5e141b740cf20bd0c59ba1eb4e60e1c6e2158ad5a733f234fb725910854535b9

General

Target

76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe
Size

12KB
MD5

76038c3520272b84b6146eb5079ad240
SHA1

24346cda359af03ae6073c5990a892d57e1c815c
SHA256

5e141b740cf20bd0c59ba1eb4e60e1c6e2158ad5a733f234fb725910854535b9
SHA512

9a31a689abcc77a75feab573e5b6a9b2dd7801ba83ce8d756dbe03632dd142cb71ca64a80f0a0f2400e88a88822c1dd338a889e705640ee5cad5e3d1860d6d6e
SSDEEP

384:PL7li/2zZq2DcEQvdQcJKLTp/NK9xa6+:jxMCQ9c6+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp2849.tmp.exe

pid process

2500 tmp2849.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp2849.tmp.exe

pid process

2500 tmp2849.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe

pid process

1656 76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1656 76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe

pid	process
2500	tmp2849.tmp.exe

pid	process
2500	tmp2849.tmp.exe

pid	process
1656	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	1656	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 1656 wrote to memory of 1924	1656	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe	vbc.exe
PID 1656 wrote to memory of 1924	1656	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe	vbc.exe
PID 1656 wrote to memory of 1924	1656	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe	vbc.exe
PID 1656 wrote to memory of 1924	1656	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe	vbc.exe
PID 1924 wrote to memory of 2552	1924	vbc.exe	cvtres.exe
PID 1924 wrote to memory of 2552	1924	vbc.exe	cvtres.exe
PID 1924 wrote to memory of 2552	1924	vbc.exe	cvtres.exe
PID 1924 wrote to memory of 2552	1924	vbc.exe	cvtres.exe
PID 1656 wrote to memory of 2500	1656	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe	tmp2849.tmp.exe
PID 1656 wrote to memory of 2500	1656	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe	tmp2849.tmp.exe
PID 1656 wrote to memory of 2500	1656	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe	tmp2849.tmp.exe
PID 1656 wrote to memory of 2500	1656	76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe	tmp2849.tmp.exe

C:\Users\Admin\AppData\Local\Temp\76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p4i50ffs\p4i50ffs.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc666DC68893045D4912A1A72BF3BA5C.TMP"
    3⤵
    PID:2552
- C:\Users\Admin\AppData\Local\Temp\tmp2849.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2849.tmp.exe" C:\Users\Admin\AppData\Local\Temp\76038c3520272b84b6146eb5079ad240_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
e12d7473afd7002346951507420dd45f

SHA1
544b05729688def6814f0539ca3aff1421d712db

SHA256
e83fabe554ce8d7eb2365512f5e679e0a85f09a72688942762fac5a598a993c7

SHA512
ad2ed07dede8be994226871d26c7a42afd6ac65de096964dcc6d9d2c66dffe81d48120c94762875d3edc89a7e998a70dbb517a9bcd202e6f260a0b3659f707d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES29EE.tmp

Filesize
1KB

MD5
ea3f58dc818ef985303f2886e5244c7e

SHA1
27227a4d9adbf64ba3830bf98dba439fe7fcec8f

SHA256
c5fc94a561fd0117cd8fe61a637db639d1c13011e88e562bed6d69b3b3d90792

SHA512
ef1c68cc06ce17b0dce39a2af6b7bdb3a45a773335eddba57d3e83922f1248f0eed97426ebffded48803cc127a7abca3c9a615695c671d8b1d898bf965de4535

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4i50ffs\p4i50ffs.0.vb

Filesize
2KB

MD5
66db85510c0294b566d82a66d3c1055a

SHA1
deb9ff13e5d990e78690097b4bb3262d8a9d05da

SHA256
3de6cd12ae1fc2a5f59f3088e306449be7ce0732bd411eb6ca6b0c4602488424

SHA512
502e48a28bb0e1e9d7b52a5b0bac15f4bb156a48442ebe7442a18ea9236f6201665a8143d95666444e8ec92162ace573b434c67ed34bdc787f723f5bd1415407

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4i50ffs\p4i50ffs.cmdline

Filesize
273B

MD5
32b1f6e5264c780863c5426acb69f438

SHA1
8c6bd0dde0989a52e1ffd40295f9a7c101a28ec2

SHA256
729e80cc73b5204345c809a4747cbe5cb6491d4e27aa6dacf6d156e74ed656b7

SHA512
d7d388a2991b699440921a141a05c6198d7a884ba34c7abf0e752599bebf3426081d1171c2bcfd712e294af6e07da0176cf84cdbf559ee8ce7dfcb1efd4dc06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2849.tmp.exe

Filesize
12KB

MD5
2c6581c9075cddbfdd385e12764fc383

SHA1
abc3795971fd761fcd26e6b871ddfff02bbe6ed0

SHA256
d4eb8183991a1ba0d7ef4bc487759976a7e7c2cb42837658a1c02b9210b30253

SHA512
2dc2d11860ee129d6146b789c2847c9db96c5635e379c24c3d1a128e54d52bbcef6f0a1d4e2e4d26459bd05bc5db392161de2e9a9160fa55c90b0815742b4745

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc666DC68893045D4912A1A72BF3BA5C.TMP

Filesize
1KB

MD5
3563886e0f7fe5db201c36f68622f1e6

SHA1
8ff76782eef4fe1c5bde8110ae1b8d41c50d0a1c

SHA256
b2eea984f1a855510f41f098ef03db9e138bf882d6c01f4e517b37a7cb468111

SHA512
f41566fca902008836cf68947539ea76573748ac824470b950f87beff133b8bcdf772b22b05902ea8ba3bda0b1cde528929144b0908750e2681b33cb1428e9a0

Download Submit
memory/1656-0-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/1656-1-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/1656-7-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/1656-23-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2500-24-0x0000000000810000-0x000000000081A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing