ae2036bd2a36b61a0a644ae1b22ccc7d47e911584bbab043f821dd10e6866181

General

Target

f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe
Size

12KB
MD5

f3b0ef89d1aae3162f183c6287a7bd90
SHA1

aa571d5d25bffa0da454d1440da6cebc57503ee8
SHA256

ae2036bd2a36b61a0a644ae1b22ccc7d47e911584bbab043f821dd10e6866181
SHA512

d766cc9631198e53d6cd985fa827fa59d3408c43f2bca64999406e1ab4a5764f77f96198bad55ba0ff96751496e494ba443d769c99d5e11aa10b76b88e22edd7
SSDEEP

384:UL7li/2zZq2DcEQvdQcJKLTp/NK9xawF:CxMCQ9cwF

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2792	tmpA18E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2792	tmpA18E.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1772	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1772	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2904	1772	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe	28
PID 1772 wrote to memory of 2904	1772	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe	28
PID 1772 wrote to memory of 2904	1772	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe	28
PID 1772 wrote to memory of 2904	1772	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe	28
PID 2904 wrote to memory of 2996	2904	vbc.exe	30
PID 2904 wrote to memory of 2996	2904	vbc.exe	30
PID 2904 wrote to memory of 2996	2904	vbc.exe	30
PID 2904 wrote to memory of 2996	2904	vbc.exe	30
PID 1772 wrote to memory of 2792	1772	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe	31
PID 1772 wrote to memory of 2792	1772	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe	31
PID 1772 wrote to memory of 2792	1772	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe	31
PID 1772 wrote to memory of 2792	1772	f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ksfld4yb\ksfld4yb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5F0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F492C178634B208B37334D6B9FC658.TMP"
    3⤵
    PID:2996
- C:\Users\Admin\AppData\Local\Temp\tmpA18E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA18E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f3b0ef89d1aae3162f183c6287a7bd90_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
200a46afcf492e500802a346e2c08b4b

SHA1
a288f0a2f042145eeab1287d201b8402c6683ae5

SHA256
128edafd4495dbf61721572621f136be33496f0eb08c3bdae9b2cb2e62a293d9

SHA512
4a3f7675ad34f5fa1b1e0da3beace40579ce2e6932d29b8ede7643c95fc8bfe89b4a3d5dbfaf65c21cb4d9a8bc0acceb07d10313d5d740ddcbc9a987818dad76

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA5F0.tmp

Filesize
1KB

MD5
a777716d4406c91a7e179b038b1a7c6b

SHA1
1a617b7a8ef04732073f34aff6e979453bc1c1bf

SHA256
777a65fe3df68a93c8a736111cac3814bee12e7f8893d997274e43a0a6dfef80

SHA512
b14d03e33a07b23485e7f5a323863f81708dce2962be681e860c8e6c04fb08706ce0786f0eed2f5d2216b06f9b0578a5c15e58c79bbf52dee775311a0f93e7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksfld4yb\ksfld4yb.0.vb

Filesize
2KB

MD5
7c85d898b21e09d97fde0d8cce51eb9d

SHA1
424aecbc859ad89e464ef3b91e054503e3b03292

SHA256
e812cd626caeba425fb67d88ab6ce8c3a1347d5124922de1771bb4dd458a480f

SHA512
191ba38a2253e093ea47ba897bc314a11ac6190dfe3ebfc49cff79873be8e0b9d61f473f96ccd0ce4ebf2423443a156b23c18bf2a7cb9494ec368dd54fb026d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksfld4yb\ksfld4yb.cmdline

Filesize
273B

MD5
2ec46027fae3cf704d58c0bd87693220

SHA1
6ad570123290b69ec002c30bdfb233e47b3809e2

SHA256
d7243048e0fa92405a9bfdab2c754cd6a265406b8bdd3e90897d10232f19fa41

SHA512
174f1697d62870dd1b1b3f0ba36539867fbc63b6fe0eb52c16efc44b5057e181a1ac767868017292c60a466b646c82a45207048454e7664033542974ae1ae359

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA18E.tmp.exe

Filesize
12KB

MD5
cc2cb90046569e603075db21c9cd15d7

SHA1
d49a93165f4d2d8e697e26d955e1a9e67715e867

SHA256
6a8b1ab06042782ddfc7f1c957fd787c10701096e18216baeba10c1e83096374

SHA512
c5ae5fb6a942dd0ec19abef1bf50a623a01413aa2475ba85c7c5941e9c00b02e161db86f5696541c3081efc35af872c9ae7437bec3f43aaf6e159fba51ad55fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9F492C178634B208B37334D6B9FC658.TMP

Filesize
1KB

MD5
94271498904c881f3f584c5db22bb6a7

SHA1
02265dd8f4197768c5af7b47f49934fe2fb5e4c3

SHA256
e55b41274af6bd601efca8c7199d1b9cc67c12959ba3707b477d2c7be1e3d5ab

SHA512
4ec91fb6178498552e6096b051b0c64710a6a2a5151c49d9150c5e86796121c6c13a0fb260d5623fc4d8072f5a207d517883f003075c0975e3331f673c1881e5

Download Submit
memory/1772-0-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

Filesize
4KB

Download
memory/1772-1-0x0000000000870000-0x000000000087A000-memory.dmp

Filesize
40KB

Download
memory/1772-7-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/1772-24-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-23-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing