147a39816434ef685cc50ffded05d95eb48f912e156a165d2bf677d532504c6d

General

Target

2141eece5637c8c70eae990307b9f220_NeikiAnalytics.exe
Size

12KB
MD5

2141eece5637c8c70eae990307b9f220
SHA1

58e1e256e189840ae2fb568a150733df826864de
SHA256

147a39816434ef685cc50ffded05d95eb48f912e156a165d2bf677d532504c6d
SHA512

da4e3b612cadecd7eda684966addf4096840ef49efdb50ec4e50a9bd7786926445cebb50139bd0b4a7ff7452311f53a23be6f6b730668d06986ee4ac4ebf317c
SSDEEP

384:OL7li/2zsq2DcEQvdhcJKLTp/NK9xaLR:YYM/Q9cLR

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2656	tmpF0F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2656	tmpF0F.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2100	2141eece5637c8c70eae990307b9f220_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	2141eece5637c8c70eae990307b9f220_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2512	2100	2141eece5637c8c70eae990307b9f220_NeikiAnalytics.exe	28
PID 2100 wrote to memory of 2512	2100	2141eece5637c8c70eae990307b9f220_NeikiAnalytics.exe	28
PID 2100 wrote to memory of 2512	2100	2141eece5637c8c70eae990307b9f220_NeikiAnalytics.exe	28
PID 2100 wrote to memory of 2512	2100	2141eece5637c8c70eae990307b9f220_NeikiAnalytics.exe	28
PID 2512 wrote to memory of 2628	2512	vbc.exe	30
PID 2512 wrote to memory of 2628	2512	vbc.exe	30
PID 2512 wrote to memory of 2628	2512	vbc.exe	30
PID 2512 wrote to memory of 2628	2512	vbc.exe	30
PID 2100 wrote to memory of 2656	2100	2141eece5637c8c70eae990307b9f220_NeikiAnalytics.exe	31
PID 2100 wrote to memory of 2656	2100	2141eece5637c8c70eae990307b9f220_NeikiAnalytics.exe	31
PID 2100 wrote to memory of 2656	2100	2141eece5637c8c70eae990307b9f220_NeikiAnalytics.exe	31
PID 2100 wrote to memory of 2656	2100	2141eece5637c8c70eae990307b9f220_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\2141eece5637c8c70eae990307b9f220_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2141eece5637c8c70eae990307b9f220_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1x5q0xe0\1x5q0xe0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB42CEC6AB0F4078A0F5EBDFF3B9963.TMP"
    3⤵
    PID:2628
- C:\Users\Admin\AppData\Local\Temp\tmpF0F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF0F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2141eece5637c8c70eae990307b9f220_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1x5q0xe0\1x5q0xe0.0.vb

Filesize
2KB

MD5
c46d2c39b6d5839db496ba946cdc2bac

SHA1
2e01d0f095f16a007e02772f107a43c269d9b5cc

SHA256
93d9d8b93110bc34e4d58ae23d7898ce7723ce6e41e702fb263e78825e61425a

SHA512
c4d23303074b257541041232359a7a366d88e454b623cf6eeb84fd662fae9b38ddcd6792884907fd614e28ccccff34911447dfa61bf16d435bbb9afaf6ced183

Download Submit
C:\Users\Admin\AppData\Local\Temp\1x5q0xe0\1x5q0xe0.cmdline

Filesize
272B

MD5
5ae0be44f1fd4c462153c125a21eb36f

SHA1
5bdd52598f364d719a855e27954f2785171ed994

SHA256
4005b1ad43e427477456b91bc76d7e65cd9baf5ba438d192dbe1c2b14934972e

SHA512
8461e4e567e47bba3e091b24ee1041d1cc428fed478a76c55f90a66bd0d95b0405a87b02b48ad6a2ccc16ea5e8dabb9ecb2e6830d49cefbdf1487ebeb985cc96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
53c8c192c98e8c2b5511c4f847cde8f7

SHA1
aa6be2197a2900cd0cca1af4f7093ac9c14ffad4

SHA256
437b0c418063b91cd22e7b0ebfa6c54d6e676f516d203a1a91f0632ba93dd889

SHA512
807dde617d16bcabec61cd647b8067014c8b9fcc2efc01fc6565b0291a9b97bda89099ff816d008e6868775f6547371143fdb9265f90e938f7b38f73716394ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFF8.tmp

Filesize
1KB

MD5
913cf27d8b9597b19fdf9bb525669b5e

SHA1
8d71ff61b7844d443298f6679c1846d285eef108

SHA256
a19f9ef2ab16736cba6af755221b8a1ee0e865849bbaa30361b2d47ac9337431

SHA512
01b3ba919f57eddc64780a2c60b0fe2f823b5d8abed1bd397030fc6d0dcb594405e1be603053236392c9e0f4e46d5d7e4e26eda3195be5d9a311d4e704067956

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF0F.tmp.exe

Filesize
12KB

MD5
95a8c27fb88217bb53edad412497ed7b

SHA1
a51d2b264b88089f2a57872753bc96e187e9046a

SHA256
fe9f138c0ba51da053bbe313432a3d7c4646236aad418c8e69e8e5b75870a4d9

SHA512
0b15041692c727abad1bfb223c14ca6778bb30242b24179a2b1eaf945a7321fdb66c0f0a68e95e4aa93c94e03e18c822a7fd380420e57d6d73a03bd269d2f6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB42CEC6AB0F4078A0F5EBDFF3B9963.TMP

Filesize
1KB

MD5
8431b0b049c52a448b00643a0c885520

SHA1
b4ca9404224f5637f548ab50b16ea8f22d69ef39

SHA256
e763e6f6df7201d68227b6d20e5a8d941e8088eeaf38dc50cf1df169a9736e60

SHA512
322b3832ac48d08684bfd90b16c3fa237ff531a1107d995a425c6191ded6f127e325b4a262785e3bab9b346dba713aeab7798e0cf59ced4f03e70d8c27e7cc01

Download Submit
memory/2100-0-0x00000000745AE000-0x00000000745AF000-memory.dmp

Filesize
4KB

Download
memory/2100-1-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/2100-7-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-24-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/2656-23-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing