44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f

General

Target

44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe
Size

12KB
MD5

ddc67ba23fec835725342dd541961f40
SHA1

28b215b450110d1f9bb9b058f1536a8fcec61d81
SHA256

44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f
SHA512

9cc849d87bdc0e87f4f8e68114536f6dad7d2b0ac66ec09a5cf08347cd2ab4b5e2aa92a87ffa6608adcc1c67307dd59af4296c4b29d8c0b5d1c8d413d19db5ea
SSDEEP

384:qL7li/2zqq2DcEQvdQcJKLTp/NK9xaQC:0iMCQ9cQC

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2884	tmp1141.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2884	tmp1141.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2276	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2540	2276	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe	28
PID 2276 wrote to memory of 2540	2276	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe	28
PID 2276 wrote to memory of 2540	2276	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe	28
PID 2276 wrote to memory of 2540	2276	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe	28
PID 2540 wrote to memory of 2600	2540	vbc.exe	30
PID 2540 wrote to memory of 2600	2540	vbc.exe	30
PID 2540 wrote to memory of 2600	2540	vbc.exe	30
PID 2540 wrote to memory of 2600	2540	vbc.exe	30
PID 2276 wrote to memory of 2884	2276	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe	31
PID 2276 wrote to memory of 2884	2276	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe	31
PID 2276 wrote to memory of 2884	2276	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe	31
PID 2276 wrote to memory of 2884	2276	44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fbksnqa2\fbksnqa2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1268.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4673EDCB42444A2A6A2580BD36397.TMP"
    3⤵
    PID:2600
- C:\Users\Admin\AppData\Local\Temp\tmp1141.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1141.tmp.exe" C:\Users\Admin\AppData\Local\Temp\44351286e6f4dd2a7a55c0bbec4c047bf9dde1888fd9155debec610c3971ec6f_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
1da56c8b8046ab353de042420575f07a

SHA1
7dc00b110b96b0c4fb39c3086bacf15152eab5d2

SHA256
216ffd2688c03f2b1c3c8f5912c11b65796d9cf5ccf5d411f23cc48d72841e44

SHA512
a395fd690badf22ba660a8baf02c6612387115c24687ff65b2822765b1ff5b3711fd2bf0bd216c2893844489c40b553aaa7fa8aea7d543cc0b1201dd964457bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1268.tmp

Filesize
1KB

MD5
eb138fdf824c5c0a394f07e22aa1d02a

SHA1
cc04403f2a7578d55fb2bfaf949ef039f08244e3

SHA256
aab39e8e4a8c1656239232f0f42db3d7ef6001f92e5930834093e6a98a0aa6d2

SHA512
9d08f23a6af395e86d5017880f781adf0abdfa6e60336ac1dc65e6a4f54c1ba929676a477ef51dc283fa495c2b0597ff1bf71d5838dbc594e53f08ae73cd735f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbksnqa2\fbksnqa2.0.vb

Filesize
2KB

MD5
f16e446d6a7a4d06b282922ed54f1adb

SHA1
0fa929ff85cc4798dcbae06d3ec04f4503069c92

SHA256
062d0286cd5391d1061a494d08d9201e7b8120572f3a014802cfe0a5fc9e0128

SHA512
a557fd06b3b78160272a9415b8dc6ebb4e4173c129478b4b9a66a66a490402a34bf6d381a07eb84a64fa2beec0e1e0cc938805ea588de3a827d61dc44121ed16

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbksnqa2\fbksnqa2.cmdline

Filesize
273B

MD5
bdd3c53e54eeaca7fe0c6c28d1ee8d74

SHA1
814e6e8fe18861d82faf6380698db4c313fd8a31

SHA256
4d36aa83c84ad823a0889a6d25786b24cab0d3071d3e37599b67089cb05a61f4

SHA512
81f2e6c975d2b51d77e21fa091b3d30c000d3f9fdef33ded64a69ddc815d7a87510b339c5c472c1281ff64e8135cf40de164b6a6d9d1163b985a7d24abef04f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1141.tmp.exe

Filesize
12KB

MD5
53bc365de200a6bfca86b7ecda4d0165

SHA1
0e8a141c97050aafff024d307804aa2fdc2f56ca

SHA256
bc4dae8ee3d61033e995c852a5d580a1b9b923401b76d3ff2ffc33e7cfbbe2cf

SHA512
a8238feac7642ecd09885560ddf580f9e1985f1efd3ca0dc94874ca21abf168b28e7d9adc573310afb6754dffe046ab090db9a6d890163c5f2634c3293ff9a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD4673EDCB42444A2A6A2580BD36397.TMP

Filesize
1KB

MD5
6b161763b18b4ac6e9b933a35b54cea1

SHA1
1e00aa662d1cec27c61ec8be4534f674af1b8bfb

SHA256
af4bb87a31d8a4808b9e4c4d3d7ac8978c745d1f766ee18ae9b77a2f24728830

SHA512
7dcc4b00a27e1f6db847b0645c67cf259161f8b88cdff72223e117f96f115f5d0f6b07c5b9d47b0238114a91567753306297464f88165292c0255f94dd5ad128

Download Submit
memory/2276-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

Filesize
4KB

Download
memory/2276-1-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download
memory/2276-7-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2276-24-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-23-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing