71e6364151a95dfab32bad01a7d3dbf040957bc45bca0e0e866bbd49456f0888

General

Target

7594fbd430609b83d681ceb830890de0_NeikiAnalytics.exe
Size

12KB
MD5

7594fbd430609b83d681ceb830890de0
SHA1

701eba16f53791b73b3a582e4e813520e6ebbb15
SHA256

71e6364151a95dfab32bad01a7d3dbf040957bc45bca0e0e866bbd49456f0888
SHA512

46149a358a626e01e17a22bc09e8d5cc5447d7c55c18132a6e0a816b3984cdbc8b8068e2939269ea09aebef341f1a7e419751899c13d2371faba23c6c59c0eea
SSDEEP

384:uL7li/2zHq2DcEQvdhcJKLTp/NK9xa8U:4bM/Q9c8U

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2620	tmp230C.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	tmp230C.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2768	7594fbd430609b83d681ceb830890de0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	7594fbd430609b83d681ceb830890de0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 1744	2768	7594fbd430609b83d681ceb830890de0_NeikiAnalytics.exe	28
PID 2768 wrote to memory of 1744	2768	7594fbd430609b83d681ceb830890de0_NeikiAnalytics.exe	28
PID 2768 wrote to memory of 1744	2768	7594fbd430609b83d681ceb830890de0_NeikiAnalytics.exe	28
PID 2768 wrote to memory of 1744	2768	7594fbd430609b83d681ceb830890de0_NeikiAnalytics.exe	28
PID 1744 wrote to memory of 2532	1744	vbc.exe	30
PID 1744 wrote to memory of 2532	1744	vbc.exe	30
PID 1744 wrote to memory of 2532	1744	vbc.exe	30
PID 1744 wrote to memory of 2532	1744	vbc.exe	30
PID 2768 wrote to memory of 2620	2768	7594fbd430609b83d681ceb830890de0_NeikiAnalytics.exe	31
PID 2768 wrote to memory of 2620	2768	7594fbd430609b83d681ceb830890de0_NeikiAnalytics.exe	31
PID 2768 wrote to memory of 2620	2768	7594fbd430609b83d681ceb830890de0_NeikiAnalytics.exe	31
PID 2768 wrote to memory of 2620	2768	7594fbd430609b83d681ceb830890de0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\7594fbd430609b83d681ceb830890de0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7594fbd430609b83d681ceb830890de0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lah55byz\lah55byz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2433.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1D450A39F9C425DBD4852EA3755863F.TMP"
    3⤵
    PID:2532
- C:\Users\Admin\AppData\Local\Temp\tmp230C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp230C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7594fbd430609b83d681ceb830890de0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
490151d402f270a5ba00993f35ccd485

SHA1
d437957f7214a0f00d3d6c1c6adcc0df72ac39b8

SHA256
25e4c8a621aae78164e5c76857a927efd09056b0ab4347f465752c982b7a6956

SHA512
4f5bfe16ac2741edbd6ab84f613f38d69e11f01b9181536c7630a63e08fa6af6470a104590614a7de21912ffcbeb630b7aff5489940f05cf5e6881bd82d282fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2433.tmp

Filesize
1KB

MD5
0fac21dc46c12419982cc6b648bde907

SHA1
76295940493ee35ba6b00a05f59b2e8eb7b7b430

SHA256
ac30edae209253f317e2932ac442cd4af29cf31e53976874f9460e3d379f3df4

SHA512
eaa83276a27a3c37af97767ea257bdbfcca8497ab02d6e187fd959a836626c9bbdf30ccd47ad04b2b1b0709bae4af724efbd638487fc9005b25de57e504a305c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lah55byz\lah55byz.0.vb

Filesize
2KB

MD5
9e600091157be03ade8a0cbbab88c99d

SHA1
4884222fad2762c81b73f23a6294b510c362264e

SHA256
4ceeb0ea1346732839af7c614e42a1385c4f998a1ff89cbd40725c595a740733

SHA512
ffa543b0d7c629111749f208a0720cd3224966765d14efdd450e75f25af2928f63d1033f49a3e8b2b35aacbdb5f9e7dea39e87c9b4240045b3cbcb1e4719ab8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lah55byz\lah55byz.cmdline

Filesize
273B

MD5
32164b1af2bacb24b17c4565abfb74e3

SHA1
d044c60fb98740a1cceb442bfb53327b5a49bd7c

SHA256
c8996d4e4f27cd980c7c784df8e43590950ba9fb066fe8eb25cd4a66b6908671

SHA512
fa78abc1433f1fe0bb975fec6e02226257553f25dc5a1590373364c1f15d555daa2b7024a38e69e49affb2c7ca0702679bd0eb62c828817073960ff66306799b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp230C.tmp.exe

Filesize
12KB

MD5
767426820cdcab0e3979947f57f1e10a

SHA1
5566b481b5cb2efeeab478e48df0dc9fe683edc1

SHA256
574f82ba112fa5812fb7bec3a82d5a13742985669af4dbc29b2057894f8c6aec

SHA512
68d74d150a05f4a20ede8a09587264fdf8bc1feff52a0e361b3bff6ced30a3edf47530a9533e8e75c8739c56d70c4b087c7692bd704912769ea6ab0a2daedd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB1D450A39F9C425DBD4852EA3755863F.TMP

Filesize
1KB

MD5
44cbcdd61dc4ad267e02bf0ad439173b

SHA1
e711ffcb6eb519e3395e870c2cc36f0e7afcb7b8

SHA256
3e3c08bc543f8b014ff4fc71cc51a3dc16910e180c3b2e35b3e18cf96a94a99b

SHA512
2da493b03d29db8ba0b99a39a144d152c52033eec4177299c4b4409a76dc2785e9899f230aab450df13988e276b5f8392e90671feca389b9dce0e345d563e00f

Download Submit
memory/2620-23-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download
memory/2768-0-0x000000007488E000-0x000000007488F000-memory.dmp

Filesize
4KB

Download
memory/2768-1-0x00000000011B0000-0x00000000011BA000-memory.dmp

Filesize
40KB

Download
memory/2768-7-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-24-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing