ba4ff14179bb978398ee5369218e3523f0ebcdd3ab687a2373bb407a00de0616

General

Target

35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe
Size

12KB
MD5

35c9a14d09a92bd10310b933e49f4be0
SHA1

178588821c7f2966f0822db248f2d4bfa3a1d8ef
SHA256

ba4ff14179bb978398ee5369218e3523f0ebcdd3ab687a2373bb407a00de0616
SHA512

64342406baa8569364da799dffe695fc21d0e229144581a78a1785656a7a007e580821aeac26950c8c34ff7d837b0707bce677ce7a51c82a2dcd74916a6fbc18
SSDEEP

384:pL7li/2zZq2DcEQvdQcJKLTp/NK9xaZH:ZpMCQ9cZH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp39B7.tmp.exe

pid process

2760 tmp39B7.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp39B7.tmp.exe

pid process

2760 tmp39B7.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe

pid process

1644 35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1644 35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe

pid	process
2760	tmp39B7.tmp.exe

pid	process
2760	tmp39B7.tmp.exe

pid	process
1644	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	1644	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 1644 wrote to memory of 2188	1644	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe	vbc.exe
PID 1644 wrote to memory of 2188	1644	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe	vbc.exe
PID 1644 wrote to memory of 2188	1644	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe	vbc.exe
PID 1644 wrote to memory of 2188	1644	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe	vbc.exe
PID 2188 wrote to memory of 2360	2188	vbc.exe	cvtres.exe
PID 2188 wrote to memory of 2360	2188	vbc.exe	cvtres.exe
PID 2188 wrote to memory of 2360	2188	vbc.exe	cvtres.exe
PID 2188 wrote to memory of 2360	2188	vbc.exe	cvtres.exe
PID 1644 wrote to memory of 2760	1644	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe	tmp39B7.tmp.exe
PID 1644 wrote to memory of 2760	1644	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe	tmp39B7.tmp.exe
PID 1644 wrote to memory of 2760	1644	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe	tmp39B7.tmp.exe
PID 1644 wrote to memory of 2760	1644	35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe	tmp39B7.tmp.exe

C:\Users\Admin\AppData\Local\Temp\35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r0tlayfa\r0tlayfa.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B3C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4B3BAF68976458ABB44E732A7F448B.TMP"
3⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\tmp39B7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp39B7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\35c9a14d09a92bd10310b933e49f4be0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2760

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
1b6736e61cd284bd9ed369317ddf2816

SHA1
c5d90259f796ef5f5273d8bc2e33e56b75718a44

SHA256
c1c4d1cad7150ae8e4cc8673387428e5ea02656e1ac169225d717be1d17e9eca

SHA512
b4a6b37e4e8bd630bc93bd77b5b8c9c43e76d41e4aa61d61062e34fc7bf60ca38e86ec55d7d8777df958da28d52040fa5be656323ebb412837863506d8e72e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3B3C.tmp
Filesize
1KB

MD5
5fc537218609c862fcb493a96b63550a

SHA1
04b530deb83e535b84c4881926fe81bb219b0bf2

SHA256
8ba8cb2014d884665c0ef85bee7cddbfaa7175b7a3c390da0f22020b6e769ae4

SHA512
335d7bf5a82c34b3eeb78aa6394aaf0cb118bc89f339eaf97d4ab1c359fd730219a19e5ebe076034fe8c825bf426f002b96b5bf12e4734c697a1bcc7d0f83e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\r0tlayfa\r0tlayfa.0.vb
Filesize
2KB

MD5
f821b7ca619fee37cbc116055abcebcb

SHA1
8448e4196effb57a6fa810bcb419c6583fd0b104

SHA256
f10a7e38e43e6e8b572428e42208ddb552489ac1bdcac1c74ed22ffa406b142b

SHA512
1ff90c3d515031b6670e2d00373065fbd086bf040358b6a633846ff2cac28670c5d17a2cc6fab3fe39d1e85ef82b3d6c48903964841fa32f5db3e19aeffa40a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\r0tlayfa\r0tlayfa.cmdline
Filesize
273B

MD5
e4132428bf0e57f5de0b39e4cf3c56fa

SHA1
9cc978e539eac150fb263af677c9ca18ff371acd

SHA256
ce53b9799057358f1b8ea9d6dd3f061c322877c5b2cd4f2e82e9b5c2463f0b1d

SHA512
e44cc052b96d554fd819232feac49565da6b86b779d9eb787c142074578767dfa9cbb4f1ccb46df11c0e94acc4ee68c7f22f133333e042501d32770cb5423695

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp39B7.tmp.exe
Filesize
12KB

MD5
45a205b3b3dfba007450aa9a6f0509af

SHA1
de244e9f4828045fd5dcaaf7f43660225df5ec93

SHA256
c8970a54b19e1c6908efd5fe240de8fea61b38f6901259a67d8492e0b852a840

SHA512
4f9f01c621ac2b67d07e59ea3d57b8f9c1515c76f11c8b2ff307348988f3577420259b31fc87074ab96792385e03a8dc22884a1495a71d8df8c67a78f43a0d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD4B3BAF68976458ABB44E732A7F448B.TMP
Filesize
1KB

MD5
1f57e3f531e3fd3eee83901b5c7acddf

SHA1
0a5692ce046e0e040a23ee1d876f79738b3f6298

SHA256
5ff0bb025ab03f2868238efc4afcb5af93bba496b031ca50fc7cffe72f1f88cd

SHA512
0146d64307dac29cc4aeb2ceed6832a20c717af4505487e09a54b45b19ff49a9001ae8c6a8482b6a609a11fee81cab1090ff99a7ff257ec3e5ff7f42d6a07a12

Download Submit
memory/1644-0-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download
memory/1644-1-0x0000000001260000-0x000000000126A000-memory.dmp

Filesize
40KB

Download
memory/1644-7-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/1644-23-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-24-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing