8947b42a2b82096d6f610b6d8576fe6cb5ca788340cb4973339c77ea3ca51555

General

Target

206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe
Size

12KB
MD5

206a64a5e4ff4159260d03a7b74e6f20
SHA1

a562d4744cdda7b4904ecb084cce75f47eee4263
SHA256

8947b42a2b82096d6f610b6d8576fe6cb5ca788340cb4973339c77ea3ca51555
SHA512

b656cf424fb913c2142a610dee5e62948577e75dd1affda129774adbe5c6739ef2eefc712c7322948a79a5a8b6c6874adeb65fdca878c791567816b44b41014d
SSDEEP

384:vL7li/2zsq2DcEQvdhcJKLTp/NK9xaQ9:DYM/Q9cQ9

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp147B.tmp.exe

pid process

2596 tmp147B.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp147B.tmp.exe

pid process

2596 tmp147B.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe

pid process

2044 206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2044 206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe

pid	process
2596	tmp147B.tmp.exe

pid	process
2596	tmp147B.tmp.exe

pid	process
2044	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2044	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2044 wrote to memory of 2376	2044	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe	vbc.exe
PID 2044 wrote to memory of 2376	2044	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe	vbc.exe
PID 2044 wrote to memory of 2376	2044	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe	vbc.exe
PID 2044 wrote to memory of 2376	2044	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe	vbc.exe
PID 2376 wrote to memory of 2680	2376	vbc.exe	cvtres.exe
PID 2376 wrote to memory of 2680	2376	vbc.exe	cvtres.exe
PID 2376 wrote to memory of 2680	2376	vbc.exe	cvtres.exe
PID 2376 wrote to memory of 2680	2376	vbc.exe	cvtres.exe
PID 2044 wrote to memory of 2596	2044	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe	tmp147B.tmp.exe
PID 2044 wrote to memory of 2596	2044	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe	tmp147B.tmp.exe
PID 2044 wrote to memory of 2596	2044	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe	tmp147B.tmp.exe
PID 2044 wrote to memory of 2596	2044	206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe	tmp147B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\savtkwp1\savtkwp1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD13991585CA4A3085CC50E161201F29.TMP"
    3⤵
    PID:2680
- C:\Users\Admin\AppData\Local\Temp\tmp147B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp147B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\206a64a5e4ff4159260d03a7b74e6f20_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
b442b555ce41ff8d0f4332dc4b0acd60

SHA1
944a5337d6727bfe77347b3a435fdf465e0ca3d3

SHA256
0927e569dde8e322fddcebc13f2e5aa0310c9205023afe7d4ea3031656cc377a

SHA512
b0c3ccc766c1bbeb92ede2b1ad0a75871ef849c1bbb2f84603ae80567f1b71e2a7e520c1ee51e1b85ea25d5e2aa981b071206487eb14045b9048300b00f247a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES15F1.tmp

Filesize
1KB

MD5
2e47b4f3bd5b223f23482f8c71f51b2d

SHA1
456ce18d6b553d3112f2a5fb4ae1dc16ad515552

SHA256
2ca7cc6c5dbbd941522fd3048cccb0e3e6fbe0ce6c28ee87a15aed5da96274dd

SHA512
92bc3269797b95c50879af5edd1e0073dd20187ced7990b5d84c7fa28ac3795c203ec342e75ff9a84e9f9a67c167f1e376b7d4d448cc4ba80266150178095e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\savtkwp1\savtkwp1.0.vb

Filesize
2KB

MD5
e2410dcb55606c2ab9daed974c0a3b25

SHA1
4987d5be6fa95a51bad49c429a47ab716a8fde58

SHA256
e46c3b99614ed1a7f3ba48329581eb517543158e173803d637dd9bbb328ffdde

SHA512
3d90a8bc15ce65e03ea80341bcd810a46fff0cdb171d306849802ba0b24dc13a336fee7183a7d3b28d7bd620ec50f75a02851061fc0c1375d82015604208e4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\savtkwp1\savtkwp1.cmdline

Filesize
273B

MD5
9e527ef1270f401d999b2982e4eff4cc

SHA1
ba7a210fcb7bc2ac6b676de7e3f1f07e45182890

SHA256
3661a313dbd53b6c8010837e909cf4a2c8b4edbe26c1a9e58a94889c4618bc7a

SHA512
1f0a9cff9ba14b7a25fc3422b3a9336a46f411a7cf5428b1f6f4f2a595d4b635a88bc813e712c8e319715c98a08a4bddfdea261598144eb83d51fe326c093aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp147B.tmp.exe

Filesize
12KB

MD5
17e93c6819f92cd6da1171fd894d1bc2

SHA1
7343ad34dc5b8ba2dbc1bd3fa30eed11b1ba38f7

SHA256
d534641ad5e147c03d50bd6072012d68e5c8f93e71a70346366763f1c7b4fa14

SHA512
970dae0ebd93ed6e1b867518a745ef3a05d279dd62d09d4a685d97e147479545109be4add808d3b0f7a14a0fe8485529b4e3db81448a1fa830a6faac64350fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD13991585CA4A3085CC50E161201F29.TMP

Filesize
1KB

MD5
d6884e9db796ef94f7cd44e56cb092d0

SHA1
0487f1e6c19a52b663bf725417a292fd8ed1b4f6

SHA256
665446e63653a07069024d7e6db01c55827b22d838140d0ebffb4b9e79c0fa6d

SHA512
d23b2c4d208caba429ab4be760ed899df803e4312485dc02c154cf8be171e475b6a379ce953302cb6eaa5bd86f1c44a060a9004e3bb740bf9f522542e2d49acd

Download Submit
memory/2044-0-0x000000007409E000-0x000000007409F000-memory.dmp

Filesize
4KB

Download
memory/2044-1-0x0000000001210000-0x000000000121A000-memory.dmp

Filesize
40KB

Download
memory/2044-6-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-24-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-23-0x0000000001230000-0x000000000123A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing