f94f70706d0a74197a56d2f6274d5e7ef1cfc0e365606a7a3cba7ef186f619e4

General

Target

6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe
Size

12KB
MD5

6d60c74944bdfc379f5a8fe0f3ce3230
SHA1

b3219bdf82b9f009e6918e233b19e4a5572f605b
SHA256

f94f70706d0a74197a56d2f6274d5e7ef1cfc0e365606a7a3cba7ef186f619e4
SHA512

2da448412c0338f521fba1cb8a6d333f0c4691b52cd65f66ae843a9916b5ff615e4ada9646cd7d12f40b90add6e286ad2bacf491746760216aa81127b13c7b78
SSDEEP

384:2L7li/2zeq2DcEQvdfcJKLTp/NK9xaQM:wmMZQ9cQM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2740	tmp369B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2740	tmp369B.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1684	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2180	1684	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe	28
PID 1684 wrote to memory of 2180	1684	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe	28
PID 1684 wrote to memory of 2180	1684	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe	28
PID 1684 wrote to memory of 2180	1684	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe	28
PID 2180 wrote to memory of 1272	2180	vbc.exe	30
PID 2180 wrote to memory of 1272	2180	vbc.exe	30
PID 2180 wrote to memory of 1272	2180	vbc.exe	30
PID 2180 wrote to memory of 1272	2180	vbc.exe	30
PID 1684 wrote to memory of 2740	1684	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe	31
PID 1684 wrote to memory of 2740	1684	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe	31
PID 1684 wrote to memory of 2740	1684	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe	31
PID 1684 wrote to memory of 2740	1684	6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qtnrwjvx\qtnrwjvx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3840.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD0CE558D712E458B94DDDBE84A796D5D.TMP"
    3⤵
    PID:1272
- C:\Users\Admin\AppData\Local\Temp\tmp369B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp369B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6d60c74944bdfc379f5a8fe0f3ce3230_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
1280cfb2778250ce71ad4d325bf40c32

SHA1
5e58056fc99cb9e1bf6e42c449c7da5eb9ca6804

SHA256
2d6abbaf9b8e75794a13041f16c3667b3957a1bd4098df5c96c2559b2e51b572

SHA512
cb38690f5353f9b7beb1e92d449ef8aebaf981b0e78bcf416b2d52e9f1284b8635ed45f682593d775fc319827aec8a75976c09e6804afced5f1481fd82d05b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3840.tmp

Filesize
1KB

MD5
6e1f633d17eb28090e686ac16bddaa57

SHA1
d464417f0206f957c8a3deae518742e4b5603733

SHA256
b1fdab2e4d76b873a33a9c48fa23c542b86231a361cc9ae94c607eed81a2b88f

SHA512
ad9f6fdcd868f456ca2494c8dbd3cf1b201499655a8fe0383e2a8efb7bfc2822d1674922e7fc325522d52df2bd589a703513362ffac8e078ea67ca962226abf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtnrwjvx\qtnrwjvx.0.vb

Filesize
2KB

MD5
7c580b753119e9afde95e2717e289db1

SHA1
0d1afa8a8c11d748ad598fd83bd6cbdde5a9c318

SHA256
c7bf90fb06f358a366ee1e98e2650906da229a07767e83c37140e341fd1de1b4

SHA512
e99c9ce42b671b6cafaef70454486ac2e134bf7a1182bd46a48da3073e345aa0d8c3b0033934ef1c7bae46818ed93a5571b8087e0d3509b6fe198730802eb321

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtnrwjvx\qtnrwjvx.cmdline

Filesize
273B

MD5
3da8e789b86a9bdb6775e3350a02a3af

SHA1
e02227c20710b5be6a9a2db33cd06c2a893692c6

SHA256
7e43e6ac55bc7a4373628d6e7367f2fcdae405f78e83fe1bb0081a33830fe327

SHA512
d0c78169966edd84773fd0a23a59f8cfcd54419bd61dc0eab54ceb788b363bff26a4692500269ded15ed4ffdb1be7a345674f65533870099b05fee765e9a19b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp369B.tmp.exe

Filesize
12KB

MD5
234d84665305a1bdd91b8513e6900783

SHA1
d0a22fa4d3ede3710dbaf4026ad6ad76ea50e60f

SHA256
ae96badb9216b79c7932fca28ed8997663d7c5472c6c4a32a69331255af51be7

SHA512
ea3f7d985d73b8bfa4a315f9723e1ac40d08c919053f2452ddb843d95993a02fcfecd4721d85d8a071aab4520b0395f57c36277266682615b045e56b6db6ac82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD0CE558D712E458B94DDDBE84A796D5D.TMP

Filesize
1KB

MD5
350afe7dabf8c44ce3a93ecb242be7db

SHA1
c7aa8d8cc065646814f1ed5abb6142e5e08c958e

SHA256
d5144b3455b533d2f9614615bd2489fc11100b7a044d6a4eb146723dbd95f029

SHA512
0df07f4c32cf92f22b0fe5aac1a3456f091107c1035350f61d6b01350972669f71a4916102c41ddd217920b8a9ebb79810a908363dbd4781d1e2655d2e51bde8

Download Submit
memory/1684-0-0x00000000746BE000-0x00000000746BF000-memory.dmp

Filesize
4KB

Download
memory/1684-1-0x0000000001210000-0x000000000121A000-memory.dmp

Filesize
40KB

Download
memory/1684-7-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-23-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-24-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing