12cb2d23ee54c7bd2395832746c30c61c67de21b168a1e44e1d70552503d0bd9

General

Target

61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe
Size

12KB
MD5

61b2172d7c2013c5f6d268a1bac4b6c0
SHA1

33bd967012981a068865e822db79f3af27647d35
SHA256

12cb2d23ee54c7bd2395832746c30c61c67de21b168a1e44e1d70552503d0bd9
SHA512

dbf4bde991084736fbfe5a533a3e1501238f824b894202853079398203b9f47f4c8cb5dbba97e6555ce25f23d480ce2ae6448bd21e46eb21f97a396d778e5b2a
SSDEEP

384:HL7li/2zYq2DcEQvdhcJKLTp/NK9xaHx:rsM/Q9cHx

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp890E.tmp.exe

pid process

2524 tmp890E.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp890E.tmp.exe

pid process

2524 tmp890E.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe

pid process

2168 61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2168 61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe

pid	process
2524	tmp890E.tmp.exe

pid	process
2524	tmp890E.tmp.exe

pid	process
2168	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2168	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2168 wrote to memory of 2072	2168	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe	vbc.exe
PID 2168 wrote to memory of 2072	2168	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe	vbc.exe
PID 2168 wrote to memory of 2072	2168	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe	vbc.exe
PID 2168 wrote to memory of 2072	2168	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe	vbc.exe
PID 2072 wrote to memory of 2488	2072	vbc.exe	cvtres.exe
PID 2072 wrote to memory of 2488	2072	vbc.exe	cvtres.exe
PID 2072 wrote to memory of 2488	2072	vbc.exe	cvtres.exe
PID 2072 wrote to memory of 2488	2072	vbc.exe	cvtres.exe
PID 2168 wrote to memory of 2524	2168	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe	tmp890E.tmp.exe
PID 2168 wrote to memory of 2524	2168	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe	tmp890E.tmp.exe
PID 2168 wrote to memory of 2524	2168	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe	tmp890E.tmp.exe
PID 2168 wrote to memory of 2524	2168	61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe	tmp890E.tmp.exe

C:\Users\Admin\AppData\Local\Temp\61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qbs12cj1\qbs12cj1.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc42492A6C73E54101A51BF77CBFBC676.TMP"
3⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\tmp890E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp890E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\61b2172d7c2013c5f6d268a1bac4b6c0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2524

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
181c2da9764b9be13d1adc181d86e360

SHA1
68e3a0fb138a38cc61c07115b08d4e20797a4640

SHA256
728e26ca1c87c88bd5b561ba099c655a01be2625ed43516a0003d2bde08a1e90

SHA512
e5b7f162a0bc088ac85712a429a8920e74952b2b5386cb4391c4162e4dc33c3f2e9c347340d8f1262fb45ac4958db78fe49a3576b302c283549976fe068ab71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8C19.tmp
Filesize
1KB

MD5
93ce36deed5b5aec2fdc8b26393b3c64

SHA1
2c0b937d086fc6e2aa314bc88f5d635c2dbefc12

SHA256
32c60ebbcdf2e1d6cd2c9c21a195b6d9f790b3f1781caf76c82241fed6355729

SHA512
1eebd8f0fe443bad8d814e1f39bfcb09658ec2de5c49abe6d7d94f3e05cdf964029abe141c7cbdd28fbd6fc24e1b643502e09f8f5ea73dd22e1015c25a9c05ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbs12cj1\qbs12cj1.0.vb
Filesize
2KB

MD5
2d3e8141f3935bdc14737681c98c4d30

SHA1
65e5641fbb5ddeea8401396c32a9764c5d915f71

SHA256
f041c30bc2e70c834c52cbf4ec67f4308738864012d5dc01491d8395e8c158b0

SHA512
aff1d582cc7579ec08c8538d98095a07531d4197eb0fd58243195df5256ece01c4b560f07d5c8363ce45b4a19debc6974034b17fdaf5528e553bf7940a076e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbs12cj1\qbs12cj1.cmdline
Filesize
273B

MD5
3ae586e9b867cb5621e4e98bee22165d

SHA1
79435befd035b217a9c3db477d63b51462081a11

SHA256
a995a8fc18f749b0588b000c352f72eb884d8bde48c65779172b5bdbfa55f1a6

SHA512
06f39b130efb82f9270f3b77cb98b00b5aa6d9902b364576363d29a5f1b8b684b7298cc2525749ae938aefdee4d918506b963745efa002da8054b059ab7c1b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp890E.tmp.exe
Filesize
12KB

MD5
e36a4a2b4cb00d67fd56fcbe33f1c28b

SHA1
32751ba228e39b23472c802d7b76fbda436a5c0c

SHA256
0083c7892fd81dc39073604c8813bd7f4dd8d41f689968d55d8354bb3f671036

SHA512
de3de9ebc783b824c980b688658d9759e8a5c8b1e9bb5b1e9c0b8b7e7ba1762531c0bb175a8e13a1155f40246a4f61932bd42fcf546ec740def900f7d73dae1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc42492A6C73E54101A51BF77CBFBC676.TMP
Filesize
1KB

MD5
23749e39c4db3392a73736e717d8e9cd

SHA1
8c53c7f36e25dedda87100c518794fe95352d23b

SHA256
27133197693100f57341c6ba1241495dc3f6fbbbe2d7f7902f055c55fe5ed0fd

SHA512
529cebecccbb191a23cde404107f8dc290523251aa893864c19b10726e31c807487c7472038da3a52ed733c6ca647503c77a93e242fdc0e16c5086db5480e8c6

Download Submit
memory/2168-0-0x0000000073ECE000-0x0000000073ECF000-memory.dmp

Filesize
4KB

Download
memory/2168-1-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download
memory/2168-7-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/2168-24-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/2524-23-0x0000000000910000-0x000000000091A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing