3bff2b09b0b2a02cadebb840a8bb7435c5eab5fe85cfbc6c500185f2645e354e

General

Target

6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe
Size

12KB
MD5

6ffb0ebe5e7db285cbc0a55c0a77d9b0
SHA1

2092ca285c99f6274196cf3cacf9b3fdb42c17df
SHA256

3bff2b09b0b2a02cadebb840a8bb7435c5eab5fe85cfbc6c500185f2645e354e
SHA512

7b82b35331644d7981d98e220f2d5e306b49b1b387103784a91237e42fd72a70e1c4607dbdb31856d4df659fe011d511711133dc7b2843cb7e44bc9d664778d0
SSDEEP

384:tL7li/2zjq2DcEQvdQcJKLTp/NK9xazK:93MCQ9czK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmpB19.tmp.exe

pid process

2596 tmpB19.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpB19.tmp.exe

pid process

2596 tmpB19.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe

pid process

952 6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 952 6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe

pid	process
2596	tmpB19.tmp.exe

pid	process
2596	tmpB19.tmp.exe

pid	process
952	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	952	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 952 wrote to memory of 2992	952	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe	vbc.exe
PID 952 wrote to memory of 2992	952	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe	vbc.exe
PID 952 wrote to memory of 2992	952	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe	vbc.exe
PID 952 wrote to memory of 2992	952	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe	vbc.exe
PID 2992 wrote to memory of 2092	2992	vbc.exe	cvtres.exe
PID 2992 wrote to memory of 2092	2992	vbc.exe	cvtres.exe
PID 2992 wrote to memory of 2092	2992	vbc.exe	cvtres.exe
PID 2992 wrote to memory of 2092	2992	vbc.exe	cvtres.exe
PID 952 wrote to memory of 2596	952	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe	tmpB19.tmp.exe
PID 952 wrote to memory of 2596	952	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe	tmpB19.tmp.exe
PID 952 wrote to memory of 2596	952	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe	tmpB19.tmp.exe
PID 952 wrote to memory of 2596	952	6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe	tmpB19.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dca21olk\dca21olk.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD05229086A004220B441E71F73C0AE3.TMP"
3⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\tmpB19.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB19.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6ffb0ebe5e7db285cbc0a55c0a77d9b0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
5b78b1b7e7cdcd4bef40a4f6f44a0b1b

SHA1
aa63161b9f62f268e65db1b0d7724cb136aebab2

SHA256
4e9204c06e0e0643815972f136571cf6079067c6ce508a72dc3b57e3c2aaa34e

SHA512
d0b68549ce7a6c2f7e4f4ff78a33008d80fc2f7b31c2b5085a5ce9e9c8f4fa35f5ab5932ca4724cdd78659727138b9d7b3225b523cee034ef519a31410e37adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC40.tmp

Filesize
1KB

MD5
708ff42955f57f7ad7f583f13663f3e9

SHA1
6b58afc7810c9f2695e80c5d1e24bc05beb46847

SHA256
3075834a361ede9404a1b8b0e07b8255b097a82e80850d201009c9d7e7dcf072

SHA512
28668a7ff5168d4580d6bf09b7ba06c3e34fc8d49a007662e829b63f39433bd7e50ea9db6726624219a5c8ec6b5841b3793d8e5a9eb70edad90b7e632e18d228

Download Submit
C:\Users\Admin\AppData\Local\Temp\dca21olk\dca21olk.0.vb

Filesize
2KB

MD5
f208f3afa9e24f8a3a7918eb73df530f

SHA1
15818c1c3da9c8ccf98e26985661dd66f86e204a

SHA256
c01c0987efef812679391a58fe71aba3f124b4e64bf087eb044cf511c086a6aa

SHA512
db1ac29800e6ac399b413ca3c9c31aed5c7a09801c74a954d26df105097df001299c4f95b4a530b407335469e62f53abdb3c0d516364a149a43b964449d8586f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dca21olk\dca21olk.cmdline

Filesize
272B

MD5
256e6040b880f31dbc9edd4b73929600

SHA1
aca14c61967774625a908554516ee79b0206ec69

SHA256
2b6d0b45984272d19c5beec68f761da41fedd134e3bb7b6ae99d160778d900d3

SHA512
30fbcc4ef60991e6c26ed380ba7ed08b7f47e9a2c835a3a792a76d4035fe77a03a46fd5f6ac3f797681d0b0e81f5d9f8b039ca9c537fd34d8218db3a1a15ecfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB19.tmp.exe

Filesize
12KB

MD5
6438d163b7dd9c9a3ba1aed096441ccc

SHA1
12d099027849b7454cef49b193c309d2bee4ab11

SHA256
73eb12a54c3423559247740eba04daf8ea635be81d5f30040291d058f86b5dc1

SHA512
b46bf06c1c082852d4707d8172233a18af335545d2eb5a4d2baf8f14a47f3866135d9b5f0ff2e46ae07c18c5c05ae9a54c3372a95ebbb3b5af4b73638255cc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD05229086A004220B441E71F73C0AE3.TMP

Filesize
1KB

MD5
a2b9862e1dee9f42de6edd1feb356382

SHA1
598e2c187c5153e9c01ac27c48f0142283ac82db

SHA256
6998ad12847fb900c16ae7f0eba40bba66e5918e4177845360fad31e1266fb7d

SHA512
b60b0a31bdb1bebaf5b0792bda3c3ee13d2c47b9040f4a960b050e204bed3519a995be35fe36521e08bf75b7f0e7023e03300b8581aabe49b8af2a6e4c6c4793

Download Submit
memory/952-0-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/952-1-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/952-7-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/952-24-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-23-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing