8e8ec620c9d54c70f3c6e8529e06496b3595fe11d3ff65faab8ca1f081a488e9

General

Target

5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe
Size

12KB
MD5

5d8b5b577a3e502a41c81bb3fa0ec520
SHA1

f40dfeaf876e329194d691bec858b5295fa84e18
SHA256

8e8ec620c9d54c70f3c6e8529e06496b3595fe11d3ff65faab8ca1f081a488e9
SHA512

9980f120922ab8386cb6f1db583af32378acaecd2df40e93eb4ffda68da97b9108a63b349c366cd9ac1e146a214c4df35c3ccf4a90d83ff53ca4f8385d7ff7fb
SSDEEP

384:3L7li/2zzq2DcEQvdQcJKLTp/NK9xalY:7fMCQ9clY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp1F35.tmp.exe

pid process

2664 tmp1F35.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp1F35.tmp.exe

pid process

2664 tmp1F35.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe

pid process

2016 5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2016 5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe

pid	process
2664	tmp1F35.tmp.exe

pid	process
2664	tmp1F35.tmp.exe

pid	process
2016	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2016	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2016 wrote to memory of 1936	2016	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe	vbc.exe
PID 2016 wrote to memory of 1936	2016	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe	vbc.exe
PID 2016 wrote to memory of 1936	2016	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe	vbc.exe
PID 2016 wrote to memory of 1936	2016	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe	vbc.exe
PID 1936 wrote to memory of 2580	1936	vbc.exe	cvtres.exe
PID 1936 wrote to memory of 2580	1936	vbc.exe	cvtres.exe
PID 1936 wrote to memory of 2580	1936	vbc.exe	cvtres.exe
PID 1936 wrote to memory of 2580	1936	vbc.exe	cvtres.exe
PID 2016 wrote to memory of 2664	2016	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe	tmp1F35.tmp.exe
PID 2016 wrote to memory of 2664	2016	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe	tmp1F35.tmp.exe
PID 2016 wrote to memory of 2664	2016	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe	tmp1F35.tmp.exe
PID 2016 wrote to memory of 2664	2016	5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe	tmp1F35.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1hvz5p0z\1hvz5p0z.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E8D94ED51444A4689BDB5D62897B3F3.TMP"
3⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\tmp1F35.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1F35.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5d8b5b577a3e502a41c81bb3fa0ec520_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1hvz5p0z\1hvz5p0z.0.vb

Filesize
2KB

MD5
da48af82a4f696f786467aa4ad976f15

SHA1
fd2e529fa28eb558db64e48922a5de5860830650

SHA256
8591665482f1a77a64d434cb67a3b7a572267cee7fa701447a90761eee2993d3

SHA512
63be531fd199ae83811f2b53dbe2868a0e4e58da9a096afa6625d8713127ca00f489733b3033906c353b63a142a697b0f1928ba65f8a75264fa2346b37d930e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1hvz5p0z\1hvz5p0z.cmdline

Filesize
273B

MD5
511272a84ae9a562a45d34c5e6734158

SHA1
f100962562468bd806466c0425c70c82ea3fe1ea

SHA256
2e31220ee4f2b96d20477308873bc1f3a91addeaa39377f95ac54cd4a661a3d5

SHA512
68c1fd4cddfc7b56b81c790205b0d1816a7596f3618928ed886bb185e49c4578a5812d65f5b0375c5f88faa356a312d935f094f62a4f8f8f88bd8ce92d4c03e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
09b9a90111eb3bb76c206d4b03b48fe1

SHA1
789fe784cd548786cc8b93f33bdab0386b6fc75e

SHA256
4262ca4c46f87e840fdcd735b9686b1ead3187af137bb11ebbabecb5bb2a8946

SHA512
024966e583383e42296c100e148dfd71314cd728d8a0a61ab63fe4f9836b06d58fba8d271ada12dee2f0fc6defa5a47021ec050aa52b8d7b1490132bd4cabdb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES20BA.tmp

Filesize
1KB

MD5
b1e9bd2c722942aa83186c9855a50954

SHA1
f7f6bc80855e2bcfa922bfea95fa155af79ee64f

SHA256
ab466daa49c222715beeb5863321b83569822d8e1a4b3baea5927a3eb4ea02d0

SHA512
7c912183a36d5b712f000582b9cc9724fb7bea535faf7c429c7b22ffa9a7d1ab682501ff08d79eb7a1332bcbc4bce1bb47af126134ea5346772e68fcd0dc5fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F35.tmp.exe

Filesize
12KB

MD5
d6231ea26b6bc5394b4ca8c59e41476a

SHA1
91a1fb8810505ecc90900460f25c89c7b7422b32

SHA256
1802f3855591b24aadb8410190cfb04f7339bebdcbf7049ec12999ced1e3962e

SHA512
746fa93f2f2c81a18abf7619700364c4cb0e7369b60582fa02572b9f2b0edcc01ac4e49dfa588d402f13227ac83b0c263bde11440ba967aabe72152fb8f276b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1E8D94ED51444A4689BDB5D62897B3F3.TMP

Filesize
1KB

MD5
0c72af1fae1433d9b875346b210ed07d

SHA1
8eb9ca4254723aa7c59171afc0d04d0125cf47bd

SHA256
a796953a1fa496a7ffea1a46f791cb874c200be06a162bb3b915556caa167148

SHA512
8651b9d533428b6bc4f31f6edaafd581022ceb354746ec961d6b784387c2de2f436096b8479efccd167d49a05395f075ac914a3c0624de0a3e863ec279ca8b9e

Download Submit
memory/2016-0-0x000000007493E000-0x000000007493F000-memory.dmp

Filesize
4KB

Download
memory/2016-1-0x0000000000D70000-0x0000000000D7A000-memory.dmp

Filesize
40KB

Download
memory/2016-7-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/2016-24-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-23-0x00000000010C0000-0x00000000010CA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing