206c41107f4a1eaed6184b192f211a05b16cb1968825e2a0917792af1eba24e9

General

Target

930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe
Size

12KB
MD5

930c5ed38490afea5f8e625ae27b76b0
SHA1

efd4d953b1316cb804fb5b483c544e3575010062
SHA256

206c41107f4a1eaed6184b192f211a05b16cb1968825e2a0917792af1eba24e9
SHA512

82a3adef52dad16914ad0350982d4f2f83c2a5389dfa60a15268572ca03fbd580c778ea522a423a6ca8564c28ed56819e34597fe246d98ca28880c47c3927dfd
SSDEEP

384:lL7li/2zWq2DcEQvdhcJKLTp/NK9xa5K:l2M/Q9c5K

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2712	tmp2398.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2712	tmp2398.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2180	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2208	2180	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe	28
PID 2180 wrote to memory of 2208	2180	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe	28
PID 2180 wrote to memory of 2208	2180	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe	28
PID 2180 wrote to memory of 2208	2180	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2608	2208	vbc.exe	30
PID 2208 wrote to memory of 2608	2208	vbc.exe	30
PID 2208 wrote to memory of 2608	2208	vbc.exe	30
PID 2208 wrote to memory of 2608	2208	vbc.exe	30
PID 2180 wrote to memory of 2712	2180	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe	31
PID 2180 wrote to memory of 2712	2180	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe	31
PID 2180 wrote to memory of 2712	2180	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe	31
PID 2180 wrote to memory of 2712	2180	930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vvgr2oip\vvgr2oip.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES254C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc448803D499004322A11B4DC35B68691.TMP"
    3⤵
    PID:2608
- C:\Users\Admin\AppData\Local\Temp\tmp2398.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2398.tmp.exe" C:\Users\Admin\AppData\Local\Temp\930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ba0fa2e1e0076a2aa590b346529b4c4e

SHA1
f4fffd26518d5ecc7c26a074957c86aeb9142497

SHA256
d4853ef6715b83987ea4b85ba0bfea5fd7003cfc6a46ccbc09b5be242545553e

SHA512
b434c91f950223b29c0c9c6738d2a447dc240fca559eaaa85b9778f28ce6f2e83cd02bc83e5d6407789006856b563001ea217fd4c6aca371e9fa96bb834ae87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES254C.tmp

Filesize
1KB

MD5
a221a3f0d688f8f3787a13ae5faf2a93

SHA1
2914d60bcd3d0f42f185bbfe32f5ec4b32d3be4e

SHA256
dc36eeb9bde7de077324c237d1084ca484bd621dd3ec047c7bd8b24d6ab4552f

SHA512
4d968d678f2db526a95873cdb3827b09f57e9042f18eaa4f4a188a4eccad26d6120d71de671fbe4722e5d30197652b7f8d472ca623efc150557dd15a8580fb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2398.tmp.exe

Filesize
12KB

MD5
2e614b79a4379fe1773122614ac3af8a

SHA1
9676b7ba030ad6bc01f98e8ec6c3fbb574430d3e

SHA256
6d4e175b24c4d9fa6943bce75ff7b4e8eeb99da98900fc1e1a1a0cc8b6b148b1

SHA512
b802288504d825c97f780d641beee71beb01173e81da5a3a18978be1080eb49e629616c4aae143f51c2ed6e21efe29907c8b5df7ec858dc4fd5c75cfb0e0bc1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc448803D499004322A11B4DC35B68691.TMP

Filesize
1KB

MD5
70c207ee35e91fd874a7aac9d625b8d0

SHA1
2ab2454daf510b36ba7168047b4b0632bfef9032

SHA256
979ace2b6aca2ab2f14fbbe1357fbf296b46b0f3556ae5ac0230dcf7034e60be

SHA512
beb6b7e71cefeb7dec6c979706f03fbf630b3ee47fd86458b91283ae1acaa9bba36bd7bfa4fa3c1a3459761f27182ef7e931000fca7d2084ffdc62075f3bbbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvgr2oip\vvgr2oip.0.vb

Filesize
2KB

MD5
2fd1fafc788e4fbe8f15df4074741138

SHA1
324becc4ec7a736eaab94e7071932b9d34aa65a3

SHA256
5c0d67b8fe18197f5cbaea25a4e16f6b0e3b0713b5c0389fd9415fcf0f237c5f

SHA512
7689f6a283a00c96e943bf897af2d38d339144f983915be588c92f2164c222501b1f03a143fd24a877ef7e74c00e1adf91207f3f09ff154e058345283888d9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvgr2oip\vvgr2oip.cmdline

Filesize
273B

MD5
723a27e3a101568dea9b9ec3c327f734

SHA1
096203c11a551bd02c92e54ebff821f59a0e13f1

SHA256
a081602f64823f182bdab02c4ba5c947d8bca89fe7a85f7c1342b24d132e6d19

SHA512
a388469b18b45c6eb5877ca12f57980276dd34bd5fde00db93228f95e27bd07f1b6d5d9397fc3c8655664d006035fc1f9a7c219b0409a8cade6009f783323ae0

Download Submit
memory/2180-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/2180-1-0x00000000009D0000-0x00000000009DA000-memory.dmp

Filesize
40KB

Download
memory/2180-7-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2180-24-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2712-23-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing