7693e6ede9

SHA256
bebd427c3ece459de5fc091d4573f313ba55bf68bdad2dbaf9f8ec5637b4990e

SHA512
d1bd3fb17897cba3fa4e9bde3b7bc7b73c88edb72cb47bc439b866c45f77ae85d01c6d9941ebc574ef660c33395b804a441bf9cef370b0c5dedbd3a1ac604e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ljnm0o24.dou.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2208-13-0x00000000737C0000-0x0000000073F70000-memory.dmp

Filesize
7.7MB

Download
memory/2208-26-0x0000000006000000-0x000000000604C000-memory.dmp

Filesize
304KB

Download
memory/2208-11-0x0000000005010000-0x0000000005032000-memory.dmp

Filesize
136KB

Download
memory/2208-12-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/2208-14-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/2208-10-0x00000000737C0000-0x0000000073F70000-memory.dmp

Filesize
7.7MB

Download
memory/2208-7-0x00000000737CE000-0x00000000737CF000-memory.dmp

Filesize
4KB

Download
memory/2208-24-0x00000000059E0000-0x0000000005D34000-memory.dmp

Filesize
3.3MB

Download
memory/2208-25-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

Filesize
120KB

Download
memory/2208-9-0x0000000005260000-0x0000000005888000-memory.dmp

Filesize
6.2MB

Download
memory/2208-28-0x0000000006500000-0x000000000651A000-memory.dmp

Filesize
104KB

Download
memory/2208-27-0x0000000006540000-0x00000000065D6000-memory.dmp

Filesize
600KB

Download
memory/2208-29-0x0000000006FB0000-0x0000000006FD2000-memory.dmp

Filesize
136KB

Download
memory/2208-30-0x0000000007590000-0x0000000007B34000-memory.dmp

Filesize
5.6MB

Download
memory/2208-8-0x00000000029D0000-0x0000000002A06000-memory.dmp

Filesize
216KB

Download
memory/2208-32-0x00000000081C0000-0x000000000883A000-memory.dmp

Filesize
6.5MB

Download
memory/2208-34-0x00000000737C0000-0x0000000073F70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads