8a48a7111f63b5e96b09ba8f1b7e27b0ad7f3acd157b1a3bb9984c6d6c0c4500

General

Target

140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe
Size

12KB
MD5

140bb9e967f15182f0b6b4446615e790
SHA1

75f56daceed685ede96cd7eeb5d9409dff9db37e
SHA256

8a48a7111f63b5e96b09ba8f1b7e27b0ad7f3acd157b1a3bb9984c6d6c0c4500
SHA512

7a8b9e597086059efa5038a7f28d6d665d080602559da78775376a0849c72daa3a2c3cda5a6b1bfc4dd14bb198d2e4ec2012f167a3f11a37e9d937928d4c20ea
SSDEEP

384:BL7li/2zBq2DcEQvdhcJKLTp/NK9xayI:hhM/Q9cyI

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmpD6A.tmp.exe

pid process

2896 tmpD6A.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpD6A.tmp.exe

pid process

2896 tmpD6A.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe

pid process

2956 140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2956 140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe

pid	process
2896	tmpD6A.tmp.exe

pid	process
2896	tmpD6A.tmp.exe

pid	process
2956	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2956	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2956 wrote to memory of 2436	2956	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe	vbc.exe
PID 2956 wrote to memory of 2436	2956	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe	vbc.exe
PID 2956 wrote to memory of 2436	2956	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe	vbc.exe
PID 2956 wrote to memory of 2436	2956	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe	vbc.exe
PID 2436 wrote to memory of 2576	2436	vbc.exe	cvtres.exe
PID 2436 wrote to memory of 2576	2436	vbc.exe	cvtres.exe
PID 2436 wrote to memory of 2576	2436	vbc.exe	cvtres.exe
PID 2436 wrote to memory of 2576	2436	vbc.exe	cvtres.exe
PID 2956 wrote to memory of 2896	2956	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe	tmpD6A.tmp.exe
PID 2956 wrote to memory of 2896	2956	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe	tmpD6A.tmp.exe
PID 2956 wrote to memory of 2896	2956	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe	tmpD6A.tmp.exe
PID 2956 wrote to memory of 2896	2956	140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe	tmpD6A.tmp.exe

C:\Users\Admin\AppData\Local\Temp\140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\25l3ep2d\25l3ep2d.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc728F2C044DD343F29BB431D76413CE8.TMP"
3⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\tmpD6A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD6A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\140bb9e967f15182f0b6b4446615e790_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25l3ep2d\25l3ep2d.0.vb

Filesize
2KB

MD5
5fd5d763542f12291efe52c62657c864

SHA1
7d86f5ac144a3b76cd9003e501a4af1b5fdfd2ea

SHA256
97b16a6b172d4033946acc0a2b854e22e97b49a8fe940db0c5a1097fb4506414

SHA512
050d27235b653d1e5d9600a5323aa31dba6002db3883f56e447456aa1939d14cb118d2bdde051df0f8add12b5616f16c159643417134dbacd4613c8d63a58501

Download Submit
C:\Users\Admin\AppData\Local\Temp\25l3ep2d\25l3ep2d.cmdline

Filesize
272B

MD5
65b9e795fd30853db6a269d85a164faa

SHA1
e8a7bbb3eb0b99c8367ab9e97d68ad5fcdf6a52f

SHA256
46aa43c59fcb4c0870506a81677379c64dff352b5604a5e16a544d6db200b0bc

SHA512
a675991faaa53d348603210637d6fcb9d4d581e4bf9d3c200b8c7fe8c6b875b71b5ca75e17f7bace81e486fac71ce10bd3c8bb8b500d2c42c91368148e4ec9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
52d1a162ab45a192bda4e5a9faaaebf9

SHA1
e797384ad660f01e8b921928ebf4a213da6fb7da

SHA256
48cbdcc0367f5cd610c273c95fa0020b87311682bbb741664200be0896774ffe

SHA512
ff63fbfcce2a161a699ba4eb610e8cdce9a03f68c6064c717b5e81d58898f2245295477278301d5f5fdfbcd3afd7443b1684c5ec000a920846420a2d269cd2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEC0.tmp

Filesize
1KB

MD5
c451c7cacfe69270c7cce8cf1594e507

SHA1
8ea83bb3b205d97646fafb764669328a27c04b49

SHA256
822f281fc86853f012841b499b79ea36e79a6393d71349d594d6decf6f1e1022

SHA512
77238ab37ea5242c4b663315c6acef36ef9af59b74e5c3adffa1d1d57819f3e05edf4817229e9b8ececa126e20f9befdc8bd71b3f648c94df9035199820974f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD6A.tmp.exe

Filesize
12KB

MD5
4ea8fe8ddef89e91bfffd08372475468

SHA1
4e98b2e950339d887b90d274e2337e3e4da803f0

SHA256
f1fd69dd5b13d4faadc782d23ea983e83396adde2d4e61ae8b748e97e32d0e5f

SHA512
82bb2f091711cee57712a605bfcb61c59036163494f316351673c55fb8ccd0ca2b77c68bfbfa52677e479f769db8c2eae2847ee962c650db45812bac66970d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc728F2C044DD343F29BB431D76413CE8.TMP

Filesize
1KB

MD5
bf2fa26e998b9f88009f76d4a8ce8834

SHA1
4699cd0e87f21bc47f296504e681d64f457e38b9

SHA256
8f34b6dbfec7d9b235c36ab8627929549bbfb62e089d17d711db2b7a1bc692bc

SHA512
2040141dbfa2b03cf8c84cc696ee91b682ffe639febfc5c3eef42603977aeb0f311bc72791db1ce74f5c16dd24a5d22f33621ad79ef67fbdf7b40415229dcd49

Download Submit
memory/2896-23-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/2956-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/2956-1-0x0000000000840000-0x000000000084A000-memory.dmp

Filesize
40KB

Download
memory/2956-7-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2956-24-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing