bc56d02cab262bc61ddf93b168d4d8570607d9ef55de663195459ddf3e779bfb

General

Target

35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe
Size

12KB
MD5

35a1e6edfbb594a21e5daede5c63e590
SHA1

6d1236953a53d76cf81bf7b82bae34de85d59c66
SHA256

bc56d02cab262bc61ddf93b168d4d8570607d9ef55de663195459ddf3e779bfb
SHA512

3d5b43b48f190d2876f674bf40e53975f5229e773f399b93c571021244bff5507b4e9acf269bf52748050e84510417a374da246445cc0a272d2ba7f7014c6a55
SSDEEP

384:zL7li/2zGq2DcEQvdQcJKLTp/NK9xaX4:XuMCQ9cX4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp2618.tmp.exe

pid process

2560 tmp2618.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp2618.tmp.exe

pid process

2560 tmp2618.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe

pid process

2876 35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2876 35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe

pid	process
2560	tmp2618.tmp.exe

pid	process
2560	tmp2618.tmp.exe

pid	process
2876	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2876	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2876 wrote to memory of 3040	2876	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe	vbc.exe
PID 2876 wrote to memory of 3040	2876	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe	vbc.exe
PID 2876 wrote to memory of 3040	2876	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe	vbc.exe
PID 2876 wrote to memory of 3040	2876	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe	vbc.exe
PID 3040 wrote to memory of 1276	3040	vbc.exe	cvtres.exe
PID 3040 wrote to memory of 1276	3040	vbc.exe	cvtres.exe
PID 3040 wrote to memory of 1276	3040	vbc.exe	cvtres.exe
PID 3040 wrote to memory of 1276	3040	vbc.exe	cvtres.exe
PID 2876 wrote to memory of 2560	2876	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe	tmp2618.tmp.exe
PID 2876 wrote to memory of 2560	2876	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe	tmp2618.tmp.exe
PID 2876 wrote to memory of 2560	2876	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe	tmp2618.tmp.exe
PID 2876 wrote to memory of 2560	2876	35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe	tmp2618.tmp.exe

C:\Users\Admin\AppData\Local\Temp\35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rnprztsh\rnprztsh.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES277E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBCF3E1AF39B44837A9F59CDC68B4999.TMP"
3⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\tmp2618.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2618.tmp.exe" C:\Users\Admin\AppData\Local\Temp\35a1e6edfbb594a21e5daede5c63e590_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2560

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
f03b428c5d25ec9dd0aaef1f0b2ded18

SHA1
86c37bc62973da0c9c1e7621b9a82f984bbc8d7b

SHA256
6baa150a2969337e6dd11fa583c6240bf70e69eb31bcd1a94152d1c5076e3b20

SHA512
750c55e8d2530b91d336299993d3eead2b0bea2020d6276b926fadffbc293029dd82fa692d97c98c30a15ebe610545a212c7b76043940361724223b02aed90d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES277E.tmp
Filesize
1KB

MD5
6de1ffec7a09d83385c3f8ae36aefc5f

SHA1
629a82cf07434416f252f97bef130b1ef67d11c5

SHA256
a090eeefdb4a733d35632d17eeac653e29bb44172aa73faa610d312fac36b980

SHA512
ced62d1ed1af574103cfa080ed0fc31d47197646ccc65c280745d865acbfab2e72ad43f5c084fd611ea0e81337e4cd325f8df572a8a01f6f28d4222328cdbc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnprztsh\rnprztsh.0.vb
Filesize
2KB

MD5
bf752e152a44596294a9a73061f175d5

SHA1
966377d5db2bae4319e32a0603e43497059bb8cb

SHA256
4d92effe6563406d8c88151c0efa71c7c9dfa938ea4d4e079cd27991a62d5a45

SHA512
e12ce58906a8da644e306fdcc77ebf2f7a9a3d72ae3414589df1f1880e48ba0ce9a907457ecc035bd1309cadc309f0279c3265f79ab4fda5a387fb028c0e3fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnprztsh\rnprztsh.cmdline
Filesize
273B

MD5
807b0e2e67be36e950081aa8bbcaa2fa

SHA1
d43790f767f766d38c041a140c8c4861bdfdb10e

SHA256
a3802708a6fa31d249079d5b31850ed0d5d77f039a66e41fc41ca9e85af7dae9

SHA512
c4feabac4e3cc9a73677eb458b72858677f77541c2fc6b7db6ec3224c258e96f2484169306b1c82bb188c37c16c993628a993edb1f95d1bcd10c5bcbafa5ee5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2618.tmp.exe
Filesize
12KB

MD5
d31579d1f9cd995b6b29c88081894268

SHA1
8d04ab6033bb9d5cd9bb5cd041bc1e0323f17478

SHA256
06979bab977127349ed6d50af37354b43c900029aae0d8828cf7d06dcee5f357

SHA512
767e7bbe98d9710635e8a2df29f7d944af6ce00aefed6c4bcec7a501ebc84247d9da7253886b14155a198498c4197cb8666f7e978d4f5b383be816860151b2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBCF3E1AF39B44837A9F59CDC68B4999.TMP
Filesize
1KB

MD5
cc4ed7a9c67f9c040f448abb29adc0bd

SHA1
b59b87a87259b032a07955a948b02f4ee8f6c27e

SHA256
ecdac5b87667b1d8d038a5f21d9837407bb2b4cfbb120093569cef98674c7468

SHA512
9846f306387e4cbff7246c17083fe8990488fb4c6742f5a67c1880a7134bb1ab4f6c8c9666f6fdac61e28a5e7fdd5b8d60af33e2fbeeb368f5b10c1e3c7ec077

Download Submit
memory/2560-24-0x0000000001060000-0x000000000106A000-memory.dmp

Filesize
40KB

Download
memory/2876-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download
memory/2876-1-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/2876-7-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2876-23-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing