e76f413f106f04974471460bb165d72869ed985c2a22bef23c2579dcd719dc32

General

Target

778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe
Size

12KB
MD5

778a7116161cd47a5447fc36ff0353a0
SHA1

d5be4ec2525ce1e3da54cd213be708c23c7e7c36
SHA256

e76f413f106f04974471460bb165d72869ed985c2a22bef23c2579dcd719dc32
SHA512

f9ee968d163d800529a4fecc22ec5a822082f6628fe7f5a49b75721bfd62dfd32697ef39db38110109baf6bff33342e2c1683f0a4accfa6d1adbe80ba48ea366
SSDEEP

384:tL7li/2zaq2DcEQvdQcJKLTp/NK9xaZP:9CMCQ9cZP

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp27DC.tmp.exe

pid process

2668 tmp27DC.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp27DC.tmp.exe

pid process

2668 tmp27DC.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe

pid process

1736 778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1736 778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe

pid	process
2668	tmp27DC.tmp.exe

pid	process
2668	tmp27DC.tmp.exe

pid	process
1736	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	1736	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 1736 wrote to memory of 1320	1736	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe	vbc.exe
PID 1736 wrote to memory of 1320	1736	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe	vbc.exe
PID 1736 wrote to memory of 1320	1736	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe	vbc.exe
PID 1736 wrote to memory of 1320	1736	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe	vbc.exe
PID 1320 wrote to memory of 2692	1320	vbc.exe	cvtres.exe
PID 1320 wrote to memory of 2692	1320	vbc.exe	cvtres.exe
PID 1320 wrote to memory of 2692	1320	vbc.exe	cvtres.exe
PID 1320 wrote to memory of 2692	1320	vbc.exe	cvtres.exe
PID 1736 wrote to memory of 2668	1736	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe	tmp27DC.tmp.exe
PID 1736 wrote to memory of 2668	1736	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe	tmp27DC.tmp.exe
PID 1736 wrote to memory of 2668	1736	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe	tmp27DC.tmp.exe
PID 1736 wrote to memory of 2668	1736	778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe	tmp27DC.tmp.exe

C:\Users\Admin\AppData\Local\Temp\778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1hxmfh3g\1hxmfh3g.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6CE0663E22F54A69B8EE6C14F118E2.TMP"
3⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\tmp27DC.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp27DC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\778a7116161cd47a5447fc36ff0353a0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2668

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1hxmfh3g\1hxmfh3g.0.vb
Filesize
2KB

MD5
189e24583df413889e3c506d1a6f1b7d

SHA1
bef2ffd897db2f22a658d1988c4dd6adebb221b6

SHA256
9b8593a398e7255573a35cfaf05c6c8d8f79f982e3d6204e2d3ae21b357d0971

SHA512
c2223f331e0354e847b27f31183c5dd7cb17216a34ee14642dbd45a0277a8c423bc1c31b03ff91d3f232560d202bf2049e6fdd89ac48d2bf4014e2ae03ebfdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1hxmfh3g\1hxmfh3g.cmdline
Filesize
273B

MD5
52f82345e5744a4ce95c8f0f218ebcfc

SHA1
d01c6d780ef8f18c4fb83fba111c2503f9e49292

SHA256
73b9226a7d59ef4950be242a1560bb1238d130a61f6c0d3396ee2a0e69c627d0

SHA512
215062168b56eed592375e81db82763b8b285590d55c74d337c1094fcd3848501da3d6deee7f6c2745d4e906442cabf2d11a3ab174da13c4ce1856f40fa44f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
109d034adad24a584946274b56e3e3cc

SHA1
7b4602155f392a73f7a16a326c0d57fe0087490e

SHA256
f3a97c4dab7fb134cdb4b2dcbe2b3a914beefa37fad292c138882aee397a8a14

SHA512
f75fd6a8a089f2b95a10195149622d6c4debaa197a2bf07c504a607774007d785b88d8834aba81fbdfbc7573c50097b8c35b65d0c55f4dadc72f8d5ac766a744

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES29EE.tmp
Filesize
1KB

MD5
b06cf7d26fb8caea5d7502b6478835c7

SHA1
973b85b63be1dc9223175cade8d7f77ce9c9c836

SHA256
02031c141552f34154a7cbb926af091eeaa5be52ba17322c3a688d3b95da1dfb

SHA512
5857cc0dc6f5053cacab0ba87671f14f41f9b67fe0eae62233da5aac797d3d9c2c143b92b683881c9c8ca1affe049ac25dced0d56f1fd16119cf580960ab9cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp27DC.tmp.exe
Filesize
12KB

MD5
d7b3ecd712b419814d259f4429bc1fcd

SHA1
aafeed54a4dd4c70694780bc6d14d8f96b7faca5

SHA256
313e75b4c093b0c0c92085330336350e9cc1a889d4849f1ed7051004178cc191

SHA512
1abc451fd2abe275b0a89e55bd01b386f4fab872f6c7b64c701cd6b9ce8b1898a756a6e638679add878a2681c2f03a33727ef88efdd54a61ea9153915e86cbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6CE0663E22F54A69B8EE6C14F118E2.TMP
Filesize
1KB

MD5
cdba1a66d55b620fdabdc53ef04a9e96

SHA1
05c259e16e07feec00951865e32e5080161009a9

SHA256
1b0dfcad51db8bfea0a556924861f0fe6e3b9fc9c0338665e1b5890bf3ae356b

SHA512
d15d560e7bb0b7cbb7c2c0e45ece4b77a29796f35adfbcfddf915fca85ed62f9b6d37b37e79f84d3375a2d7e0ea659c36d81f05893076963435b4a0a41b42e42

Download Submit
memory/1736-0-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

Filesize
4KB

Download
memory/1736-1-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/1736-7-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/1736-24-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/2668-23-0x0000000000D50000-0x0000000000D5A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing