d31ad3018fc3d309e862d5bdadd979716b030d414c0e593938e84c3fbf663096

General

Target

5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe
Size

12KB
MD5

5430912b5e0babca8426a2defbe5df30
SHA1

83097dbc256d389977ec4167f8349c13b1cc8796
SHA256

d31ad3018fc3d309e862d5bdadd979716b030d414c0e593938e84c3fbf663096
SHA512

00d1a16a5b6d346d63a9370b45ab16c7c0685efe4b14256d0ec05ea29c1f0bf1cb7d4f2d2f5e764fb5026cae7527be5ee4fce3034123e2e9e4f7e0aad8b330e7
SSDEEP

384:cL7li/2zKq2DcEQvdQcJKLTp/NK9xams:6aMCQ9cms

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp978F.tmp.exe

pid process

2512 tmp978F.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp978F.tmp.exe

pid process

2512 tmp978F.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe

pid process

2860 5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2860 5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe

pid	process
2512	tmp978F.tmp.exe

pid	process
2512	tmp978F.tmp.exe

pid	process
2860	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2860	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2860 wrote to memory of 2680	2860	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe	vbc.exe
PID 2860 wrote to memory of 2680	2860	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe	vbc.exe
PID 2860 wrote to memory of 2680	2860	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe	vbc.exe
PID 2860 wrote to memory of 2680	2860	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe	vbc.exe
PID 2680 wrote to memory of 2616	2680	vbc.exe	cvtres.exe
PID 2680 wrote to memory of 2616	2680	vbc.exe	cvtres.exe
PID 2680 wrote to memory of 2616	2680	vbc.exe	cvtres.exe
PID 2680 wrote to memory of 2616	2680	vbc.exe	cvtres.exe
PID 2860 wrote to memory of 2512	2860	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe	tmp978F.tmp.exe
PID 2860 wrote to memory of 2512	2860	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe	tmp978F.tmp.exe
PID 2860 wrote to memory of 2512	2860	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe	tmp978F.tmp.exe
PID 2860 wrote to memory of 2512	2860	5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe	tmp978F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q1hlu5qp\q1hlu5qp.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BC3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD873C4D98C9947F9882888D8425D61D2.TMP"
3⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\tmp978F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp978F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5430912b5e0babca8426a2defbe5df30_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
d07b71b6ee27d23d1681e50c86a5d730

SHA1
dd1b157f2392d89cbfbcfdb9c83a0236d4dc1296

SHA256
93fb1f7269603c544844f14948901ad3ea4485047cd31031ed52ccff401eac76

SHA512
d2c2f0102edc360883659da96895e5853ae70b68bc7bb0ede304a207973a8cb08d32da9b9dc600fd00f2336c270a42f18d6665701c531d1ed4c21eeae4796da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9BC3.tmp

Filesize
1KB

MD5
4e1bb0615462275f86811a0ffe9214af

SHA1
b4758871603cec6ae62f9cce27bf5f67d8be050d

SHA256
3a746f579e5a5c9a29b3eb4f376c11e24189d7d849b4452036c2954f5676276a

SHA512
b1275263e07560c34781bdcd60251b7016d50025e028fdbd60205d5f9fa3055cf4e39edac8edd9be4b073037f127cbd335882c8eaa2dcab69201a8db4c2b428d

Download Submit
C:\Users\Admin\AppData\Local\Temp\q1hlu5qp\q1hlu5qp.0.vb

Filesize
2KB

MD5
f9970bd1d41b753f444185b0cfc74791

SHA1
b93bf53d0f65a8e73dc0048d62a7b307b28827aa

SHA256
93cc35c0f37880dc367e35e686b3dcd146d6c80c5d36b3b76c9cb044fe904f51

SHA512
caaf0b69eeb750ff370bcd5939605c8f6b410e246d5a4c69ba3bb890627544ab24d86fe387b08319a8fcb46c891ca570813e7931c4966777338aa76a6709232c

Download Submit
C:\Users\Admin\AppData\Local\Temp\q1hlu5qp\q1hlu5qp.cmdline

Filesize
273B

MD5
cb7e900ffbde8d125a06769b1bb3ff4f

SHA1
fda53586d296b3a37ee94c07765b6d7af0afd00a

SHA256
daeccf53ebeebc91bec18a10499f162fe9f51de766fdcd86175d12446707b271

SHA512
9c338a8450a6ef069ef87b9ac87b124673abf1d296c95cc1c94e4883ac4049c13295e43160e7468c4707b28ad3c3ea46f9a78682114f6497e70e3173d5d344a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp978F.tmp.exe

Filesize
12KB

MD5
8bf6e8db5eba8890931593e5a38e31be

SHA1
d84128bf0ccaa69e2812aeb62209502edd830eb2

SHA256
920672d8969541d80ad0c8482ae7c4866e3af1fdf31cec0362e4c7941a023d80

SHA512
f551766d3e757b1a0cd78e23e774645e1145efa1ce0175dade735281d0fde109cc92fb5ee27c5387e955321d7c44ac0498bc3ccd5a9a94232c5f41340c12cce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD873C4D98C9947F9882888D8425D61D2.TMP

Filesize
1KB

MD5
764689ae467056fd43b6513975a7fead

SHA1
2be981c6d99cbc7013baa8cd3a89f8085a9e38c2

SHA256
12b93b0b3ce1817228f729f9972ca0f7e91d91816ae287da41ec2d3607b875d0

SHA512
1fbd791d2ae9d3fd1803248d130ab1d94dd3a935132c5070910e62086d211dd92ec16138269b9b87a49d1f548c92c3c89b1048bb268690fb73f6b73c30dc5163

Download Submit
memory/2512-23-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2860-0-0x000000007434E000-0x000000007434F000-memory.dmp

Filesize
4KB

Download
memory/2860-1-0x0000000000040000-0x000000000004A000-memory.dmp

Filesize
40KB

Download
memory/2860-6-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2860-24-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing