445c757029444573228919e4480e0a2cf34f4186e5bb748b317be60649071919

General

Target

6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe
Size

12KB
MD5

6d6545af57f5f07a2686b9b0f254e9a0
SHA1

7e0fb59eaecfb2038bfec2cc3d306ed093a35f5d
SHA256

445c757029444573228919e4480e0a2cf34f4186e5bb748b317be60649071919
SHA512

595a15a5889ce4e461df6f5162612b808f65fdcb0db9a3d871150863bf8d80e9721b3065942bdae0b9697f5b48bdbeba2d301f9e06d9fd7148043c524c43db10
SSDEEP

384:jL7li/2zbq2DcEQvdhcJKLTp/NK9xa4K:nfM/Q9c4K

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp197.tmp.exe

pid process

2708 tmp197.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp197.tmp.exe

pid process

2708 tmp197.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe

pid process

2268 6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2268 6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe

pid	process
2708	tmp197.tmp.exe

pid	process
2708	tmp197.tmp.exe

pid	process
2268	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2268	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2268 wrote to memory of 2180	2268	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe	vbc.exe
PID 2268 wrote to memory of 2180	2268	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe	vbc.exe
PID 2268 wrote to memory of 2180	2268	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe	vbc.exe
PID 2268 wrote to memory of 2180	2268	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe	vbc.exe
PID 2180 wrote to memory of 1804	2180	vbc.exe	cvtres.exe
PID 2180 wrote to memory of 1804	2180	vbc.exe	cvtres.exe
PID 2180 wrote to memory of 1804	2180	vbc.exe	cvtres.exe
PID 2180 wrote to memory of 1804	2180	vbc.exe	cvtres.exe
PID 2268 wrote to memory of 2708	2268	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe	tmp197.tmp.exe
PID 2268 wrote to memory of 2708	2268	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe	tmp197.tmp.exe
PID 2268 wrote to memory of 2708	2268	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe	tmp197.tmp.exe
PID 2268 wrote to memory of 2708	2268	6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe	tmp197.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tvndyipl\tvndyipl.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAD78FBB49204F91BCB78221C6D0E7E1.TMP"
3⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\tmp197.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp197.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6d6545af57f5f07a2686b9b0f254e9a0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2708

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
ec9ef401c08c6e2d8b20e2f63dde9255

SHA1
da5decc12370e4eb45a46c4c1b6dab2265e8552b

SHA256
e50365e7872bc9467f7e6d7297801d7d65df5962b3d9c3d6223b122dda0abdbf

SHA512
74665f0ac66c56b73bf152b1502d41b5c110046aa153ca3aab866f817fa7db419247c2d05d848a87135bd40f4748041cd43bd83ce493ca6db6cf6c58aa9846d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES33C.tmp
Filesize
1KB

MD5
d04eab2518d0447f2e41ad91222a16fa

SHA1
8ec022698ecf1b5bf7ca972e4d8fc33c427bb4c8

SHA256
d33bd0d5c94f0623272ca37574093836b7585f9e815b2e475d7aba3b63641af3

SHA512
2f1a9a36e1b043ed8b4d9ae7fd049990d5e97060d729eafb574d16b111f2073a754f8e95153518d60350db372f817ac3d13deb2f99c94da820a778ec8b0aaa9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp197.tmp.exe
Filesize
12KB

MD5
4f79f971a00065a6df3df14e778a2dff

SHA1
33174dc91c82e54837b43e438497d4fe699fe491

SHA256
900d69ecfd1bb51ce86adaa7176c4637c1b39a9d6c962947eb86eb008314575c

SHA512
7c84b5ef8fdec4df4f336f7ba0cefab68882915e2e045bb5783a4fa974c7816ea165840c7ceae610b39f2d4e358bcfbc23722d4419d60a85a6479596e905f317

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvndyipl\tvndyipl.0.vb
Filesize
2KB

MD5
a657c4a4fe0bd28bd93df9dc058a07cd

SHA1
44f9217a5ca39aabe321f81a1c65c3a29bb7ea63

SHA256
aadacf051fa82893634446c04997db7f38203de87834930c47f8538cc077bd54

SHA512
c0b633738934bccf0978bb77d11658a667696436e63586077d699ef53173bc8901a07cb24c15f8dc7fe0416e6c419be2e74816b8b7b0f78c35e426229986e4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvndyipl\tvndyipl.cmdline
Filesize
272B

MD5
55c845d7b55e1f4fc1e202e5a69a6f26

SHA1
92cffc07e650deb19abf5235945b5138d150b33d

SHA256
8ae0862c8ab17018b3fde52f43f8b81f471e280972265098e6a9ce23e11d3d35

SHA512
4737f04e2c92c607b2261270ddde1028b8086158c275396e095f5186a11bd4ad839c378bbac18a56271a7448d93d289f1187a50f804da9aa9fca732693b0ae21

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFAD78FBB49204F91BCB78221C6D0E7E1.TMP
Filesize
1KB

MD5
4331b15911e8dfddd31a000f3ba43250

SHA1
9246c40c2bf0f861a5834b4b347432c5c5da1e6d

SHA256
13e78fcfdc0ddb1368a11c3abbfbc5ca102b6ba65a299c13e6df8cd5f2abb5a7

SHA512
1e35bf86ca246837b60fb6075343b593b72cebeebc7b71986e31e439ea6529bd21d8b676b6957327bf93394bf9e70a93abb2886ae8b3bf0130d41d0b644e3efb

Download Submit
memory/2268-0-0x0000000073FDE000-0x0000000073FDF000-memory.dmp

Filesize
4KB

Download
memory/2268-1-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/2268-7-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2268-24-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2708-23-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing