197771b0c468783ef5eb8c6d0662a8294773d6d890869ce1dedabd298f674377

General

Target

05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
Size

12KB
MD5

05d5f3b522bedac3f1ce6543b32868f0
SHA1

f2e788b623b9a0ec0b83a5b1c92d5293fa85dc3f
SHA256

197771b0c468783ef5eb8c6d0662a8294773d6d890869ce1dedabd298f674377
SHA512

cbed6b69f30455677ab3dca7a2cdf28769c50bf0e03f3c7085163e8a502bcc381a63be6940264314872881c6943975376b878e66b88f938fcbd2b0cd4c2a1985
SSDEEP

384:qL7li/2z9q2DcEQvdhcJKLTp/NK9xaYp:0lM/Q9cYp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp1881.tmp.exe

pid process

2684 tmp1881.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp1881.tmp.exe

pid process

2684 tmp1881.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe

pid process

1304 05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1304 05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe

pid	process
2684	tmp1881.tmp.exe

pid	process
2684	tmp1881.tmp.exe

pid	process
1304	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	1304	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 1304 wrote to memory of 628	1304	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe	vbc.exe
PID 1304 wrote to memory of 628	1304	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe	vbc.exe
PID 1304 wrote to memory of 628	1304	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe	vbc.exe
PID 1304 wrote to memory of 628	1304	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe	vbc.exe
PID 628 wrote to memory of 2980	628	vbc.exe	cvtres.exe
PID 628 wrote to memory of 2980	628	vbc.exe	cvtres.exe
PID 628 wrote to memory of 2980	628	vbc.exe	cvtres.exe
PID 628 wrote to memory of 2980	628	vbc.exe	cvtres.exe
PID 1304 wrote to memory of 2684	1304	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe	tmp1881.tmp.exe
PID 1304 wrote to memory of 2684	1304	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe	tmp1881.tmp.exe
PID 1304 wrote to memory of 2684	1304	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe	tmp1881.tmp.exe
PID 1304 wrote to memory of 2684	1304	05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe	tmp1881.tmp.exe

C:\Users\Admin\AppData\Local\Temp\05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0hcgxd5n\0hcgxd5n.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87FF31EEE24B4D56852598FD6F7ADC0.TMP"
3⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\tmp1881.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1881.tmp.exe" C:\Users\Admin\AppData\Local\Temp\05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0hcgxd5n\0hcgxd5n.0.vb

Filesize
2KB

MD5
7847dd7a814446cc6a3aad61eacd3c4c

SHA1
1153b559b9bfb78ab5a5201b733d0893981de9ee

SHA256
fa95261f1e33384aa24eaa5bbd6709ad6968fee524a53f11a674e7b8ab502a88

SHA512
f1ee25d73e4a10a23e012ecce00f7b175d78144cf287324cbb84a9869e9e04b4c95a0edb4891f9978aa09c6ab0f7f1b140339e007a227da2d12225a491bc418a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0hcgxd5n\0hcgxd5n.cmdline

Filesize
273B

MD5
ed2717de14e3b6aa773a3dc0b53c3054

SHA1
767d28feb32e1e926be3e2345f877dab9843bbc2

SHA256
5a768c833a4afc43374aad2e6fc1d79a6543c1b8d69046cb9389e27f5b4171ce

SHA512
e3066dbe7982e98f9db547d91893eaaea14678eca7cca7263f45e8376fe85c3405a95f1ff58380e1790f7c49b2d261bfe0eb87616cd64836bfcbb2b96bb466bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
98d732423d296f81fb4602070fa68cdc

SHA1
854d9d253e6f999f34e09fbddb3594cb95c13066

SHA256
18563f65f790169ac6fb77466f59390a6077e9cb16c051c23266d9b1d6ef07a4

SHA512
a232fa0d6cfec6314581e462968a95ece75db25b83820662c5722bf5e88818a5e0cd2e7e4016e823a9f456c6bde1271afc560b30638f63ce0b9e97cf7cef1461

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1A16.tmp

Filesize
1KB

MD5
8d4ac34155983fd16dcb2d7710951254

SHA1
b70ce4b9f3c71a32740f0a9d17fd2cbb7f795534

SHA256
ae01bcb9a00e3855cabf48e400bee69f785376d90e4562cde63fa1e8d59b2c3b

SHA512
e19d3e51d072c77d752c72085d200571e674c193ad10d87a8225c3660564e0b0d690e7c1089f2bef289ba127a463cb847ef02e386b3fbacc57032dfe134ca5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1881.tmp.exe

Filesize
12KB

MD5
57a8cc1856c9f5faa14b7e503490907f

SHA1
e792ee57370ceb05e26f286b65539254eeec8613

SHA256
2abcef51c01c90138578e6f3579ffeedbd4be295112d0f7281467daa5d55dc9d

SHA512
23d472b30af233b70340a2ea203265c3bff2ce88aa19e229b1fea277bd74bbd7597d9772871621a8d2346f39a64d8b093a137fe8fe1cd28f09dee2f472302f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc87FF31EEE24B4D56852598FD6F7ADC0.TMP

Filesize
1KB

MD5
544bc27ccc74c04fc739699e3b64b8ae

SHA1
029cd9741d5ebfd707f29ccf0904ce3d8409f3d9

SHA256
8fd4015568eebb08b12ad0b154d044cd5bc13c17eb48a6a9dc229b8b643560a2

SHA512
8d496fb9c8563d00a6f61ee04f999c418ffc17f52ddc934460c3e199a075944129b264a8cb4768dbff9ffcbab9859bf8b0b6333209093392f0f429803d271c5a

Download Submit
memory/1304-0-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

Filesize
4KB

Download
memory/1304-1-0x0000000001140000-0x000000000114A000-memory.dmp

Filesize
40KB

Download
memory/1304-7-0x0000000074E20000-0x000000007550E000-memory.dmp

Filesize
6.9MB

Download
memory/1304-23-0x0000000074E20000-0x000000007550E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-24-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing