6d4e4bcfd34b449a766d554b7c31c6837ac0ce731e50a506ad7dea4fc73a3a1b

General

Target

458ae041720c256b9997391e28819310_NeikiAnalytics.exe
Size

12KB
MD5

458ae041720c256b9997391e28819310
SHA1

0f001e3a37d8f528e0d5548996cd18829c707c15
SHA256

6d4e4bcfd34b449a766d554b7c31c6837ac0ce731e50a506ad7dea4fc73a3a1b
SHA512

5178dc2144115fb8f9f7359127d923fe12bd45e692fff46c5a023293ee1bd3ce340e31bf489a5bb4a6841ef50c73f569036fcb738544f0ce27e9453a332b7bec
SSDEEP

384:aL7li/2zuq2DcEQvdQcJKLTp/NK9xaU4:EuMCQ9cU4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp2E61.tmp.exe

pid process

2592 tmp2E61.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp2E61.tmp.exe

pid process

2592 tmp2E61.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

458ae041720c256b9997391e28819310_NeikiAnalytics.exe

pid process

2556 458ae041720c256b9997391e28819310_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

458ae041720c256b9997391e28819310_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2556 458ae041720c256b9997391e28819310_NeikiAnalytics.exe

pid	process
2592	tmp2E61.tmp.exe

pid	process
2592	tmp2E61.tmp.exe

pid	process
2556	458ae041720c256b9997391e28819310_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2556	458ae041720c256b9997391e28819310_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

458ae041720c256b9997391e28819310_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2556 wrote to memory of 2992	2556	458ae041720c256b9997391e28819310_NeikiAnalytics.exe	vbc.exe
PID 2556 wrote to memory of 2992	2556	458ae041720c256b9997391e28819310_NeikiAnalytics.exe	vbc.exe
PID 2556 wrote to memory of 2992	2556	458ae041720c256b9997391e28819310_NeikiAnalytics.exe	vbc.exe
PID 2556 wrote to memory of 2992	2556	458ae041720c256b9997391e28819310_NeikiAnalytics.exe	vbc.exe
PID 2992 wrote to memory of 2676	2992	vbc.exe	cvtres.exe
PID 2992 wrote to memory of 2676	2992	vbc.exe	cvtres.exe
PID 2992 wrote to memory of 2676	2992	vbc.exe	cvtres.exe
PID 2992 wrote to memory of 2676	2992	vbc.exe	cvtres.exe
PID 2556 wrote to memory of 2592	2556	458ae041720c256b9997391e28819310_NeikiAnalytics.exe	tmp2E61.tmp.exe
PID 2556 wrote to memory of 2592	2556	458ae041720c256b9997391e28819310_NeikiAnalytics.exe	tmp2E61.tmp.exe
PID 2556 wrote to memory of 2592	2556	458ae041720c256b9997391e28819310_NeikiAnalytics.exe	tmp2E61.tmp.exe
PID 2556 wrote to memory of 2592	2556	458ae041720c256b9997391e28819310_NeikiAnalytics.exe	tmp2E61.tmp.exe

C:\Users\Admin\AppData\Local\Temp\458ae041720c256b9997391e28819310_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\458ae041720c256b9997391e28819310_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tfm0zed1\tfm0zed1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3015.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAAE70FB96D6B463BB687258719786558.TMP"
    3⤵
    PID:2676
- C:\Users\Admin\AppData\Local\Temp\tmp2E61.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2E61.tmp.exe" C:\Users\Admin\AppData\Local\Temp\458ae041720c256b9997391e28819310_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
6b66478dfacd242cf925ffc21bf388bf

SHA1
c0b5933d3a669662bcae0047736fe232202bbbce

SHA256
ac518c479c8b83a6e8b88d43cfa583b37525d56a185dd5cd5438fb3441c88e6a

SHA512
3d35707caf4d13ebbf2cfa3223688c4b78a1aec9f761553269e3667ec59440fcd32048babc9098d7278ccf8106046070f28b11e4e37944684458d958f0892f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3015.tmp

Filesize
1KB

MD5
3c92f966cbea7861c5d3ecd0725c09d4

SHA1
0f5ddb5ee220521259937c630e3a6016dd824f53

SHA256
f5d356159c4aaa617bdcc07378b81c68b139f365067dec7b9f6ac04b8f1e0866

SHA512
b3f27f9ea68bc56d8fc6b8c7827155df6a3db1632714a9e3b9ed0ec9a0a0b2d65ec53efce1df7e9fcd6bf6e9db9bb66831e443fba3bc340c4de410209afb99fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfm0zed1\tfm0zed1.0.vb

Filesize
2KB

MD5
f6fa345ca3d3d7022b62bb7b1b74a6d6

SHA1
66fd5ac99692fec3d6bdf76516410763cc4e4bd6

SHA256
8e161c86c6dc79c365604c8b3e02583a1978f084cdf3da9b8f243821f197d58b

SHA512
d67511f1d305aa203bff31a9323ea2291c7b5729a71f6874cc04f2e88f1109a4bd833dd95459b9d8fa3da963d5539de3d5b54f5b655c3f41bc44d59091302bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfm0zed1\tfm0zed1.cmdline

Filesize
273B

MD5
b725ba5f114f5d6940597e189c8ad7f3

SHA1
ae0268fadbc3e6315a22d2060492e940bfb30089

SHA256
2b9a4f605850e7e1711d0a098dc7a8571a5565c5d342b4bd598869b9909e8c33

SHA512
07bdb07be80e4340139d7d361d632c82a2adaeb64902bf846125a272efe45fdea3c935da6aa7b05cdf6d75f8bf89df16edb8ae5431288490f71ebcfe686b95d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E61.tmp.exe

Filesize
12KB

MD5
61544e7724ce4de8ddd196b89f6f3e6e

SHA1
8e42b33a3c7f34c948db71981f606ebc810916c4

SHA256
aea5ab7c5743127ec71ee7872934a9c103b98231c31bcdae035830abe5273c45

SHA512
45ee9a1afbf89e0800f960be1d61b45971bfeb997760ce403d5345612906ce924682fefacfe5a0b4dc7fca9f3004fda7e03aa6ae98ce663ce3be4a225614028e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAAE70FB96D6B463BB687258719786558.TMP

Filesize
1KB

MD5
b349a96d84248a3b41144e695d6a25b2

SHA1
c78155c1f5b1bab5d0d01e0d34688b539fda00a1

SHA256
30d65e116e9b8286831da00b3851cada0c14ea5111b2bcdcdfadcfe85a798d37

SHA512
4d67f277d8e76252de8ca40cf1a924b613c0325b2ffa24090a4182bfcbc1ec44d3b1734372552802c2098c6badce973a56b5fd0b37e473b7b557bcd86e7d4100

Download Submit
memory/2556-0-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/2556-1-0x0000000000100000-0x000000000010A000-memory.dmp

Filesize
40KB

Download
memory/2556-7-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2556-24-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2592-23-0x0000000000F80000-0x0000000000F8A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing