4c9ee97549c688f88cb2cbbbcc0d9e9c5a637e36c9cdea1fa66403f92f78cc27

General

Target

5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe
Size

12KB
MD5

5dd1818c9d8aba19127024e1618337b0
SHA1

b2649530ffc6f7e08f14b36af2341e13184744ed
SHA256

4c9ee97549c688f88cb2cbbbcc0d9e9c5a637e36c9cdea1fa66403f92f78cc27
SHA512

37927eab99b6f1fa5d1ede6bdd99764a060129a4a45e465645a8e0ae6bbcf340f7c669f5a45b076324d2a2eab526868cb1a3ecb049f92bc18f9191e195ebb1d4
SSDEEP

384:JL7li/2zpq2DcEQvdQcJKLTp/NK9xa5V:5ZMCQ9c5V

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp1E1C.tmp.exe

pid process

2772 tmp1E1C.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp1E1C.tmp.exe

pid process

2772 tmp1E1C.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe

pid process

2952 5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2952 5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe

pid	process
2772	tmp1E1C.tmp.exe

pid	process
2772	tmp1E1C.tmp.exe

pid	process
2952	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2952	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2952 wrote to memory of 2724	2952	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe	vbc.exe
PID 2952 wrote to memory of 2724	2952	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe	vbc.exe
PID 2952 wrote to memory of 2724	2952	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe	vbc.exe
PID 2952 wrote to memory of 2724	2952	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe	vbc.exe
PID 2724 wrote to memory of 2672	2724	vbc.exe	cvtres.exe
PID 2724 wrote to memory of 2672	2724	vbc.exe	cvtres.exe
PID 2724 wrote to memory of 2672	2724	vbc.exe	cvtres.exe
PID 2724 wrote to memory of 2672	2724	vbc.exe	cvtres.exe
PID 2952 wrote to memory of 2772	2952	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe	tmp1E1C.tmp.exe
PID 2952 wrote to memory of 2772	2952	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe	tmp1E1C.tmp.exe
PID 2952 wrote to memory of 2772	2952	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe	tmp1E1C.tmp.exe
PID 2952 wrote to memory of 2772	2952	5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe	tmp1E1C.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zocfgj3y\zocfgj3y.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F15.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC69C3ABEE3864980A8753FCDAA263C8C.TMP"
3⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\tmp1E1C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1E1C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5dd1818c9d8aba19127024e1618337b0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f0565343a0a552bcba870efdae66bb01

SHA1
8c9cad0a3f38dfbbd0e75a3195f1a0a5c94a25b6

SHA256
fd72ee510fadb93e3c2ff5e8fa61602ef8c99060258ea65138a9d264e0264785

SHA512
6778573f8e5d1a4916ae2794fe65fb8f8eb31381097312711d49eb84e83501a9c4a0f1b46fd76aa00c16f851a192bdcba8af7853b876ee67240325b1937b89dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1F15.tmp

Filesize
1KB

MD5
f253f7d7e7c028f166ac397101d4ebc0

SHA1
2a03d23c9ffd751c9f06ee7c9b20efb5ea601a7f

SHA256
55a170fe72d64a00b05a3e0f4ba3785e78e90853a1d156b4efdd4441bfea72e6

SHA512
8a302c12d74b89061d55c4d6059125ed3d1ce8281617447124a9fc7453d9e1ec2717b328c0cd8da2428258006bf90e19ec063f0833065087944d72fdb40cabe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E1C.tmp.exe

Filesize
12KB

MD5
e3e39739e38db4cc8f214965c65e1cd9

SHA1
f9229800ea71c8b286b7525ce68e0ae4a9213081

SHA256
c1b27d32ee69ead3844c8fd176f398014bd71b1c7e933d575408cf37ff8bcc28

SHA512
029407f3826d9e86ca3c1e0b8fb63a4823680e0b51fd8dda7f77801691fce4e3b7527253dace424a679799bbfbe6f77b2b9be13eabebf5fa1ebdbdc84a978e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC69C3ABEE3864980A8753FCDAA263C8C.TMP

Filesize
1KB

MD5
0d254429ab7bf4004a856dd71ec9622c

SHA1
f423da2021e65eb68656610e3d460290a3db30de

SHA256
77807cb9e17e619e6d4a9aa7ea0b8b078b517c31388870f7ef4ff0ae461f8d52

SHA512
d1cc3e7ba7c9f4c6edfcffb6af4e4b0d4ba7cd15593647989e90c603c5181f5ea4d7f4d4eb2a232d41475be0c6a9876f93d27c5599e1437d902edcdaa979a0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zocfgj3y\zocfgj3y.0.vb

Filesize
2KB

MD5
412898acdd009b9e1932ae961501f926

SHA1
365601adfdabe4f7dc3800f311a12993a4d645c6

SHA256
0b4fad03c99470867f3f2491ce292f1777b5d0bde48291345332f1a16694b101

SHA512
02bdafd54f2dcd4ff07bfb6fd262364571ba0baab5c083bd4f7986058adc7dfd54b494b2267256a31b5b554d478570fb65e8cfe922f7f827f6bf7b102a4c7ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zocfgj3y\zocfgj3y.cmdline

Filesize
273B

MD5
00cf789319d9fdb2d8e382b4f7bb6433

SHA1
b6305dc9ae5cd03c140f078acd763d4ac93d86f3

SHA256
7fb26e8fdef423d78c89fc819066031b5b5a6616d352ea46405dbaad1c644018

SHA512
956ae8ffc812ea4cfd786e5f84f374cf53f8af0f7c100fe6d8643469bf236cefc022c66390754d35dbc7e07bcc5dcc949892effccbf0e4ad869deedf139c166a

Download Submit
memory/2772-23-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download
memory/2952-0-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/2952-1-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/2952-8-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-24-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing