22834560775aa87b187213b183a3cd3ede81b6043fe112a819d443db5eeedaa1

General

Target

6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe
Size

12KB
MD5

6f3b5d0a9e4367c48c5c69880d4d27e0
SHA1

b1aec9811710b5b42f427835f863a660745efd53
SHA256

22834560775aa87b187213b183a3cd3ede81b6043fe112a819d443db5eeedaa1
SHA512

2aae1e45897f81cf2c74556372c640f9eb2bf49b81268c21249a72fa319733a1a06b59719f56e034e8ae27ededcf125a20c47c6c3a4bbec11cc43c064685dc77
SSDEEP

384:xL7li/2znq2DcEQvdQcJKLTp/NK9xa0E:xDMCQ9c0E

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp2E71.tmp.exe

pid process

2572 tmp2E71.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp2E71.tmp.exe

pid process

2572 tmp2E71.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe

pid process

2872 6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2872 6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe

pid	process
2572	tmp2E71.tmp.exe

pid	process
2572	tmp2E71.tmp.exe

pid	process
2872	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2872	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2872 wrote to memory of 2904	2872	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe	vbc.exe
PID 2872 wrote to memory of 2904	2872	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe	vbc.exe
PID 2872 wrote to memory of 2904	2872	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe	vbc.exe
PID 2872 wrote to memory of 2904	2872	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe	vbc.exe
PID 2904 wrote to memory of 2564	2904	vbc.exe	cvtres.exe
PID 2904 wrote to memory of 2564	2904	vbc.exe	cvtres.exe
PID 2904 wrote to memory of 2564	2904	vbc.exe	cvtres.exe
PID 2904 wrote to memory of 2564	2904	vbc.exe	cvtres.exe
PID 2872 wrote to memory of 2572	2872	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe	tmp2E71.tmp.exe
PID 2872 wrote to memory of 2572	2872	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe	tmp2E71.tmp.exe
PID 2872 wrote to memory of 2572	2872	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe	tmp2E71.tmp.exe
PID 2872 wrote to memory of 2572	2872	6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe	tmp2E71.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2l5xmykx\2l5xmykx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F89.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF8307E040C49AB8F1B732CC8B7EA31.TMP"
3⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\tmp2E71.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2E71.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6f3b5d0a9e4367c48c5c69880d4d27e0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2l5xmykx\2l5xmykx.0.vb

Filesize
2KB

MD5
5c69340636bdcdb07bfe5f04d4625d0f

SHA1
63c668c7e14fb200e1492217f846eb006f7fc613

SHA256
b5cae3b2925708e3e72450146bff8dfdd43445a8ca837e5b41ebcd51dce8c6e9

SHA512
07cde3259e81a450eefe487d6014cc838a33def89978da5ff5b98055aaf32dcaf057758bae0b5dbdd6598759c2689d02b7d748608cf0e76b6d98862bc198410e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2l5xmykx\2l5xmykx.cmdline

Filesize
273B

MD5
11bd23f19e728369ab8e45282d3cae06

SHA1
436731442be03084bea17c34561fd33071c62d27

SHA256
7f848d2ba2a2de2566d210493be0173a1e6483b86587b885e29ff7a464f97a52

SHA512
00639208b9491d073ac3b6aa08476d6c4b0e08433c9671cd992ac4420307768249f07d53865c5a2701371c2cc85e1754529a2d8fd61759749bf3bbf2eeae21d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
87d95d9719d1401db7361d8904830a6f

SHA1
745d9b6dc60a47e357fb0e48db3db894b9e74ccc

SHA256
5d2d7e189a8497ac0c0457f0dd3603cc302c399ffe32015e28251f155a92fefc

SHA512
6dcc7825588aa467f836e85d12bedb4a002de43445a39083e0d6bc1fff98d43e628fd92549c53c3889a25bf1513d88c2050776f90a52d24a39efde756a8012e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2F89.tmp

Filesize
1KB

MD5
6d539bb9807de47ccddfc4fda63bdada

SHA1
ffb549db93d7a9b82194ada4b723ff46092241b5

SHA256
8499501c60b05393fbb83294a1ee457784e832307b0703b1fd1de3db49ec2ca4

SHA512
a2baa3adad9c792dd47e8bba5c6c32d213e39999941742af5b0663a07af7b9facfedaa25089897a464b45440c17c6271306ac58adecc69f11b2db4a9e521583d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E71.tmp.exe

Filesize
12KB

MD5
3c5d80c7fdfacf58765f4379667b54fa

SHA1
09e2baf803b70066dc6676abef13d2816b5ee62f

SHA256
7144a3215607e0bbf7b7c20be3905092f965dab30b1d4226468411b6358a41c2

SHA512
b74f4fefd6547a5b82ba85dfee3456ead11d00e815642330c519113436f61e64b96ee70b29cbcd49d9ab59ebee4f96e84c4f341cfcfcc8f417db2a42cf108c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAF8307E040C49AB8F1B732CC8B7EA31.TMP

Filesize
1KB

MD5
b401dd130e95208f1e1529b38a82ddf6

SHA1
ad52f958ed299da74d51eaf11a6a7ea1f0293515

SHA256
affab33e2bbe4554c3c993a17ba33291c6b5b8bdde8de93dae73e87b83f06b09

SHA512
fd7e1f290baff7e5a2ecfb377e4e96f07194bb6cfbfa08a8ef391c67187b86605b7f94d59a8a21685bec7248b9dc26f47fa49053f5174dad1a4f06f73e9aa264

Download Submit
memory/2572-23-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/2872-0-0x000000007490E000-0x000000007490F000-memory.dmp

Filesize
4KB

Download
memory/2872-1-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/2872-7-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2872-24-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing