515e74d6c6b193fa66c8bbe77ac25b725b758397e1d852846c27989642085492

General

Target

77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe
Size

12KB
MD5

77b02a3b4192134447c9655803408f90
SHA1

340de3862ecd98bfd4a91d4c355639c03fc647d0
SHA256

515e74d6c6b193fa66c8bbe77ac25b725b758397e1d852846c27989642085492
SHA512

57530af9b4b327af8360452d43b307c2b702e4ebb747563407fcfdc4df260e7de08dc527833ca297dbcc1c17ce02e2b2a8dbf2758d08b36a4526922a956931aa
SSDEEP

384:rL7li/2zXq2DcEQvdQcJKLTp/NK9xa+r:/zMCQ9c+r

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmpA362.tmp.exe

pid process

2500 tmpA362.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpA362.tmp.exe

pid process

2500 tmpA362.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe

pid process

2244 77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2244 77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe

pid	process
2500	tmpA362.tmp.exe

pid	process
2500	tmpA362.tmp.exe

pid	process
2244	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2244	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

77b02a3b4192134447c9655803408f90_NeikiAnalytics.exevbc.exe

description	pid	process	target process
PID 2244 wrote to memory of 1396	2244	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe	vbc.exe
PID 2244 wrote to memory of 1396	2244	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe	vbc.exe
PID 2244 wrote to memory of 1396	2244	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe	vbc.exe
PID 2244 wrote to memory of 1396	2244	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe	vbc.exe
PID 1396 wrote to memory of 2620	1396	vbc.exe	cvtres.exe
PID 1396 wrote to memory of 2620	1396	vbc.exe	cvtres.exe
PID 1396 wrote to memory of 2620	1396	vbc.exe	cvtres.exe
PID 1396 wrote to memory of 2620	1396	vbc.exe	cvtres.exe
PID 2244 wrote to memory of 2500	2244	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe	tmpA362.tmp.exe
PID 2244 wrote to memory of 2500	2244	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe	tmpA362.tmp.exe
PID 2244 wrote to memory of 2500	2244	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe	tmpA362.tmp.exe
PID 2244 wrote to memory of 2500	2244	77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe	tmpA362.tmp.exe

C:\Users\Admin\AppData\Local\Temp\77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xy2t3np1\xy2t3np1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC7AD4FF85ED4115959E53D55692F6DC.TMP"
    3⤵
    PID:2620
- C:\Users\Admin\AppData\Local\Temp\tmpA362.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA362.tmp.exe" C:\Users\Admin\AppData\Local\Temp\77b02a3b4192134447c9655803408f90_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
d07b71b6ee27d23d1681e50c86a5d730

SHA1
dd1b157f2392d89cbfbcfdb9c83a0236d4dc1296

SHA256
93fb1f7269603c544844f14948901ad3ea4485047cd31031ed52ccff401eac76

SHA512
d2c2f0102edc360883659da96895e5853ae70b68bc7bb0ede304a207973a8cb08d32da9b9dc600fd00f2336c270a42f18d6665701c531d1ed4c21eeae4796da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA7E3.tmp

Filesize
1KB

MD5
2ba1376059d72666acfc221bd8870dd6

SHA1
5bfa6c52be238284d4918c787baa7d014d69ab56

SHA256
2625e60d55a6a9f55250d1ae16667e1c93c4e855b687ad0fd70f63266a0f4ba4

SHA512
2f70510a2c765956373c1c22ad7900ef39c2b4a369ec020e4be6fed7a5ef1af1871b6f3132c9decf39d22a5fe0b455270194bdcbbe623908b19e9bc7b352d3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA362.tmp.exe

Filesize
12KB

MD5
21896c4f74c94e459acc6afacbf777ac

SHA1
bea788b8473921882d00937e0b45fb96d9ef65f8

SHA256
ba395781005d7c6f1cc7b863462a82a192703acf58d8d0d1609fd1c8b94f85ad

SHA512
3103a8810fd62a275967d81f6093ff159a1012cc6f0e76fdeec9e5bfd0fe80e188789be0a2996d0a5d9a5ac0938e316f5a04804d822a3de0d08107e2e92a4239

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFC7AD4FF85ED4115959E53D55692F6DC.TMP

Filesize
1KB

MD5
89843f0ba67388d159c3680c972620e1

SHA1
2d26d6faa1cb21bcf5a2f6feec668e14b9769816

SHA256
5815ca31d055406fa9aa770f9532a2f9d954e5924c7955c7c35ce0dda38faf94

SHA512
81ddc218c7733aa5aca3e3b874f498d85918462c47908b2c1d948cfd7b99c3313a67073fd64698db8b403f48bba500c73d87ffe9cd90464369f1ee5ebea15cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xy2t3np1\xy2t3np1.0.vb

Filesize
2KB

MD5
f9970bd1d41b753f444185b0cfc74791

SHA1
b93bf53d0f65a8e73dc0048d62a7b307b28827aa

SHA256
93cc35c0f37880dc367e35e686b3dcd146d6c80c5d36b3b76c9cb044fe904f51

SHA512
caaf0b69eeb750ff370bcd5939605c8f6b410e246d5a4c69ba3bb890627544ab24d86fe387b08319a8fcb46c891ca570813e7931c4966777338aa76a6709232c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xy2t3np1\xy2t3np1.cmdline

Filesize
273B

MD5
25fe0bfb22c9e8e4a5c9e5ef14a5122d

SHA1
7142bcb0f46f0a9bfa87a1e30280213b586b56a9

SHA256
b247e4ae24e18a32a4befdde7195c386fba7f7a10a74dc658325931d5ef07292

SHA512
294bbac1284ae4ff10b83ce7f80cfac6e1dcd9d431d559b55f2a0211fbff4cab0550a2834a4b290988187d67917be1efa2f5d23ca279df55ae39656e3058b177

Download Submit
memory/2244-0-0x000000007423E000-0x000000007423F000-memory.dmp

Filesize
4KB

Download
memory/2244-1-0x0000000000800000-0x000000000080A000-memory.dmp

Filesize
40KB

Download
memory/2244-6-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2244-24-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2500-23-0x0000000000A30000-0x0000000000A3A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing