Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 20:27
Static task: static1
Behavioral task: behavioral1
  Sample: 05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
Size: 12KB
MD5: 05d5f3b522bedac3f1ce6543b32868f0
SHA1: f2e788b623b9a0ec0b83a5b1c92d5293fa85dc3f
SHA256: 197771b0c468783ef5eb8c6d0662a8294773d6d890869ce1dedabd298f674377
SHA512: cbed6b69f30455677ab3dca7a2cdf28769c50bf0e03f3c7085163e8a502bcc381a63be6940264314872881c6943975376b878e66b88f938fcbd2b0cd4c2a1985
SSDEEP: 384:qL7li/2z9q2DcEQvdhcJKLTp/NK9xaYp:0lM/Q9cYp
Malware Config
Signatures
- Deletes itself (1 IoCs)
  Processes (pid / process):
    2684  tmp1881.tmp.exe
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    2684  tmp1881.tmp.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
    1304  05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1304  05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1304 wrote to memory of 628   1304  05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe  vbc.exe
    PID 1304 wrote to memory of 628   1304  05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe  vbc.exe
    PID 1304 wrote to memory of 628   1304  05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe  vbc.exe
    PID 1304 wrote to memory of 628   1304  05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe  vbc.exe
    PID 628 wrote to memory of 2980   628   vbc.exe  cvtres.exe
    PID 628 wrote to memory of 2980   628   vbc.exe  cvtres.exe
    PID 628 wrote to memory of 2980   628   vbc.exe  cvtres.exe
    PID 628 wrote to memory of 2980   628   vbc.exe  cvtres.exe
    PID 1304 wrote to memory of 2684  1304  05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe  tmp1881.tmp.exe
    PID 1304 wrote to memory of 2684  1304  05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe  tmp1881.tmp.exe
    PID 1304 wrote to memory of 2684  1304  05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe  tmp1881.tmp.exe
    PID 1304 wrote to memory of 2684  1304  05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe  tmp1881.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe"
  PID: 1304
  Signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0hcgxd5n\0hcgxd5n.cmdline"
    PID: 628
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87FF31EEE24B4D56852598FD6F7ADC0.TMP"
      PID: 2980
  - C:\Users\Admin\AppData\Local\Temp\tmp1881.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1881.tmp.exe" C:\Users\Admin\AppData\Local\Temp\05d5f3b522bedac3f1ce6543b32868f0_NeikiAnalytics.exe
    PID: 2684
    Signatures: Deletes itself; Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads