0690c2d1b7625037c93f183b3de5d7998c0c8c0126ed65b19a2a3fcc98818dc1

General

Target

7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe
Size

12KB
MD5

7731c5cf8ffdeac783af3e5b6fb57550
SHA1

a6a8b55558c278b985c6c1f322d65c942bbdf592
SHA256

0690c2d1b7625037c93f183b3de5d7998c0c8c0126ed65b19a2a3fcc98818dc1
SHA512

b23acab15b7e62bde8b0fec3286a8f92602aec60f1833810e5e75b33adae7b5d4dbbd0ea5b8315b2e51420464a547108ab753ae2dc82759fc9de45b558666a64
SSDEEP

384:SL7li/2zAq2DcEQvdQcJKLTp/NK9xaN9:MMMCQ9cN9

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp18A0.tmp.exe

pid process

2632 tmp18A0.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp18A0.tmp.exe

pid process

2632 tmp18A0.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe

pid process

2924 7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2924 7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe

pid	process
2632	tmp18A0.tmp.exe

pid	process
2632	tmp18A0.tmp.exe

pid	process
2924	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2924	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2924 wrote to memory of 3052	2924	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe	vbc.exe
PID 2924 wrote to memory of 3052	2924	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe	vbc.exe
PID 2924 wrote to memory of 3052	2924	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe	vbc.exe
PID 2924 wrote to memory of 3052	2924	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe	vbc.exe
PID 3052 wrote to memory of 2520	3052	vbc.exe	cvtres.exe
PID 3052 wrote to memory of 2520	3052	vbc.exe	cvtres.exe
PID 3052 wrote to memory of 2520	3052	vbc.exe	cvtres.exe
PID 3052 wrote to memory of 2520	3052	vbc.exe	cvtres.exe
PID 2924 wrote to memory of 2632	2924	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe	tmp18A0.tmp.exe
PID 2924 wrote to memory of 2632	2924	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe	tmp18A0.tmp.exe
PID 2924 wrote to memory of 2632	2924	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe	tmp18A0.tmp.exe
PID 2924 wrote to memory of 2632	2924	7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe	tmp18A0.tmp.exe

C:\Users\Admin\AppData\Local\Temp\7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0rhznrho\0rhznrho.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19A8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE92F649A0D04D1FA661796716CFAFF.TMP"
3⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\tmp18A0.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp18A0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7731c5cf8ffdeac783af3e5b6fb57550_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2632

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0rhznrho\0rhznrho.0.vb
Filesize
2KB

MD5
0d45a692d895d29d030c846d09e7302b

SHA1
0851ff3e2667b2b176c187c824307a1de7930173

SHA256
a51f0975705042ec3a870ecbf3e39f663d0c17c49a04a7f7d4017b3150826209

SHA512
a15db8b3150da339d46cb947c9c353177d9144b0665681a5c2c1dfa798f43a17671f0f15c96106730c11fb63fc9818f26a7904f04e56f08b0dcd6da66700620a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rhznrho\0rhznrho.cmdline
Filesize
273B

MD5
b5a762fe36307b411b1352f7348cc30b

SHA1
1a9453f9d74906c63e91de97c3acb6772f86748b

SHA256
a77adc536f07febecce0506010f95de16d0c95cc6e2db03e4a497c440af51ada

SHA512
a2bd129b490aa32ff0cb83365a913ae8b22ecd4f97f08f20355b9401b398e3ced37f85fef238927914ffab19acd2eaae2f40dbfc1ded7c3b9d1f5fad8d463f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
4debf77b2880bb705ead06f63a298017

SHA1
cc9fc641f8adf41e19ea6dda5e6ef7e7d037deea

SHA256
11184eaf8876a59ce69bc32a801dc3b089a5e5a3f7c683521744beddb7c033ad

SHA512
19a37d7571645ff9eaf9877182aa7683b2f26c44b5ad9bdd1a4732324683b4eaaf886f588645e33fd65c24310f90b2123b22630eeca9ea9d4997c3980fdb7cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES19A8.tmp
Filesize
1KB

MD5
871c0c009994b58cef4e622ef172b37a

SHA1
85e57bd65323055b1feeb5114c51d5b75b293f9a

SHA256
73e6087f6144cb85b805fff2fe78c19e13eed28a3111e33488bae923a1ae4ead

SHA512
5c2ae551112694f569a19c563393f45a0c0cc700e5d3710cfc097d823cb167a51733fce287d4ae9128971b8c4e18000ed60fd6e77b4543c9b4e94eea4c194cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp18A0.tmp.exe
Filesize
12KB

MD5
65068cf643db76d7ac4df917466ecca2

SHA1
d787746ef24cbfb92cc85466bc50d48a6b4889ef

SHA256
33909ecb972375be2e66df300c37453e2dda7f6a63cd5b6a760792ab21338ace

SHA512
98af67754aa45be829522da8fd242559b71c6396244e4acf5df125a7acdfa3dbbbcbb07255ea52fae3ca0545d033bb767d65473f3678c3f0f84305f936c4fd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAE92F649A0D04D1FA661796716CFAFF.TMP
Filesize
1KB

MD5
74a1ccf921c12fa6dae17e72c2fb9c7f

SHA1
70a807a2b65ec3ec0533b1796ab269c291e5a923

SHA256
401b8ce394ff6b21e7be72a2582db0b6ec9548a35e7d1e6793b65aa106b0018f

SHA512
7bb6451f242b99709fd3069dbc39839542d1e5ae32009ca5ffa7ba277ee0d2ef16365f0efd102685db9c591eed2eb6d615b0fb766cc606d0ec3572419b30f316

Download Submit
memory/2632-23-0x00000000011F0000-0x00000000011FA000-memory.dmp

Filesize
40KB

Download
memory/2924-0-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/2924-1-0x0000000000840000-0x000000000084A000-memory.dmp

Filesize
40KB

Download
memory/2924-7-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-24-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing