bf33cc062daa2e2d98a8357000519b6cbd72c27c2c137d8f58afd589fb9df3ae

General

Target

078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe
Size

12KB
MD5

078ca4ee8efd4d620b9d033fd678ce60
SHA1

e2caeb7efdf7334c7180242ac194a293e61822f4
SHA256

bf33cc062daa2e2d98a8357000519b6cbd72c27c2c137d8f58afd589fb9df3ae
SHA512

c524e918a5eb0103a2bf87b9615b8f488f5036e289d6ef8e8ecbf2938ec83266ed25100b6fadf892209a9083a7685b577c73eecf2ce46b4afbe575c61aaa088b
SSDEEP

384:zL7li/2zhq2DcEQvdQcJKLTp/NK9xari:XZMCQ9cri

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp24B1.tmp.exe

pid process

2716 tmp24B1.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp24B1.tmp.exe

pid process

2716 tmp24B1.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe

pid process

2108 078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2108 078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe

pid	process
2716	tmp24B1.tmp.exe

pid	process
2716	tmp24B1.tmp.exe

pid	process
2108	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2108	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2108 wrote to memory of 1704	2108	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe	vbc.exe
PID 2108 wrote to memory of 1704	2108	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe	vbc.exe
PID 2108 wrote to memory of 1704	2108	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe	vbc.exe
PID 2108 wrote to memory of 1704	2108	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe	vbc.exe
PID 1704 wrote to memory of 2140	1704	vbc.exe	cvtres.exe
PID 1704 wrote to memory of 2140	1704	vbc.exe	cvtres.exe
PID 1704 wrote to memory of 2140	1704	vbc.exe	cvtres.exe
PID 1704 wrote to memory of 2140	1704	vbc.exe	cvtres.exe
PID 2108 wrote to memory of 2716	2108	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe	tmp24B1.tmp.exe
PID 2108 wrote to memory of 2716	2108	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe	tmp24B1.tmp.exe
PID 2108 wrote to memory of 2716	2108	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe	tmp24B1.tmp.exe
PID 2108 wrote to memory of 2716	2108	078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe	tmp24B1.tmp.exe

C:\Users\Admin\AppData\Local\Temp\078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xjzghegt\xjzghegt.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2674.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B1AFDE026C54087A41E9D868AA4074.TMP"
3⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\tmp24B1.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp24B1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\078ca4ee8efd4d620b9d033fd678ce60_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
0db70131037d9c6ababd5f2a66090789

SHA1
89f746774d09603c8078ed0a0fc3882555ac83e6

SHA256
6779597b4ed57a51cfde1553cdca8f306a6419a37ae0fdc5c6c0762ad5f2dfb2

SHA512
992db9a385c12d6e17acc5e3da38b2a659a1f59aa9c946306a28ffdcf3045669814f51817a081308bf1893c8eb653224ef3f2f96724c70c784d5626aa40bb668

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2674.tmp

Filesize
1KB

MD5
f63781f3c8dfa0b0e829e67a77fbbb4d

SHA1
246e496ccc56b8ddb0e67aed71ebc90dc7e3f617

SHA256
b4ca87406fea36f9894098dbbd65030fd1e931162042872e2ca3aff5f6158c8c

SHA512
cf9688182e5c2f816718044d67660d5a70c9d5b7616f3036f5721c91f93fa9db65a6cc5b9e053cb23f48a523a6fbbe72b835c6d0a53b8796cef95dc23285c161

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp24B1.tmp.exe

Filesize
12KB

MD5
a17f69f64d27c8f6d831560b25fbbe1f

SHA1
134aac38600bdc210556363e5ee526f4f5568b4f

SHA256
f0c60bdd7ad48c9f0d2ad672bba8b15e88267b57eb02d4e46bfd1c0b5a0bbf70

SHA512
e5571b9e5e202441c97e37cc331c0c9f94b9c0c18c917599dc41e37cd0aa545f07410cb83f7b2f55bc53b3459c017b2c765943d69be7bcc089114328e4ed30b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7B1AFDE026C54087A41E9D868AA4074.TMP

Filesize
1KB

MD5
e7552793fd27bcb4f2fa0235e71c1012

SHA1
fc59b7da9cfc2afd65da96b6350ad379a77d2fe6

SHA256
73a44f4f884791b1f6759961602d9ceec85a10477e2e1e3c09b133b78ee6d6a9

SHA512
d3ea89dbf4457d376dbd13f46d30ff0246cec8a5cc2e9f5d31b0654b939e530a65c821cdc3a8dc6f3a07e00f51e0cd2f2325293c63a3a17ef144d87340654f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjzghegt\xjzghegt.0.vb

Filesize
2KB

MD5
cb1c0c00563d0b9700f7b3d47c8f7532

SHA1
bc08c886eec4c55910337d7dc3077dc2a9193dae

SHA256
b5ec6c4bcd40db997bbcb0dc7ab9f1f21bc440a038d5491aeb7addc5f604720a

SHA512
eda63c54f1492a4c84ba369a476b1626c606fb92ae247d901a73d02681d80a05d75680a0c5325d8e6c004c630b63db2ea30b46d0880c0acb46aabd421f1a1afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjzghegt\xjzghegt.cmdline

Filesize
273B

MD5
bc11a1c812549bb7d70c7a9bbd3e4925

SHA1
7220de7d9209acb464d0aa069a246f767cb28ef3

SHA256
cb869f803fd93f3e8b3d58865b5e27b20df6e1bcc21d70266ecaf45b6d5b9736

SHA512
19c95cd6d166e0187acc9f60afd6fbe6ae566be5db258ad21805a2540bb0e92feee2fe5e5e89b3a2e8318ea9ef75020f5e2286840807bbf5f42a7fa7089f5287

Download Submit
memory/2108-0-0x000000007488E000-0x000000007488F000-memory.dmp

Filesize
4KB

Download
memory/2108-1-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/2108-7-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2108-23-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-24-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing