5e14a9250351a9c93df1f7f80f305a029cbabafaaf0a119f4a7bcd2e75fcd2b6

General

Target

6cf708817892612db26859889051aba0_NeikiAnalytics.exe
Size

12KB
MD5

6cf708817892612db26859889051aba0
SHA1

632409296ca72b721ce1a3aa3c50a5846262f88c
SHA256

5e14a9250351a9c93df1f7f80f305a029cbabafaaf0a119f4a7bcd2e75fcd2b6
SHA512

77932f931cd8f377ab8d52287d8db5427e48d2240f8232c4f27967599208337eac8548a4cb761a449577e5213177183caeb33ec24e2b505a318ded185758e0a8
SSDEEP

384:eL7li/2zhq2DcEQvd2cJKLTp/NK9xa1M:IxM8Q9c1M

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp82B8.tmp.exe

pid process

2516 tmp82B8.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp82B8.tmp.exe

pid process

2516 tmp82B8.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

6cf708817892612db26859889051aba0_NeikiAnalytics.exe

pid process

2076 6cf708817892612db26859889051aba0_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6cf708817892612db26859889051aba0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2076 6cf708817892612db26859889051aba0_NeikiAnalytics.exe

pid	process
2516	tmp82B8.tmp.exe

pid	process
2516	tmp82B8.tmp.exe

pid	process
2076	6cf708817892612db26859889051aba0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2076	6cf708817892612db26859889051aba0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6cf708817892612db26859889051aba0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2076 wrote to memory of 1164	2076	6cf708817892612db26859889051aba0_NeikiAnalytics.exe	vbc.exe
PID 2076 wrote to memory of 1164	2076	6cf708817892612db26859889051aba0_NeikiAnalytics.exe	vbc.exe
PID 2076 wrote to memory of 1164	2076	6cf708817892612db26859889051aba0_NeikiAnalytics.exe	vbc.exe
PID 2076 wrote to memory of 1164	2076	6cf708817892612db26859889051aba0_NeikiAnalytics.exe	vbc.exe
PID 1164 wrote to memory of 2564	1164	vbc.exe	cvtres.exe
PID 1164 wrote to memory of 2564	1164	vbc.exe	cvtres.exe
PID 1164 wrote to memory of 2564	1164	vbc.exe	cvtres.exe
PID 1164 wrote to memory of 2564	1164	vbc.exe	cvtres.exe
PID 2076 wrote to memory of 2516	2076	6cf708817892612db26859889051aba0_NeikiAnalytics.exe	tmp82B8.tmp.exe
PID 2076 wrote to memory of 2516	2076	6cf708817892612db26859889051aba0_NeikiAnalytics.exe	tmp82B8.tmp.exe
PID 2076 wrote to memory of 2516	2076	6cf708817892612db26859889051aba0_NeikiAnalytics.exe	tmp82B8.tmp.exe
PID 2076 wrote to memory of 2516	2076	6cf708817892612db26859889051aba0_NeikiAnalytics.exe	tmp82B8.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6cf708817892612db26859889051aba0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6cf708817892612db26859889051aba0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yorr4akw\yorr4akw.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES864F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B8D5444BDFE45589A104C5017FF645.TMP"
3⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6cf708817892612db26859889051aba0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
fa08ce52d48ac4c99127221bdeb9f653

SHA1
56b80608fa1f854b1ed74431e08bf78ad448f8f1

SHA256
ad113494e40028a0c02e7d7361f5f8caf6f01a75efffc3c811908a357820aeef

SHA512
c5750e5f31d9ebf08769830fc7c48558c11b2dc2a0edc9c8f525df3c6908488830635c660afcfa776cefacf60632d6c7d678fd051207de3cc6db03de58e3a5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES864F.tmp

Filesize
1KB

MD5
c3a7e7607478f4c1cd25012aa065b5bd

SHA1
8dd40ac28a98af24709f8b66573000dab5cf71de

SHA256
20497d282c2e3c23629060411316f54a46dbca57bb921e264a6118b881e88129

SHA512
1b14a8a1461dac6552afa66e19d58c1b9a91ccab61aa18df94150a38aa5f33cdf1494ffa91f116b1fb1ce37f304a2646c625aa24b4c743551a0330f08506c6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe

Filesize
12KB

MD5
a6d60a44a313706fa0dbd1911e000dba

SHA1
327424b25792e170e859a876f65309ffdb9b94bf

SHA256
c1a6acf61cb7b613296307587704cdb54d0d0071c4e3064000feec05be4c827b

SHA512
acd93edd2b3d00c1877aee3ed289f62e6c7dcb597ea7e874397168e06429671771a8ba840913fee1d5118e23460d2464cc0a5a896b52436a87e615e0b112a42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9B8D5444BDFE45589A104C5017FF645.TMP

Filesize
1KB

MD5
2af491da89f204d3a23857f1f69c4fce

SHA1
4d7960d970a40b3fa5503f67d8d1d104274fd942

SHA256
b85eac5a937d8b4cba99bd020f83a1371a296fffd8694b79d3e3ccc5bb6fbedf

SHA512
f4eef3bc994de80bb7bf86fb4bb645b6ff4d45ccea617a5cd731d8125ef621e06c9902ed88a6e1e8c33982a95010c75de58f4e90b0e85552219c7f21b0746ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yorr4akw\yorr4akw.0.vb

Filesize
2KB

MD5
3f5d69d29b3a45779e5f704c96674d92

SHA1
e4b547e84a795fefd3eb5d4d4ba5fc8c8e7a24b7

SHA256
0a6bebeaf8d3ffefd98d7aebb5877d9c46e8f4b81b24f302fd23113b44e0ec32

SHA512
6b35e370b80a9fbf44e3bb1384eeee618296506e403c5de3421d26b64d362d8b9e07e13d7672402155c6a5fb4fb7eef4c1a1588d3ade341bf8fb438ff1684ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yorr4akw\yorr4akw.cmdline

Filesize
273B

MD5
16c5755cfe921a7c50474bd2020d8171

SHA1
5b43cade89c4b0e48fcb35a48cdf34bb4dc8d3fd

SHA256
4cce049cd35306a485eb8d9b01120e6d6101a05032e81be1d0b2518ccb5e990a

SHA512
3cea603c17809eb88b63aa21b817d79cf44c67298ad80d62ff5cd3c00c973de9df294f6c54e802966decb5ef74b241ac34ac641ed04b865163317518eaa6cdb8

Download Submit
memory/2076-0-0x00000000745CE000-0x00000000745CF000-memory.dmp

Filesize
4KB

Download
memory/2076-1-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2076-6-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/2076-24-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-23-0x0000000001190000-0x000000000119A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing