4d9727e5e3f23cb170c3b5ec7ca347bc777ae1e7cd6db5bb9a86c289c3444582

General

Target

449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe
Size

12KB
MD5

449485fa6478bcfbc3f74d4b56232370
SHA1

aee35932f650fd4ef65da22cc0b48dddabd03614
SHA256

4d9727e5e3f23cb170c3b5ec7ca347bc777ae1e7cd6db5bb9a86c289c3444582
SHA512

5cd4c08bdcf56bf745b63a79a96722ed29bf8631bab6c0d3e3145316a273e264408b08ad56dd2e7b3aca4757f01bb1f99c13fb5935b16092969205bc7eec34bf
SSDEEP

384:5L7li/2zgq2DcEQvdhcJKLTp/NK9xaIn:JMM/Q9cIn

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp18FE.tmp.exe

pid process

2600 tmp18FE.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp18FE.tmp.exe

pid process

2600 tmp18FE.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe

pid process

1740 449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1740 449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe

pid	process
2600	tmp18FE.tmp.exe

pid	process
2600	tmp18FE.tmp.exe

pid	process
1740	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	1740	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 1740 wrote to memory of 2572	1740	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe	vbc.exe
PID 1740 wrote to memory of 2572	1740	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe	vbc.exe
PID 1740 wrote to memory of 2572	1740	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe	vbc.exe
PID 1740 wrote to memory of 2572	1740	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe	vbc.exe
PID 2572 wrote to memory of 2704	2572	vbc.exe	cvtres.exe
PID 2572 wrote to memory of 2704	2572	vbc.exe	cvtres.exe
PID 2572 wrote to memory of 2704	2572	vbc.exe	cvtres.exe
PID 2572 wrote to memory of 2704	2572	vbc.exe	cvtres.exe
PID 1740 wrote to memory of 2600	1740	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe	tmp18FE.tmp.exe
PID 1740 wrote to memory of 2600	1740	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe	tmp18FE.tmp.exe
PID 1740 wrote to memory of 2600	1740	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe	tmp18FE.tmp.exe
PID 1740 wrote to memory of 2600	1740	449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe	tmp18FE.tmp.exe

C:\Users\Admin\AppData\Local\Temp\449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y52ns0il\y52ns0il.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A06.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E5FC044D9E449C7B0307BA3E3D417B.TMP"
3⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\tmp18FE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp18FE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\449485fa6478bcfbc3f74d4b56232370_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
291ce671e59dd15cd582a80bf5f766c0

SHA1
90a82ccfed533d1fdbc118e9706bb8eac1c5cdd8

SHA256
a9226b442476c16fb6224c02d6e88578f4f415db61355381fcc12c702217e253

SHA512
c2c55b7501910dbf2af09a0e7e4349b40728709151c5e645b158e1d7ec9f29251cabd9ff71c62a6b79c8690c7bb73e2cb086d6f896f21a67a62bce293a590997

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1A06.tmp

Filesize
1KB

MD5
b701a39e2a972a7758e57b1d43b61bcb

SHA1
a12e74779b71abe5ae84598df85678707744f0fc

SHA256
1df5ed8444d6d12721435849a71507b4c150cd201f4dc356a4b6f50c9317791a

SHA512
f6d054108384e9c1317f23f0ceee800257f9d194b5656f63fa952112488186871f601951da24a0379510550675d5537694cb38a2b555b470debb640c4ec51150

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp18FE.tmp.exe

Filesize
12KB

MD5
06e81561f67cdcab95b0038fd4940f75

SHA1
8c3911752ac51497d773235f144e8974ca012e64

SHA256
0c868a55a0061669df948e8838f2aea3258993201b5285df96c1c308dd922d56

SHA512
b47090a0c53807f1b473f34e17486ebaa2fe33a1d40efee8cc8d4d58ac6e8097d30be3a54cde6a22992717732c29f4071b2ee39505000919c923b51177df2046

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1E5FC044D9E449C7B0307BA3E3D417B.TMP

Filesize
1KB

MD5
c442d141ece479337c9cfbb664ffa9e6

SHA1
43161035f4b7e1cc98b77a0c368d20e162fe7477

SHA256
2387da6f1a269a96f71dd99dc84fe7f2528e3df3bd7ed8cad32950d202e0253b

SHA512
1d77c165d25370fc539b06a49c3b79698c179349aeef15facf9b46836102dcae9664fd7df1808cb4c09fcbb0fcb6e973f230d0537faa5e1f932f7eb4d5702e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\y52ns0il\y52ns0il.0.vb

Filesize
2KB

MD5
c8dbd612fdbaf98e936d6940e4fb9d08

SHA1
187b6e0f04ce21596e707486b204ac489e26e785

SHA256
9a3b20fdedf220e1a40fe1fffb3ab1b37e1f19bd4b4fc08c363f86f7e328db04

SHA512
c5489088f399b2eba801c4efe85b4961dccf4b48fda22ea83a9edd80c6977f6e7899fa613a05d84f0b49b2ddfcbf1bc4244d1ebe0b0d1f3db69f782add606cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\y52ns0il\y52ns0il.cmdline

Filesize
273B

MD5
df0a5867a87dfadd114930dfa318724c

SHA1
af0383baf7febd8c88bfcc756d89bf61451283e6

SHA256
5e07e7934e91db7988ac52f82f057087820a30d5cee46e5f0a530cf2a31da826

SHA512
5de64e86a399c40d8bdccb257e61dc5b78d4fe924be16482a1b9680378543388911c0b87909f8b3ed3454456af06d3d776dbb9df094b5ec387e501f4053640f3

Download Submit
memory/1740-0-0x00000000744FE000-0x00000000744FF000-memory.dmp

Filesize
4KB

Download
memory/1740-1-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download
memory/1740-7-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/1740-24-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2600-23-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing