28eb656bfceda52d98ae02b4ef0e41f76204b4190f09ebf337e5d24cf392c1f5

General

Target

662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe
Size

12KB
MD5

662ab5937404a31318e2846afe557cc0
SHA1

f7073403235d3689c728ec4746755ac968b434f7
SHA256

28eb656bfceda52d98ae02b4ef0e41f76204b4190f09ebf337e5d24cf392c1f5
SHA512

06f026b1762f466f121123454a736e964ae84569208ebc9c68e325a4d64ce7842808c8b84ca0622d888a5d66a9ecc4546a7f69fb929440338cc394fbcd50d3a2
SSDEEP

384:nL7li/2zwq2DcEQvdQcJKLTp/NK9xaly:LUMCQ9cly

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp96B5.tmp.exe

pid process

2556 tmp96B5.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp96B5.tmp.exe

pid process

2556 tmp96B5.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe

pid process

1928 662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1928 662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe

pid	process
2556	tmp96B5.tmp.exe

pid	process
2556	tmp96B5.tmp.exe

pid	process
1928	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	1928	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 1928 wrote to memory of 1724	1928	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe	vbc.exe
PID 1928 wrote to memory of 1724	1928	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe	vbc.exe
PID 1928 wrote to memory of 1724	1928	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe	vbc.exe
PID 1928 wrote to memory of 1724	1928	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe	vbc.exe
PID 1724 wrote to memory of 1804	1724	vbc.exe	cvtres.exe
PID 1724 wrote to memory of 1804	1724	vbc.exe	cvtres.exe
PID 1724 wrote to memory of 1804	1724	vbc.exe	cvtres.exe
PID 1724 wrote to memory of 1804	1724	vbc.exe	cvtres.exe
PID 1928 wrote to memory of 2556	1928	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe	tmp96B5.tmp.exe
PID 1928 wrote to memory of 2556	1928	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe	tmp96B5.tmp.exe
PID 1928 wrote to memory of 2556	1928	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe	tmp96B5.tmp.exe
PID 1928 wrote to memory of 2556	1928	662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe	tmp96B5.tmp.exe

C:\Users\Admin\AppData\Local\Temp\662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\deryjonq\deryjonq.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AF8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB859DCC289784A9F811E555E3499891.TMP"
3⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\tmp96B5.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp96B5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\662ab5937404a31318e2846afe557cc0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
d35eae5eb711973acb69c7343114defe

SHA1
e6879cf8ec737fa7933d405ff287fffee274f2bc

SHA256
47c46be8578ccfa96f7425b0bde63d81ba7acbab892f9bbd0667a2a8cd03d5d4

SHA512
9206ff6405390629e01c82640d31038104e2818b05bbffb2dc6a8f9807d7ac98e5638381685ac22f10bd0b3f5c7741d76dbbafc240e8c7691427acd3be07f541

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9AF8.tmp

Filesize
1KB

MD5
51a0df96c89d3eefc855650e98fac9c2

SHA1
60546df178a1665c44b13cf40cf47cc595754789

SHA256
3ab9ee90e2b3ac4f2a5b45c64145755256a0e04a5d29ef5550d48f41b49f83db

SHA512
8203b6f6048a27fe511d3011d8bad3ee273428b64ecd08252f789d283eefa9b0567fb1b0d9613794b3b8fab996f24a92a9b34dde52765010e767b9afdba00966

Download Submit
C:\Users\Admin\AppData\Local\Temp\deryjonq\deryjonq.0.vb

Filesize
2KB

MD5
3c62626416648ab295bd06f70acb5193

SHA1
0b5f6cdbba9c5b4eb7c878d476a42ceca0537f11

SHA256
259741c418c6d13ebf351dfca60fa756f479e79ab1b65fcf7031f2367a8ebf5c

SHA512
100466e4c716410635af34f134d81b5daff761c850ee9c16b534cd50821ec2284a4ac3484b0484b153be43709db92361c96b548d0f4d0584826fe0cbce5b3015

Download Submit
C:\Users\Admin\AppData\Local\Temp\deryjonq\deryjonq.cmdline

Filesize
273B

MD5
85aefb8d7a940fece96799e7870bd10e

SHA1
90abdfa89c7664f1a90db1bceefeabffa0fede24

SHA256
e73bfb84f518043276c3f11e5a8af204d8ecd0d9ef68b6aaf4ea3887ab9435b3

SHA512
541d5ebdacd37c0af431cfe9d22fb73100d62ba0579af91f8c04e8733efc642c8d8d33b023f5820b689e5a6dfaefd1fc366de0ca18147df7a3b8ded32db64a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp96B5.tmp.exe

Filesize
12KB

MD5
3da7d923444877a945522f37a4a60999

SHA1
668253511857101a78929cef8fcffdcfc5ea45f6

SHA256
de34370df1c9059d79413009d4beed663beff08f70064be22fdb32fb78510875

SHA512
51f3cb630a561f165ff580d86ca01cd82ca424fb0f646a11a8239c5bb2cfe452098d037a0ac4badc42b550eb62628765947371927b86d0e0f04d02be92f08b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB859DCC289784A9F811E555E3499891.TMP

Filesize
1KB

MD5
f0be021d4905937832810f3f799f2879

SHA1
cca1c8f55fb4fac3e264404fdc9c5b97ec46630e

SHA256
c72c6e975082abfcbce5cbf6f259676826c00ab919db0cb01ee2689c2be57dc5

SHA512
63c860a4273b349855ef81c816f5e62bda5c2b6e9f45163dd8f95479d94c95ecbc85d81fe070569d1f6b5d0cc6cd3b40cfce0d015f13e4603efe9c093ff041c8

Download Submit
memory/1928-0-0x0000000073FFE000-0x0000000073FFF000-memory.dmp

Filesize
4KB

Download
memory/1928-1-0x00000000008D0000-0x00000000008DA000-memory.dmp

Filesize
40KB

Download
memory/1928-7-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/1928-24-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/2556-23-0x0000000000910000-0x000000000091A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing