e7e30d1529a9f67fdc329879a8cdb69ccc4e786bea4f1d381bfd5c14000fff0f

General

Target

5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe
Size

12KB
MD5

5327dba4c391612979b365b5879803e0
SHA1

c6932c7ca8601b7429d813e5987b786624df7de5
SHA256

e7e30d1529a9f67fdc329879a8cdb69ccc4e786bea4f1d381bfd5c14000fff0f
SHA512

6d64b8401d4f31a2d7ef9621b974a0f7f8b242a8ac78874db442ca7706953118a37c3b9d62f9ae94c0c32af01668e6c68074cdd7b4f2664855df4808359c242e
SSDEEP

384:9L7li/2zUq2DcEQvdQcJKLTp/NK9xaNv:tIMCQ9cNv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp257C.tmp.exe

pid process

2748 tmp257C.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp257C.tmp.exe

pid process

2748 tmp257C.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe

pid process

2168 5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2168 5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe

pid	process
2748	tmp257C.tmp.exe

pid	process
2748	tmp257C.tmp.exe

pid	process
2168	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2168	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5327dba4c391612979b365b5879803e0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2168 wrote to memory of 2060	2168	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe	vbc.exe
PID 2168 wrote to memory of 2060	2168	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe	vbc.exe
PID 2168 wrote to memory of 2060	2168	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe	vbc.exe
PID 2168 wrote to memory of 2060	2168	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe	vbc.exe
PID 2060 wrote to memory of 1388	2060	vbc.exe	cvtres.exe
PID 2060 wrote to memory of 1388	2060	vbc.exe	cvtres.exe
PID 2060 wrote to memory of 1388	2060	vbc.exe	cvtres.exe
PID 2060 wrote to memory of 1388	2060	vbc.exe	cvtres.exe
PID 2168 wrote to memory of 2748	2168	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe	tmp257C.tmp.exe
PID 2168 wrote to memory of 2748	2168	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe	tmp257C.tmp.exe
PID 2168 wrote to memory of 2748	2168	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe	tmp257C.tmp.exe
PID 2168 wrote to memory of 2748	2168	5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe	tmp257C.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0tcnktih\0tcnktih.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2720.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5F169DC725184B7491DA44ED8ED9C93A.TMP"
3⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\tmp257C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp257C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5327dba4c391612979b365b5879803e0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2748

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0tcnktih\0tcnktih.0.vb
Filesize
2KB

MD5
4a61f74322c6da35206b5e9c96d60eae

SHA1
66b5bd5a236df8e4424ac9bfbaeb683cd2854e1b

SHA256
873917bf98b6d6c3247878dc89bdb68629c4dcbe6bd95ad92e0948e156939c0d

SHA512
acea7a9cd31a61cba0d6ba41573b600a587c0719621beda6f300a619682fcb7d1a11732bfdafd3192b8893354fe383b4976c41817816c83774d7f379bfab17b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tcnktih\0tcnktih.cmdline
Filesize
273B

MD5
b25c4a71095c8939618ea0b014e9ceb0

SHA1
423daec3a75a25b54f9491828aeebc916bf74288

SHA256
aa1654fd42e8ed72e160434d97737f1eb92f46cd93541e3d1d45230447809c82

SHA512
ff79d68474b615220643bda7fc5413c329c42367b8ace756056d520ccf5a060c874c9aa253656ed6df2d4518c2626e624e1681baf8add85bd39d8d6bd2322993

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
577006f5e892b8b764d1c064525429dc

SHA1
26eacad64e1d48b5a34c09d9541d7ef8cf8cc3fe

SHA256
5a7522d9a5e1075479afbea057e00a96032fc20151a570f6f6609b354cffa541

SHA512
b98b8b457deb3f298444a48247876b1b19872eb8db246e6847620406923aefd9ae94b951ae5a0013fac96f1e21c391c1a27b089dc782745a8b2f3ed810bf735c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2720.tmp
Filesize
1KB

MD5
ef6b250a2ba4151c6ba033577c68dcd9

SHA1
c4082470937a9c69179b158d802552d8bc163678

SHA256
415a15fc714dac64982ceb4b994d9d6c55e595cbb1b72f36de3eb3c4c9a52066

SHA512
c1d4b13ffe2d0899b088d9478c7452886da8983639a3f58258797780f6dbd2c9f6281fe84f68eb9e12da2e58d99c7e641d5954e158739f63e46dd22c2872c689

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp257C.tmp.exe
Filesize
12KB

MD5
2a0d9d73f96f515f4345e18dd41b563a

SHA1
f0929566dac66cdf8410908fff55d1783e5ac984

SHA256
a86e4633a74bd7c8253a6be51b64990a7b3cd79d4bf895781d238d6d030c4792

SHA512
11dca8fc2b534bd05ada2a42802b25b2deb7a82365978a6f783fbf936d8b764bbf803023837e9b964c29a00dc5408467057b6dd6918dbb66d2fbdcdbceb47637

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5F169DC725184B7491DA44ED8ED9C93A.TMP
Filesize
1KB

MD5
4f809518835204c753a567d0c611b2cc

SHA1
4644943671306b438bcc4ef8f2e5f33071c1831e

SHA256
7a86e7299165b9a79ecfd81a641f8a65f4f99812306e64b2962d0b568d5a0b17

SHA512
a63b319fe1fad05863d176802392370a9560e7071447bdc6ba003c9e2511f8d1408be631c7592d28f8a33ae2bfadbfab249c4d3758c2ca6902376f0655b9ebe2

Download Submit
memory/2168-0-0x00000000742EE000-0x00000000742EF000-memory.dmp

Filesize
4KB

Download
memory/2168-1-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/2168-7-0x00000000742E0000-0x00000000749CE000-memory.dmp

Filesize
6.9MB

Download
memory/2168-24-0x00000000742E0000-0x00000000749CE000-memory.dmp

Filesize
6.9MB

Download
memory/2748-23-0x00000000011A0000-0x00000000011AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing