fd6d9a4c6b62cdc964d31fcca0ad227ee0d2c7e91ecfa346e42860bf29cdf4b4

General

Target

751d21d2c315986d6e850c88121afab0_NeikiAnalytics.ps1
Size

1.6MB
MD5

751d21d2c315986d6e850c88121afab0
SHA1

1d8e4d51c9eb0fdced843132febc0a0dcdb30b51
SHA256

fd6d9a4c6b62cdc964d31fcca0ad227ee0d2c7e91ecfa346e42860bf29cdf4b4
SHA512

8d58e8c3a87547a746aad8c917863dff7aa2e10f11541a2e1f4f5e7f64a33916b12d51ec29b683b28eff1b3002f8a3f8bb88317794f907cf41d0390854977441
SSDEEP

24576:f6m3pPu6Cc+gujcae7paq+AzGG8rSo5TrWuc0CN89VHG7QOCxb1JZVo+VyNNuSEK:x261ui8NW4O7QvpEuSEIF

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	2368	powershell.exe
9	2368	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2368	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2368	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1168	2368	powershell.exe	31
PID 2368 wrote to memory of 1168	2368	powershell.exe	31
PID 2368 wrote to memory of 1168	2368	powershell.exe	31
PID 1168 wrote to memory of 2436	1168	csc.exe	32
PID 1168 wrote to memory of 2436	1168	csc.exe	32
PID 1168 wrote to memory of 2436	1168	csc.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\751d21d2c315986d6e850c88121afab0_NeikiAnalytics.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9vk6naje.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EF5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3EF4.tmp"
    3⤵
    PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9vk6naje.dll

Filesize
4KB

MD5
c67c9b8ce39ce866e4c3f4df93faa891

SHA1
604de15dff9e0f44bcf00417ef7cd936b28c549d

SHA256
98e8bb82425fd581d421abd00c3c9f5e83e3715492f95cdd861362ecc4822a20

SHA512
dea9b247cb9d8d9598c30d464fcfa696f207482952a12db8618c69862c9df0cebc70bafa5c62f60092cc310665e66a69b9b3c46aeac1beaee388c2f825f8d924

Download Submit
C:\Users\Admin\AppData\Local\Temp\9vk6naje.pdb

Filesize
7KB

MD5
8a5deecf80f0ff8d605f4f8d8425f1a3

SHA1
6fc714603fa02aaa1a073497c1cf7127cc4b67ce

SHA256
7c0ca20fae106290b1edcf3ff1dc4b08f39f7c6dcf165556405d7b6dd376f00c

SHA512
13f4d1b2e89f23c1088532be1c9ff3930e24033bda5d0376158aaf9779bb848a15505a12e95497bc34959adf33001cde1664b82f8a77098509928e8ff3c4daef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3EF5.tmp

Filesize
1KB

MD5
b97e1b7793c47cde866defb711f321c9

SHA1
a349ec018981dcbf244503cd0e8911ea4df4f7ce

SHA256
9cef7fd1b8d08d5a1cf6204b9e2f92d4fe7608a663057a442c0714001d2aeee4

SHA512
6abaadfb00f4531bcd07f211ea34ed6f7865cc3ff29e15648e3ddc44a0b7e07039866c7b164ef75885366c9898eed8e394a93c591437a8b6b9abe94db814cf92

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9vk6naje.0.cs

Filesize
1KB

MD5
5989018a4c0ad9cc8bc4cc1e5524186c

SHA1
ec9217244192c5ec96b4ac67982ac05983036569

SHA256
f2c563322c4d6a4c8b00946b48e3a59b45d8ec5991d977acd4514960f8fab4e5

SHA512
2550fb415b2022e3e3d14be551310c7c6821d8b1af7854253d8701f5376d720e1f661c0177f24b0f3bfedf90469064c107d72b1dcac6efa355c24dc6aa786975

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9vk6naje.cmdline

Filesize
309B

MD5
65d160ac2ef508594bcbde094a865c07

SHA1
71639c59470c66748133e160a6d8458bd7e3ff11

SHA256
38a3354033ed71d35f3fd3c5d8ede11df3c4bec4767d1bb14e5aed4ed7963d2b

SHA512
7ebcaff096cf68cf86eebf68d9195ed150e8c6a1401322b0a26c7cc6da6c989dba1505359c7132d7f57619f78a0046fccfebf66458c7bff7a61d6572bfc6e733

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3EF4.tmp

Filesize
652B

MD5
10a24fd90cba1fbb6d353fdc942d7b4e

SHA1
c91e014cb8116e39b082fd738bb7a722a1f6529d

SHA256
a933b50ef2a15fe7dc399b63b01a499f59f004542ea43fda53e546da8015eb55

SHA512
afc7e1ac5055f56ff0fa86e21ee314938874175d1b25be8629868e55df559650de396f1e2abdae798a3bf9c96c151ca8aa9c9436a06d21308fe9a56ae79360dd

Download Submit
memory/1168-32-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/1168-24-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-9-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-11-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-13-0x000007FEF589E000-0x000007FEF589F000-memory.dmp

Filesize
4KB

Download
memory/2368-16-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-15-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-17-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-12-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-14-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-10-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-4-0x000007FEF589E000-0x000007FEF589F000-memory.dmp

Filesize
4KB

Download
memory/2368-8-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-7-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-34-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/2368-6-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2368-5-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing