d5303e09735b0bda21cecd9df1efa7607bdaf8dc4508519732f11bb43e2d887c

General

Target

266848b0226df1b7af79edbaf4d0c3b0_NeikiAnalytics.exe
Size

12KB
MD5

266848b0226df1b7af79edbaf4d0c3b0
SHA1

11750ea6966c0659798d380d067c3b2a1165509c
SHA256

d5303e09735b0bda21cecd9df1efa7607bdaf8dc4508519732f11bb43e2d887c
SHA512

8f87cc9d304fa301cce5cf63107bf4ff021e9874ba534eff529f1511fa010c32c0f9a4e10e87329d702195a10b59471ba0a386997b96df544ba86d6b12dc8e9f
SSDEEP

384:vL7li/2zXq2DcEQvdhcJKLTp/NK9xa42:DjM/Q9c42

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2644	tmp280B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2644	tmp280B.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
3000	266848b0226df1b7af79edbaf4d0c3b0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	266848b0226df1b7af79edbaf4d0c3b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2184	3000	266848b0226df1b7af79edbaf4d0c3b0_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 2184	3000	266848b0226df1b7af79edbaf4d0c3b0_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 2184	3000	266848b0226df1b7af79edbaf4d0c3b0_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 2184	3000	266848b0226df1b7af79edbaf4d0c3b0_NeikiAnalytics.exe	28
PID 2184 wrote to memory of 2568	2184	vbc.exe	30
PID 2184 wrote to memory of 2568	2184	vbc.exe	30
PID 2184 wrote to memory of 2568	2184	vbc.exe	30
PID 2184 wrote to memory of 2568	2184	vbc.exe	30
PID 3000 wrote to memory of 2644	3000	266848b0226df1b7af79edbaf4d0c3b0_NeikiAnalytics.exe	31
PID 3000 wrote to memory of 2644	3000	266848b0226df1b7af79edbaf4d0c3b0_NeikiAnalytics.exe	31
PID 3000 wrote to memory of 2644	3000	266848b0226df1b7af79edbaf4d0c3b0_NeikiAnalytics.exe	31
PID 3000 wrote to memory of 2644	3000	266848b0226df1b7af79edbaf4d0c3b0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\266848b0226df1b7af79edbaf4d0c3b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\266848b0226df1b7af79edbaf4d0c3b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aj0fq3i4\aj0fq3i4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A0D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc43539D58A7BD44C090AEB5BDFB59F162.TMP"
    3⤵
    PID:2568
- C:\Users\Admin\AppData\Local\Temp\tmp280B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp280B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\266848b0226df1b7af79edbaf4d0c3b0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4b215f4feba3705e9405697ca014baef

SHA1
8f0cc10ae1d95eab867a75d2b56d9b30d0137d8f

SHA256
26833e90459c4580b15d84df1224b34d779abcde045f1fd6c14382879111070e

SHA512
bf5928475db9cf3f16c93c6891e01d7074a170ef7e48cf0603f5fba93598d6f65869e8173ca275a70fd5a2ce2505a49b8eb5bdab962619605c1505dcd6d32a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2A0D.tmp

Filesize
1KB

MD5
ddf75b9f17f6a2f05e5adde4419692fe

SHA1
eb0e885f406653330fd76dc155a10073463c67be

SHA256
7b2db25ac2ffaeca28d7a44ca9e57c487828ef88002f3cf0d01ad9a1925693c4

SHA512
a5a60a431b3a4fb5e5b4f7dcd129e5eab8f9d5d506cdbc65d5b427a0fb62f8c08cfd5d6342abf4056624438672ef7b6e38e100a3f273c38470d02c70e810accd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aj0fq3i4\aj0fq3i4.0.vb

Filesize
2KB

MD5
06db6c094be9241427eaa19ae1767077

SHA1
ffa7d6765d7df2bc06b695789ad16b86ec159be0

SHA256
26c60bffcfa069721089f41a08be0ed869e544e68ce3fac625139128023cadc9

SHA512
80798aaeb55af2991918e500316869de1b9a63f9a8b052b68ddad54df292176f528a12c081e9ebd45644b4dda1138264d83104bf3a92f1fb532ffea5ab14953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aj0fq3i4\aj0fq3i4.cmdline

Filesize
273B

MD5
bdfde0e305d1d09fab9530ee2bb10770

SHA1
ba320cb2a0e367f7460b51c56722178e833a6a8e

SHA256
58206511312397d4e279e19b1ece197c01ceca99bf790341161c3e080e92fd54

SHA512
c16af6bca34e2da25df650f2d362943ab719a34f48db9faeb9465bf63a447bf95074ae0204aa19243628734cc8693b2ec9d895e08a60e8a92e70079f775e7257

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp280B.tmp.exe

Filesize
12KB

MD5
fc4f4a1c388f08d470b49a89d9d56c2b

SHA1
cb7f83bb420b3706829bb6ac6212207554df79af

SHA256
4ca95ba20d7b44514468d3cc13e5c03a8683480c80980bb34ba37ab4652499d2

SHA512
3dbeb299b37d86ece7c87084b91799de10bf77375284f1e56344007e25c3700b6494ca4c741f1fc95cf116d9545161f7729d472b0e76ae1ab13ecde3fad4a144

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc43539D58A7BD44C090AEB5BDFB59F162.TMP

Filesize
1KB

MD5
379bb5736438251dbb11851755c883bd

SHA1
647523b8998bfb23409e08eb4819a080ef5ed47d

SHA256
e1166ead92c3c21a4ac8982defd3d20def7eb9027e6a86b2210e4248940b6e12

SHA512
fb205abee107aac34a9b902495c2397a68280b41f432a0dd7b8c14c0d6879c82e4070a0ffb1be667672ea907d215a893406bc8a26850789c6da60242a4f065fb

Download Submit
memory/2644-23-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/3000-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

Filesize
4KB

Download
memory/3000-1-0x0000000000EF0000-0x0000000000EFA000-memory.dmp

Filesize
40KB

Download
memory/3000-7-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/3000-24-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing