4c0c42a63f265c497eb03ffc744660a681f7c971b779c339978956b29af4df0a

General

Target

610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe
Size

12KB
MD5

610f05f69d77517ed3a578525581b810
SHA1

934e0e6e1be367598d0a185fe86e7caad26706d6
SHA256

4c0c42a63f265c497eb03ffc744660a681f7c971b779c339978956b29af4df0a
SHA512

6c66e42ad8bba3809b89ae54c42b26bcb8aca2f6b457d9b0ba20a18f35ca466c03726334317debeae5bf38970518d3476809edbb9c72b09dbdc8cb2310da0090
SSDEEP

384:fL7li/2zWq2DcEQvdhcJKLTp/NK9xav5:T2M/Q9cv5

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp2B55.tmp.exe

pid process

2680 tmp2B55.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp2B55.tmp.exe

pid process

2680 tmp2B55.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe

pid process

2124 610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2124 610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe

pid	process
2680	tmp2B55.tmp.exe

pid	process
2680	tmp2B55.tmp.exe

pid	process
2124	610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2124	610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

610f05f69d77517ed3a578525581b810_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2124 wrote to memory of 1272	2124	610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe	vbc.exe
PID 2124 wrote to memory of 1272	2124	610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe	vbc.exe
PID 2124 wrote to memory of 1272	2124	610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe	vbc.exe
PID 2124 wrote to memory of 1272	2124	610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe	vbc.exe
PID 1272 wrote to memory of 1276	1272	vbc.exe	cvtres.exe
PID 1272 wrote to memory of 1276	1272	vbc.exe	cvtres.exe
PID 1272 wrote to memory of 1276	1272	vbc.exe	cvtres.exe
PID 1272 wrote to memory of 1276	1272	vbc.exe	cvtres.exe
PID 2124 wrote to memory of 2680	2124	610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe	tmp2B55.tmp.exe
PID 2124 wrote to memory of 2680	2124	610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe	tmp2B55.tmp.exe
PID 2124 wrote to memory of 2680	2124	610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe	tmp2B55.tmp.exe
PID 2124 wrote to memory of 2680	2124	610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe	tmp2B55.tmp.exe

C:\Users\Admin\AppData\Local\Temp\610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ljdgw40d\ljdgw40d.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CEA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF629D9EA264424EA67264CE85B3E947.TMP"
3⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\tmp2B55.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2B55.tmp.exe" C:\Users\Admin\AppData\Local\Temp\610f05f69d77517ed3a578525581b810_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f77602eeb5dfd8d5331f89b51006957d

SHA1
1d3eeddd01c7c1acece87b7d4c2f3ae3ee15d49a

SHA256
5159b2149ef7241ac000f83f99020b1b74853f6ad93edfef4bd22341335d6f98

SHA512
99a847781f0450b99ff52492aed8c53e45248ff2b8a4a947833a12baebb1b6365506ab5afb2a133466cde7168e39cbfb196510b8b3e0670749301d686dd6b2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2CEA.tmp

Filesize
1KB

MD5
389748d497f627fe824c13e1ceea8c6c

SHA1
3ddeda4a51b90a4a938440002eb65af03ab23884

SHA256
ab0c71514a7bcc8942387111756483e75a11f8795ddd39ef380e39ea33a2d6ca

SHA512
20205b64b53292189deefc8b27dd5416d034c46f44a9bc0d68288b3a557761d9035f09bab124484d26474dcc7b815342359c5f117a5ba5fc31dd8552f1ef8baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljdgw40d\ljdgw40d.0.vb

Filesize
2KB

MD5
78688011e7bc26f5b0ecf073d20301a9

SHA1
c6e054b132eb32b289cca8648d1e309ce55ebb82

SHA256
a2e10214d5f3563077f786ebd7fc986fba92129384e3635c833d8d29717aded5

SHA512
1b465f2774f386d0a0fd0477eca17748dea1ecd22185e7a1e5b59f7155e3e868d8671dfaae0bfa8aa26efa5690285c23fde44cad3d910c3558c5ba56251528c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljdgw40d\ljdgw40d.cmdline

Filesize
273B

MD5
7bf73e6123329d9ad38228be2053b582

SHA1
dd6be58ec2d0b4c186bc99b4bcae1856ceb0757d

SHA256
9624f43cc1404f22391073477e5ae0e07cc06c6f8fbe1d0e9727521144032a38

SHA512
dab407b01112fe2a42e36133e47ae30ee3f8c406ce82cfb662d29195717f6aea331311c1890e1288cac2e906edfacac457baabec4f8fac94ca7313c56157c878

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B55.tmp.exe

Filesize
12KB

MD5
95a6cb0e58f3afacd708cb8f2dc48e60

SHA1
d69d59053051daef25d4e90bd7fbe9a100f636f5

SHA256
38f9c55fa6de5727f960b0c8ee5d78f7a1cda50608463c6d75563829dd7d7c1b

SHA512
0154d87b12703dd167c53942be7c65d8f78dd8fab0d20235567eb96d048241057240b45578a077ceeeeb024bd1df37994eded3a88f3a14bb996e58677bfea40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAF629D9EA264424EA67264CE85B3E947.TMP

Filesize
1KB

MD5
b894df7c8173d15df80d598828c472e6

SHA1
cb446fb34cd0a40c4f8bc6393482885248540197

SHA256
62ddddc4bc516e8be2634bb43e97d60a119f483cb5ecbaa9942a0a7188d42ad4

SHA512
299bce5a066c757a19c4dbaf56d08bb6c2aeed384084f4495a7dc52ebd6b7e67d2883c0a87540aae213c5a69c2cc8a56fb817f56b2e8d0af645bba62fd0113dc

Download Submit
memory/2124-0-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/2124-1-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/2124-7-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2124-24-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2680-23-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing