e09f83478dc9ef34e7161e3b905a251984d4d4e98b8bedaf18c0a7e1a21f1b99

General

Target

3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe
Size

12KB
MD5

3dbe56c03c39b1b306e98bfd06b87c60
SHA1

763003fd6f23df8e3ff752affc7f7e056d98785c
SHA256

e09f83478dc9ef34e7161e3b905a251984d4d4e98b8bedaf18c0a7e1a21f1b99
SHA512

f7da86cb6fcf77744819a8a948764c9edf094eba80e5d7a46b0060904aaaba15c09b172ac8f05b3ab3cf29de571516a0a55912362283794f6d292ef1c1423270
SSDEEP

384:zL7li/2ztq2DcEQvdQcJKLTp/NK9xaZh:XtMCQ9cZh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp2000.tmp.exe

pid process

2744 tmp2000.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp2000.tmp.exe

pid process

2744 tmp2000.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe

pid process

1964 3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1964 3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe

pid	process
2744	tmp2000.tmp.exe

pid	process
2744	tmp2000.tmp.exe

pid	process
1964	3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	1964	3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 1964 wrote to memory of 2344	1964	3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe	vbc.exe
PID 1964 wrote to memory of 2344	1964	3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe	vbc.exe
PID 1964 wrote to memory of 2344	1964	3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe	vbc.exe
PID 1964 wrote to memory of 2344	1964	3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe	vbc.exe
PID 2344 wrote to memory of 2520	2344	vbc.exe	cvtres.exe
PID 2344 wrote to memory of 2520	2344	vbc.exe	cvtres.exe
PID 2344 wrote to memory of 2520	2344	vbc.exe	cvtres.exe
PID 2344 wrote to memory of 2520	2344	vbc.exe	cvtres.exe
PID 1964 wrote to memory of 2744	1964	3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe	tmp2000.tmp.exe
PID 1964 wrote to memory of 2744	1964	3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe	tmp2000.tmp.exe
PID 1964 wrote to memory of 2744	1964	3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe	tmp2000.tmp.exe
PID 1964 wrote to memory of 2744	1964	3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe	tmp2000.tmp.exe

C:\Users\Admin\AppData\Local\Temp\3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xrc3odrt\xrc3odrt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2118.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35F75EBA638D4AABB8CDB4452C61D99D.TMP"
    3⤵
    PID:2520
- C:\Users\Admin\AppData\Local\Temp\tmp2000.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2000.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3dbe56c03c39b1b306e98bfd06b87c60_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
18fe757a42523b922be025669fa09eb4

SHA1
e194337a7643047ee29b237bad70e1f20c9b8709

SHA256
bbca0c812b391ccb12f5528a65b6cfae70e49bf7c885db3a94e10b14172b1352

SHA512
128286c84fb56b93ebb63b82082893a848cce91a403f3a3cf4b2f7541e9bb547eef00ce07e25a3b788c9ea9e748c3dfa1f472dd4cea2a0e3b030bb5c7763760d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2118.tmp

Filesize
1KB

MD5
5d249e136f81133e966fa9dfccb0f70f

SHA1
0e31667eeec15a296fce49993de3ff555c4ae06f

SHA256
c9aa4d8236c4886f7eb663a7cf4f90535d67e299a4f95c6f5fa7e9e05c8fd6f8

SHA512
5033ec86caaf0ec95ae7f08d3f70e0d5e5a21d77db66dd94e9fe30394b71067da3408c2f9dce868a7e444779ccc3dd282334410cfd21460469e3a51469a7395d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2000.tmp.exe

Filesize
12KB

MD5
72134bff4a1f74b0f17db1c97580c1fc

SHA1
1d80cbd7048f170e09f2f55c27fc8bcafac19c4d

SHA256
551bf82a36361916b2225a6873f4c6f3690da79e26932356cea85d1467fab698

SHA512
7ce2a963f1c87b7b0c1b3df147418c65b98dc4fbd478817ae114a66222301c41f0fcc04a64b72feb485d814d150c840076f67c42cc4ac0d07d8160fd878bfc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc35F75EBA638D4AABB8CDB4452C61D99D.TMP

Filesize
1KB

MD5
8af80e4e6f47a59ed64371a04f6ff785

SHA1
50f014720497597ff960163bf64effa07668ad05

SHA256
7f445ae555fd697bcc312927d9c9f9daf0ce404e395ea94e5611fcd8180c7b88

SHA512
4ce523ce66cb6a64e0c3c6b048a7e30588abae1128eed8475bb3e5c14fe191b0deb08a9fb70c79b4b72f77a243529549c76ee317b6f4877115187d0dc1f60304

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrc3odrt\xrc3odrt.0.vb

Filesize
2KB

MD5
1ffb20e181aef1ce3f7cb4827024b987

SHA1
12e772338bcd8c5797a7d570d187e03d1db8b658

SHA256
60662ffbb9d34dc37fbf170184c144b12b6155ec871e59b29c2ae450c6dd1427

SHA512
c4055cab3b93ddfc94be5f2db86ca23f76d5d2c5fd39308cdf892f3054d18dcbcedf18c3e7fbd63309085893682785bd997183f3756fef9ba188ff32a4e7b13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrc3odrt\xrc3odrt.cmdline

Filesize
273B

MD5
a3793542472748fc5aef92a2b4c1e2eb

SHA1
f7a3a6cafb1b65f1079ce994350780039930b407

SHA256
6b4a1fdef7b01884496db4d89715d890d3263f4c90f11075322c46e63af1ccdc

SHA512
fe50f4519c8d2096fde3eb32d399abc18aeeab701d416989c2dc13d68100d6dac7a5b2a3fb22817a6d822978daf55ce94ea7c91724cf2b5434134a7cf4d97016

Download Submit
memory/1964-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/1964-1-0x0000000000960000-0x000000000096A000-memory.dmp

Filesize
40KB

Download
memory/1964-7-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/1964-24-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2744-23-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing