492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054

General

Target

492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
Size

12KB
MD5

18be8734f158add81a1d6123270c7e10
SHA1

33e6e05ec5f55c7945b8993dcb947ad4b3a6c165
SHA256

492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054
SHA512

a87de3c25201319c005c14a9328eada2640b220c8c618df3cf6e22dfcecd80b9deb240a87ed33f3e7a5ba2ab62a851003a8661187a52b931d3bc825d57f3ce47
SSDEEP

384:EL7li/2z8q2DcEQvdhcJKLTp/NK9xaet:S4M/Q9cet

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2716	tmp2618.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2716	tmp2618.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2268	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2244	2268	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe	28
PID 2268 wrote to memory of 2244	2268	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe	28
PID 2268 wrote to memory of 2244	2268	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe	28
PID 2268 wrote to memory of 2244	2268	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe	28
PID 2244 wrote to memory of 2604	2244	vbc.exe	30
PID 2244 wrote to memory of 2604	2244	vbc.exe	30
PID 2244 wrote to memory of 2604	2244	vbc.exe	30
PID 2244 wrote to memory of 2604	2244	vbc.exe	30
PID 2268 wrote to memory of 2716	2268	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe	31
PID 2268 wrote to memory of 2716	2268	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe	31
PID 2268 wrote to memory of 2716	2268	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe	31
PID 2268 wrote to memory of 2716	2268	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2y3fregl\2y3fregl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2710.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C4846F97D424E55B2F6D7F8F2F9AF8F.TMP"
    3⤵
    PID:2604
- C:\Users\Admin\AppData\Local\Temp\tmp2618.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2618.tmp.exe" C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2y3fregl\2y3fregl.0.vb

Filesize
2KB

MD5
76dd5118cae0ee6772bce2852ee9a49a

SHA1
3067f5badbf12320a3d6def782680f0eba5bbe0a

SHA256
0c071bef990d32964d3f8560bc83593c76697aebd0bae2ffadbd7135808cb973

SHA512
7e4d5c4b17033712685c79e432780d1841e91fc44c011755a57d2ec8c4d9317c46b749b3a38d6dd4cadcea99d74f2f2d4a9ea8e8638e441961866f1c75696540

Download Submit
C:\Users\Admin\AppData\Local\Temp\2y3fregl\2y3fregl.cmdline

Filesize
273B

MD5
6aa3affa2909823ce623893b20bfa9d4

SHA1
e94cb8e0f3113f6fb5e9bf9366063b16df9514b8

SHA256
bfdfc52ec0d01214deecfdd8bdd63ddad515e1ee3554ad86879b755f6ad1ab79

SHA512
abcfa77ea91f32c0df9652f50d9b94d1cdd946f914bc842d8d1331f56f11383987db807df48d7c8143e1478d4d31816c7f58f6afa5fe3b9f10cdb063db1b6241

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
1175978d3091e9bee5db76440b9bdaa4

SHA1
a6198a5d9d75b7e8ba076d97d5b88f59356cdcb6

SHA256
e523f5fa0a51cd9a6b171ce0f9628359431c8bafb36ee8dd840907a5a613ab33

SHA512
a2937b4a42ad7df2b83ddad1c3817432ac23214594ec1d08e2e3d1718f29c78ecd29c01bc072ec999b0d444bc0e2e029ff36ad70304c413a036d02169e23801b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2710.tmp

Filesize
1KB

MD5
8b384b82394bc7459d744907f7ce4dbf

SHA1
8ee51e42cead6455e07e6569558e404db943e487

SHA256
394097086ee1a2ed24295b7c51494e92f06f5741b32996fd9b085d09048536b7

SHA512
7fc56a2e944e1e3d77068de348f0b6b3ea43e2adf1783e4f4e185b55843b9c5fc350702d9fc9d23a7840c18c836b7b2af6c23bb591d4950886ded6672f3ab4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2618.tmp.exe

Filesize
12KB

MD5
edfeae7f8900858a76ce2e7e025e3e04

SHA1
a6a3f15e7570812a99f920761b63b1f4e77a3c8e

SHA256
9c5982fc69a562f8bde8275774630e162930bd4b38ca22cf8c51195f71511a52

SHA512
264cc956be73f437867838714868aeece725e421bfeabab7f74af215d283a5db477007d20cde208345a76a5dc1954a47e159b504df301f0bf5a667ecb80c9f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4C4846F97D424E55B2F6D7F8F2F9AF8F.TMP

Filesize
1KB

MD5
cc4ed7a9c67f9c040f448abb29adc0bd

SHA1
b59b87a87259b032a07955a948b02f4ee8f6c27e

SHA256
ecdac5b87667b1d8d038a5f21d9837407bb2b4cfbb120093569cef98674c7468

SHA512
9846f306387e4cbff7246c17083fe8990488fb4c6742f5a67c1880a7134bb1ab4f6c8c9666f6fdac61e28a5e7fdd5b8d60af33e2fbeeb368f5b10c1e3c7ec077

Download Submit
memory/2268-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/2268-1-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/2268-7-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/2268-24-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-23-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing