Analysis
- max time kernel: 121s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 01:34
Static task
- static1
Behavioral task behavioral1
- Sample: 6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe
- Resource: win7-20240220-en
Behavioral task behavioral2
- Sample: 6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe
- Size: 12KB
- MD5: 6e8f4759faf934b3cc85b1e1517369e0
- SHA1: 031296e8c3b1968e9e55740390068e66eacf7c48
- SHA256: d4d4a937354eabc147fe88e8c7b27280363dc1935cd69b2bab2e9f128c2de391
- SHA512: 15a4af2c0f0699cc6c32a6428128524f28d0d1e8c346bb7090c19685beb58b12f9b5563125e96321904255a6886cd50358e47fc1ae20926dc08dc94bb9fba865
- SSDEEP: 384:dL7li/2zzq2DcEQvdQcJKLTp/NK9xajM:NXMCQ9cjM
Malware Config
Signatures
- Deletes itself (1 IoCs)
  Processes: tmp2D49.tmp.exe (PID 2528)
- Executes dropped EXE (1 IoCs)
  Processes: tmp2D49.tmp.exe (PID 2528)
- Loads dropped DLL (1 IoCs)
  Processes: 6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe (PID 3028)
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe (PID 3028), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID wrote to memory of target PID; source process, target process; each event was recorded four times):
  PID 3028 wrote to memory of 2944: 6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe, vbc.exe (4 events)
  PID 2944 wrote to memory of 2680: vbc.exe, cvtres.exe (4 events)
  PID 3028 wrote to memory of 2528: 6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe, tmp2D49.tmp.exe (4 events)
Processes (tree; the number is the nesting level in the process tree)
1. C:\Users\Admin\AppData\Local\Temp\6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe (PID 3028)
   Command line: "C:\Users\Admin\AppData\Local\Temp\6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2944)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wcmiz2zy\wcmiz2zy.cmdline"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2680)
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E60.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA65E7FD7234E588FA57CE93749BDEB.TMP"
   2. C:\Users\Admin\AppData\Local\Temp\tmp2D49.tmp.exe (PID 2528)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2D49.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe
      - Deletes itself
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads