60ddf2a580aac8ff81f081e5242c6fe2c6608595218213e35887a2d2b1bfb286

General

Target

9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe
Size

12KB
MD5

9e6df3129ba4575dd56efb641363cf70
SHA1

fb0f62ab1aee4774b46bd47379bec248e05ab508
SHA256

60ddf2a580aac8ff81f081e5242c6fe2c6608595218213e35887a2d2b1bfb286
SHA512

49b0116a901943e476f6c3aae6ce842ad271c9743c3d09a716aa366c14bf98580e02693560a506219cbadbc3e0429708fd3084071fb9af80730330c984eb1cec
SSDEEP

384:uL7li/2z3q2DcEQvdhcJKLTp/NK9xaEY:4rM/Q9cEY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp1739.tmp.exe

pid process

2748 tmp1739.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp1739.tmp.exe

pid process

2748 tmp1739.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe

pid process

1648 9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1648 9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe

pid	process
2748	tmp1739.tmp.exe

pid	process
2748	tmp1739.tmp.exe

pid	process
1648	9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	1648	9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 1648 wrote to memory of 2092	1648	9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe	vbc.exe
PID 1648 wrote to memory of 2092	1648	9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe	vbc.exe
PID 1648 wrote to memory of 2092	1648	9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe	vbc.exe
PID 1648 wrote to memory of 2092	1648	9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe	vbc.exe
PID 2092 wrote to memory of 2884	2092	vbc.exe	cvtres.exe
PID 2092 wrote to memory of 2884	2092	vbc.exe	cvtres.exe
PID 2092 wrote to memory of 2884	2092	vbc.exe	cvtres.exe
PID 2092 wrote to memory of 2884	2092	vbc.exe	cvtres.exe
PID 1648 wrote to memory of 2748	1648	9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe	tmp1739.tmp.exe
PID 1648 wrote to memory of 2748	1648	9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe	tmp1739.tmp.exe
PID 1648 wrote to memory of 2748	1648	9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe	tmp1739.tmp.exe
PID 1648 wrote to memory of 2748	1648	9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe	tmp1739.tmp.exe

C:\Users\Admin\AppData\Local\Temp\9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m3rhul4m\m3rhul4m.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18ED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EB9281E5B20433FA3D0116886EB2254.TMP"
    3⤵
    PID:2884
- C:\Users\Admin\AppData\Local\Temp\tmp1739.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1739.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9e6df3129ba4575dd56efb641363cf70_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
23ea14182f2afe8be2da412ea2057144

SHA1
919e6d15605293f3f6b709959c4a9cb31bb6c65f

SHA256
618dc89d47bd200357e56280faa0adfc2baa770bd5e62aed9d603b4bfd593a9a

SHA512
34893f29b9305f8100e9abb49c510d6d8c307b2531612b2923d1a0e95863e0588d54e30a14eb9460487fb8e737f606fa7886274a95deeb22e94f50612f649b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES18ED.tmp

Filesize
1KB

MD5
ed9088029c2855f4a3f47f09615a78bd

SHA1
852ad757e3d96ffec0c903db7f1eb99a2217fe43

SHA256
8a81c9c50a0d37e24836bed65d32ffec6ed0fcae24156529e8bfdeada02856c3

SHA512
0b8f59af824d802c13d1cd0e2a5e462b6e6c82ef1e825b429a47b0106dc4dac3d1f7345ad3ecdb9cc19010d9ef25cd03778b47046a35f4b2647e3cb55137248b

Download Submit
C:\Users\Admin\AppData\Local\Temp\m3rhul4m\m3rhul4m.0.vb

Filesize
2KB

MD5
4cbb48d15dd0015bb92ebe18807fe638

SHA1
b41b92c149f072228bf7e0ab504b0dd602447907

SHA256
43ce935567716263e74baecb39c66738f2b232ac86e572660529e60aee9a6680

SHA512
bb97920fbf23e1e277598110d5e4c9bd9748aec8a75b2313d9acfbca1a4acb007a024760b218d2f2cfaa36009d498ae0bcc0a568f31d328bdb9d7c36f90848ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\m3rhul4m\m3rhul4m.cmdline

Filesize
273B

MD5
44ac89fc7fba5fafe71b1650fc4d6051

SHA1
cdbecd13172d993180a2146f1899580c760cb2f6

SHA256
70dc32c34defea173d2524475ebc0dd9e67718baa7a7ac48b0f4439addea2271

SHA512
6c62a1e525fb43ba038691dcca1056a1da18374068db03285e917572fa1826022cc193d3d7c0ee04447253b453812f32deeaa84e96a3f66dd0e153efb45d2d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1739.tmp.exe

Filesize
12KB

MD5
5269ec49064eecf037404ec59fb73082

SHA1
35bf98acc44ac94455c87e7215073914ce4acb45

SHA256
d1a89f2b60a636a2115a57f918421d4a77fd7be945de40201f44cc3f73a00f71

SHA512
4d0d0815bbd369605b793bb75d56a9a82ee9b32ab60cac1fa24ae076829de09558fd1a43e9dc2bfa2333d02e18a38eece6da40d63ad6538fa80bdd21f5fba025

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2EB9281E5B20433FA3D0116886EB2254.TMP

Filesize
1KB

MD5
033c9e7916a577569dbd2c3600c3412d

SHA1
22761983fe7a7c06e9e584ba222ce3b3fa0ac333

SHA256
fd7141372f9d8a746ca26df924ddf6e78cca9ecbe27156dbbd8e86cd77c4e26a

SHA512
0feaabc7c9cde0dc44d6f5ee1122ff5c8de1d707078ab79eedc0a2ae1416bfba89369604013bb7704f1600a77eb09da857469f8a480c51dcd35984836cf6ef12

Download Submit
memory/1648-0-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

Filesize
4KB

Download
memory/1648-1-0x0000000000D60000-0x0000000000D6A000-memory.dmp

Filesize
40KB

Download
memory/1648-7-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/1648-24-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-23-0x0000000000EF0000-0x0000000000EFA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing