fd6d9a4c6b62cdc964d31fcca0ad227ee0d2c7e91ecfa346e42860bf29cdf4b4

General

Target

751d21d2c315986d6e850c88121afab0_NeikiAnalytics.ps1
Size

1.6MB
MD5

751d21d2c315986d6e850c88121afab0
SHA1

1d8e4d51c9eb0fdced843132febc0a0dcdb30b51
SHA256

fd6d9a4c6b62cdc964d31fcca0ad227ee0d2c7e91ecfa346e42860bf29cdf4b4
SHA512

8d58e8c3a87547a746aad8c917863dff7aa2e10f11541a2e1f4f5e7f64a33916b12d51ec29b683b28eff1b3002f8a3f8bb88317794f907cf41d0390854977441
SSDEEP

24576:f6m3pPu6Cc+gujcae7paq+AzGG8rSo5TrWuc0CN89VHG7QOCxb1JZVo+VyNNuSEK:x261ui8NW4O7QvpEuSEIF

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
18	5080	powershell.exe
24	5080	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5080	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5080	powershell.exe
5080	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5080	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 840	5080	powershell.exe	92
PID 5080 wrote to memory of 840	5080	powershell.exe	92
PID 840 wrote to memory of 992	840	csc.exe	93
PID 840 wrote to memory of 992	840	csc.exe	93

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\751d21d2c315986d6e850c88121afab0_NeikiAnalytics.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uosfhur2\uosfhur2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E2D.tmp" "c:\Users\Admin\AppData\Local\Temp\uosfhur2\CSCEA094EBDAD754D7DA59E7B120E6BE77.TMP"
    3⤵
    PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5E2D.tmp

Filesize
1KB

MD5
24958da24ca793245f8819678b08503e

SHA1
1c5de159fe4e34c281975ef6aa485afba2d5c6ad

SHA256
cfd39773f8ca82329c6d21b96b5a6299642ec95945dccc6d3ee94b0b9cd86ad0

SHA512
d3448550df01e31fa4c7aa9ae7df108d3bc21f41d9c954ecf77d609915e98fac2edb4a43dfd8d520dd09c9db510d0b630f75b3f4134376bc6dcbe769b5e070b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5fvcm4ik.qxt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\uosfhur2\uosfhur2.dll

Filesize
4KB

MD5
2943e9495409e3ef27bc4dfee02c6a98

SHA1
a037a9ec56f626c97efb0633c8330ff151ef1e7d

SHA256
68e8bfd4dbf0a89eda8a6f9cb487780f10ec0d6999513c90ea4b9483e641c7b6

SHA512
a8e5c7b99c93c73828cc4d552ac1e6633353b8a7c6259a77f9a792e278f19883bef39fe5805deed1275d7237784595ad7229c9faa0fd83fe74787b45bdbd5458

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uosfhur2\CSCEA094EBDAD754D7DA59E7B120E6BE77.TMP

Filesize
652B

MD5
f7482d3635b7425adcde2a721d655f6b

SHA1
19bcfe5e35b4e3f28764c08060d6ea095fd80d4b

SHA256
1a0ad3c27620f3e953394e2b07d27dcac65a084c432526e7de61f53246a86887

SHA512
c4151157afcc8ca0656727f961872c50bf0635a0b8486ddff7ddfc37c7181ecfd087cdf921acd7d9bf583b237d4ef333774a3e5fc84dbb4d4f19f336413203a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uosfhur2\uosfhur2.0.cs

Filesize
1KB

MD5
5989018a4c0ad9cc8bc4cc1e5524186c

SHA1
ec9217244192c5ec96b4ac67982ac05983036569

SHA256
f2c563322c4d6a4c8b00946b48e3a59b45d8ec5991d977acd4514960f8fab4e5

SHA512
2550fb415b2022e3e3d14be551310c7c6821d8b1af7854253d8701f5376d720e1f661c0177f24b0f3bfedf90469064c107d72b1dcac6efa355c24dc6aa786975

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uosfhur2\uosfhur2.cmdline

Filesize
369B

MD5
1a8409084a9fdfc00c5cbbd1bf6dee1c

SHA1
eec615f04a93c9468e373ebd3d66415bd72efb2b

SHA256
9451a45ca0988a8292048aa1e1070d44cba032687dbd42cf9ce2fa1d7743c049

SHA512
4160cacf9b07214f2b4990fd82d4e8ccd2aeca73d172a7e7ec00346fc4413483b9c60854ea1205c9240cb037159a72a8f2d07568fe3852f2c4902fb6e47428cf

Download Submit
memory/5080-27-0x000001A69B270000-0x000001A69B278000-memory.dmp

Filesize
32KB

Download
memory/5080-14-0x00007FFEF97C0000-0x00007FFEFA281000-memory.dmp

Filesize
10.8MB

Download
memory/5080-0-0x00007FFEF97C3000-0x00007FFEF97C5000-memory.dmp

Filesize
8KB

Download
memory/5080-12-0x00007FFEF97C0000-0x00007FFEFA281000-memory.dmp

Filesize
10.8MB

Download
memory/5080-11-0x00007FFEF97C0000-0x00007FFEFA281000-memory.dmp

Filesize
10.8MB

Download
memory/5080-13-0x00007FFEF97C0000-0x00007FFEFA281000-memory.dmp

Filesize
10.8MB

Download
memory/5080-10-0x000001A6B4410000-0x000001A6B4432000-memory.dmp

Filesize
136KB

Download
memory/5080-29-0x000001A6B37E0000-0x000001A6B39FC000-memory.dmp

Filesize
2.1MB

Download
memory/5080-31-0x00007FFEF97C3000-0x00007FFEF97C5000-memory.dmp

Filesize
8KB

Download
memory/5080-32-0x00007FFEF97C0000-0x00007FFEFA281000-memory.dmp

Filesize
10.8MB

Download
memory/5080-33-0x00007FFEF97C0000-0x00007FFEFA281000-memory.dmp

Filesize
10.8MB

Download
memory/5080-37-0x00007FFEF97C0000-0x00007FFEFA281000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing