d4d4a937354eabc147fe88e8c7b27280363dc1935cd69b2bab2e9f128c2de391

General

Target

6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe
Size

12KB
MD5

6e8f4759faf934b3cc85b1e1517369e0
SHA1

031296e8c3b1968e9e55740390068e66eacf7c48
SHA256

d4d4a937354eabc147fe88e8c7b27280363dc1935cd69b2bab2e9f128c2de391
SHA512

15a4af2c0f0699cc6c32a6428128524f28d0d1e8c346bb7090c19685beb58b12f9b5563125e96321904255a6886cd50358e47fc1ae20926dc08dc94bb9fba865
SSDEEP

384:dL7li/2zzq2DcEQvdQcJKLTp/NK9xajM:NXMCQ9cjM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp2D49.tmp.exe

pid process

2528 tmp2D49.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp2D49.tmp.exe

pid process

2528 tmp2D49.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe

pid process

3028 6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 3028 6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe

pid	process
2528	tmp2D49.tmp.exe

pid	process
2528	tmp2D49.tmp.exe

pid	process
3028	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	3028	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 3028 wrote to memory of 2944	3028	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe	vbc.exe
PID 3028 wrote to memory of 2944	3028	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe	vbc.exe
PID 3028 wrote to memory of 2944	3028	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe	vbc.exe
PID 3028 wrote to memory of 2944	3028	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe	vbc.exe
PID 2944 wrote to memory of 2680	2944	vbc.exe	cvtres.exe
PID 2944 wrote to memory of 2680	2944	vbc.exe	cvtres.exe
PID 2944 wrote to memory of 2680	2944	vbc.exe	cvtres.exe
PID 2944 wrote to memory of 2680	2944	vbc.exe	cvtres.exe
PID 3028 wrote to memory of 2528	3028	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe	tmp2D49.tmp.exe
PID 3028 wrote to memory of 2528	3028	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe	tmp2D49.tmp.exe
PID 3028 wrote to memory of 2528	3028	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe	tmp2D49.tmp.exe
PID 3028 wrote to memory of 2528	3028	6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe	tmp2D49.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wcmiz2zy\wcmiz2zy.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E60.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA65E7FD7234E588FA57CE93749BDEB.TMP"
3⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\tmp2D49.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2D49.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6e8f4759faf934b3cc85b1e1517369e0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ac6ecc99f016223ecec3faf4573c5391

SHA1
c242d34c1dddb317a92db662563808dbdf611615

SHA256
718be0f18df5975a98405b7f502d4f68eca4958754e8dccc6d47274b8d19c281

SHA512
6c5565f8191f16cdf113facaf0227f3a49ed1a86e2fb7217abb1cd0bc7dcc7c093a2d1cbd94ffc6a3718f107ae15e171298668149a677c8f56923a7cf5db9166

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2E60.tmp

Filesize
1KB

MD5
54dfa139fef556bcb3dbd77e8ddedefa

SHA1
44c7c214fed11cfdffce2c405a4a7e5c4427aa15

SHA256
829d42daa5ed8dbbb5eb984e0873f0b6a29d08244f946697367565f09c9dde5c

SHA512
a00bd95fe1b09ba882f6ada616418df6ed4a1ec6b7efd5f499d03d583acee5f8cc07e804a6e1ff9fd21a758b82cbb85ba3ac52d632563ffdc6e7f95977bcc473

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D49.tmp.exe

Filesize
12KB

MD5
4fe51ed5ebae905977b394c608a77d3c

SHA1
65eb13db12f885cb473ee78720386841e0e4dc60

SHA256
bf404d15910dd043b34a570b1ed7013c419ef6e738a8fdd022b99cfb817c7f7f

SHA512
7913e49c108adf7450f5fa92fbc6dbf8a83aa0bd0fde318eb61f5f84ebed29ea464a7edfaa16ee5b870bf7750870415eb2fe67e8db0f81e789a9838409b4a84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEA65E7FD7234E588FA57CE93749BDEB.TMP

Filesize
1KB

MD5
943ee627d6dec8144f9d4e27ad2d3235

SHA1
7f991273449e1b4ed2f94fef2841b2bdd673cada

SHA256
eb92ee0c7333c907d4407d73941af3f8dfc3355030dc513b537e285b7d3494ac

SHA512
fd265115a30daf1d0169bc210f6f3ee35a815a9f3c89672c8d125244a4da19d934c1f19544c4029f839ca195d57c80b8f463c73260ba630a05d54527a9ba068f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcmiz2zy\wcmiz2zy.0.vb

Filesize
2KB

MD5
aed174705ab930638d9944bc2de8e492

SHA1
7453c426d0285d454fb491f0dc912cbd430d3448

SHA256
2508a57ffcb44e362590cbf236463fb4a4295b8056ecf54d11ea0adae3794d7a

SHA512
0839efd4f5d47ee369b87a0f5f1d8f887a0dc8213c8c4ef340ac7687d57a2de9816cfd445057b01a8daed4b0f3c0183aee8ec05dcf607209b0ae73450338d985

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcmiz2zy\wcmiz2zy.cmdline

Filesize
273B

MD5
dd94fab81f4faa9445ee823c5ec20a36

SHA1
c632a1d2da86ceb8ed295b6f8a08632fbab53f7a

SHA256
7faca4af67c4419d53d7937ab8da027a24b9c261bbfaeb15aab3a45c47f678cb

SHA512
cba72142ce0f8dbf6247e30940d87539515e7a4cab6ba42b0eaf5b7ad60207c257b8eae1763985d30c9ba21f453e5e6ef3b4a524278eea9226008ff57d9bdcc5

Download Submit
memory/2528-23-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download
memory/3028-0-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/3028-7-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/3028-24-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing