42b841392f7517a0a0ade88f3252a6b210f89c12a64789bea4beac6ea10c48bc

General

Target

132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe
Size

12KB
MD5

132e5db6d0fc8a805c901a29d4a237f0
SHA1

1b152941db92bdf154d830d0202711f421a2f519
SHA256

42b841392f7517a0a0ade88f3252a6b210f89c12a64789bea4beac6ea10c48bc
SHA512

04bf7bac50ee74ee104208e58388cf421d26868a6adbd2e97716cf8da1827cf25ec7a365b0c1dd62451e5858e158d4502c4e519d59025e40a4059b25815f1f91
SSDEEP

384:jL7li/2zpq2DcEQvdhcJKLTp/NK9xalA:nxM/Q9clA

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp1B10.tmp.exe

pid process

2904 tmp1B10.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp1B10.tmp.exe

pid process

2904 tmp1B10.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe

pid process

1984 132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1984 132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe

pid	process
2904	tmp1B10.tmp.exe

pid	process
2904	tmp1B10.tmp.exe

pid	process
1984	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	1984	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 1984 wrote to memory of 2884	1984	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe	vbc.exe
PID 1984 wrote to memory of 2884	1984	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe	vbc.exe
PID 1984 wrote to memory of 2884	1984	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe	vbc.exe
PID 1984 wrote to memory of 2884	1984	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe	vbc.exe
PID 2884 wrote to memory of 2620	2884	vbc.exe	cvtres.exe
PID 2884 wrote to memory of 2620	2884	vbc.exe	cvtres.exe
PID 2884 wrote to memory of 2620	2884	vbc.exe	cvtres.exe
PID 2884 wrote to memory of 2620	2884	vbc.exe	cvtres.exe
PID 1984 wrote to memory of 2904	1984	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe	tmp1B10.tmp.exe
PID 1984 wrote to memory of 2904	1984	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe	tmp1B10.tmp.exe
PID 1984 wrote to memory of 2904	1984	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe	tmp1B10.tmp.exe
PID 1984 wrote to memory of 2904	1984	132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe	tmp1B10.tmp.exe

C:\Users\Admin\AppData\Local\Temp\132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qbpkw5zy\qbpkw5zy.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA3472D93FBA4F10B1E81BC494C199EB.TMP"
3⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\tmp1B10.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1B10.tmp.exe" C:\Users\Admin\AppData\Local\Temp\132e5db6d0fc8a805c901a29d4a237f0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2904

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
f19f5ce9c87c70da42142ed0b679042b

SHA1
e45cc034e49bad4d5ab4c224136f91bd4e7e68f9

SHA256
f52ca886b0683401e9e64c379f0a951c615ed5feedecc7f92088b7d5e08cc139

SHA512
5e87d087a4d1c8591107c58d93d47ec79d3221622ca48011204259c020f1b08d61e799014f87f7cc218d0b5fd9cb5128da93d04ddd3f3c7d04ad9c695a743a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1C66.tmp
Filesize
1KB

MD5
f7c4e937e49690797c73db43f51dc77f

SHA1
7d6284ae60ff33206c8e7a7051e4bc165c2df60a

SHA256
6ec966695a302a2dd2841457a16d252532ef9dba1fab2566575607e51c2e4081

SHA512
86b8779a3091dff97123c7606e82d001a7a362ee82a07192277cf06e79c6cf9928134413aa7c6dbfc14bb8e3fd38260005df8660662bccc7aeac2fc06f43079a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbpkw5zy\qbpkw5zy.0.vb
Filesize
2KB

MD5
14cf0578bdd5ab16e00aa9431b9c6145

SHA1
aaf1a6a727cbece21ea6c278a76c06d9ec74a769

SHA256
2fa3f44b89dfa38717126180b73ae6a75cfd001b21dfb4b4e68caa0a366823ba

SHA512
6e639029e304ca696c5c168b8c770b1b2477b0b36f40925c01b8c2e91f6ccbd22ae0c412364f46a2c41b6f5cd9cf559732a695f188a1dfb3a6b358946dc4cc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbpkw5zy\qbpkw5zy.cmdline
Filesize
273B

MD5
ab96380c634c5ffbdf03dc476fe9df9d

SHA1
0aea01564aa71bbbfe4b406923811d4340f50efc

SHA256
81cbbd0328541bedcb3560107ee7b3e3b1a59f8e5415bc504ffae187f9361964

SHA512
ca2f162d793a8e62233640c023b5845ffb359517f972359f4bd6d36d2ef7d7181c4ce9a47ed17a018e74b454ea23ba8f071bf242275634724a5b97690d5a5be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B10.tmp.exe
Filesize
12KB

MD5
0e63b62d96d6fef80150084160479d9f

SHA1
edc916ec7e8e1e3187e2f81db11d13a93a4878a3

SHA256
2db57a20e80a8ea9bb721fc66ed7866bab2ff6b61960c48b2bbaf3cbe78c3eba

SHA512
bb960fdfdc1d307665de91102263073047ed948cdcbe6bd8f2c15f2ea5fc892fe431bc09de94e02bce16efd36836f4f6a7d6e9f5f0aedd68bdab858557443080

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAA3472D93FBA4F10B1E81BC494C199EB.TMP
Filesize
1KB

MD5
fb2a6778b5d4c99e57e711c9cfe50401

SHA1
2f007e3f23a166547849386ce5d70130a93dec54

SHA256
895820354b89f47845a3f53ab9e3c25743dbc1340e78016f2ea8b5fceb53a44a

SHA512
4ad1f6ea2b8cb3a98dda7f67b5d7b0cb6a3280514532cfa73a7af9019ac5b1ef971da765257dfb188b2b0caf53650fa1f6732b7bbc0488e3a63f2114f06d2a55

Download Submit
memory/1984-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/1984-1-0x0000000000D60000-0x0000000000D6A000-memory.dmp

Filesize
40KB

Download
memory/1984-8-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/1984-24-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2904-23-0x0000000001200000-0x000000000120A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing