c5d939da596ded4aedfd409e42906d056f472b6edf91ca6e4914221db77dacef

General

Target

6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe
Size

12KB
MD5

6fb6d38918f7505534eb9c6b8b725ec0
SHA1

c9bc0eaa7856c4cd232eb6a97f195daf9abab393
SHA256

c5d939da596ded4aedfd409e42906d056f472b6edf91ca6e4914221db77dacef
SHA512

7ef5daa15e6dc49169dec60186283cb71a6079b1e13aa530b81da74b1e3cea2bd71ef64ddfae760d9caa90ef0bfdeacd65855b2f04364aa8b9a596456ef044b2
SSDEEP

384:8L7li/2z9q2DcEQvd2cJKLTp/NK9xaoU:alM8Q9coU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp24E0.tmp.exe

pid process

2708 tmp24E0.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp24E0.tmp.exe

pid process

2708 tmp24E0.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe

pid process

2036 6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2036 6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe

pid	process
2708	tmp24E0.tmp.exe

pid	process
2708	tmp24E0.tmp.exe

pid	process
2036	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2036	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2036 wrote to memory of 1220	2036	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe	vbc.exe
PID 2036 wrote to memory of 1220	2036	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe	vbc.exe
PID 2036 wrote to memory of 1220	2036	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe	vbc.exe
PID 2036 wrote to memory of 1220	2036	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe	vbc.exe
PID 1220 wrote to memory of 2324	1220	vbc.exe	cvtres.exe
PID 1220 wrote to memory of 2324	1220	vbc.exe	cvtres.exe
PID 1220 wrote to memory of 2324	1220	vbc.exe	cvtres.exe
PID 1220 wrote to memory of 2324	1220	vbc.exe	cvtres.exe
PID 2036 wrote to memory of 2708	2036	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe	tmp24E0.tmp.exe
PID 2036 wrote to memory of 2708	2036	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe	tmp24E0.tmp.exe
PID 2036 wrote to memory of 2708	2036	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe	tmp24E0.tmp.exe
PID 2036 wrote to memory of 2708	2036	6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe	tmp24E0.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\34j0ki3l\34j0ki3l.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2694.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFEB3D7C197E2478FBBC6911D35B75B0.TMP"
3⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\tmp24E0.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp24E0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6fb6d38918f7505534eb9c6b8b725ec0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2708

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\34j0ki3l\34j0ki3l.0.vb
Filesize
2KB

MD5
3974a7cbeec3b44333aa18eb72133282

SHA1
bf59ed62b0c109060203e514c5f4aae06fdbd21b

SHA256
d75c4f18da263e9f24c0a0bf1ec3801ff921975f3a7584418b5a7c85ef71e14e

SHA512
41ba6c1bce148eebbcdd36b73aeede0f3881a49f6d5dbe5a6dde2b255a295d00543ca4b4e5125cd4dc9bced559c67e785ce2f1dcf1c2896dea3fbed2bdf933c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\34j0ki3l\34j0ki3l.cmdline
Filesize
273B

MD5
c5f8cbfe468cbf39609aa1776a3d037d

SHA1
d9088f8ae22b0c52c16bfd55865cf83fe0cd51da

SHA256
65d9d93af73d28df31a4fd4da5967b1e477ed909c1b74f239de11a74059fe134

SHA512
2008fc0458a51b09e43f298ba310a82af3e0a25339885116c3272bd817b9c6f6f659dc10722a9e38afe72ebfef574dc435a6262bdc165a4b4c6a62016d5d3025

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
93839726a3eadd78ef9b050ec3d6b9ea

SHA1
0aea49beeb7f5fa1d4d5370a3f2a0277516cd683

SHA256
066998c5bfce98e321cd91a1d133f58dea679d61113a64d1615e7749b51149a3

SHA512
49965c63dab7b39c1f59e1afe61e79e050e6b1d150556056f899b50e27099513115fa6eeb0c1be02e309f1091b802aad07997d8f9b64e0bbf095dbcef8882712

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2694.tmp
Filesize
1KB

MD5
82273d6f1291c41b2d32395097ce41fd

SHA1
afb9e1d40eb883901575faddd54db514f8524bfe

SHA256
c82b75e9833d360a8195801eda0f71a4bd9c7e2000573fb21077baf68efea80c

SHA512
d79d413cd349aa63bb5bd21113eedaf2310c5dc8f5f68d8e40627106694b2b0fc43d6413e9b05fe4f2aab342215376b202c292fd9d066d8d06bfe0fdb6ce8e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp24E0.tmp.exe
Filesize
12KB

MD5
8549ffb33218226a24cc44e14550a440

SHA1
9de7b993fc057bc8def02cfe64542d426ad496be

SHA256
634057b1a1bc4e9495965067f6442bf53e80344581f0c0a01cac0ed09ac8c3e5

SHA512
a8ae9dc920c7cdb22cc033d1599c765c91045d576e210f10559b3bf1a5d751186238efc747cff89d7e051f3eed64a13cb69d1b200707129cf8160d7f39258a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFEB3D7C197E2478FBBC6911D35B75B0.TMP
Filesize
1KB

MD5
949274553908e33217ca9ee784ae0220

SHA1
28babe474c7f49865609ff17aaff1ef87e32efcd

SHA256
1d1b64229ce4336908b5e5bde34370192c56a15120001a550abdaceb04f69a91

SHA512
0c9715f28f1d18cfc6bfa1daff21a33e1f584528a08c2bdcf20134808de6851856c0186bb21d957cccc579a52bd905a1f93c3e6bc53ab18538651e5256f1e5c4

Download Submit
memory/2036-0-0x000000007488E000-0x000000007488F000-memory.dmp

Filesize
4KB

Download
memory/2036-1-0x0000000000D90000-0x0000000000D9A000-memory.dmp

Filesize
40KB

Download
memory/2036-7-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2036-24-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-23-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing