3761a58958c12df556f96abc57016938f2029440986a402399318055fd1ea970

General

Target

a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe
Size

12KB
MD5

a7bf23f906f6ea2116393fd2cbb66da0
SHA1

835af6df2b99fa6f5f548ea1a0d62f00cf4728d4
SHA256

3761a58958c12df556f96abc57016938f2029440986a402399318055fd1ea970
SHA512

bffe4b9060f88c9da2e322ee5c3a7fc300346118db2eb9eff49bacfaad6664d52124bfa8f12554f65b52e0f15f5974c13b46a8a5209dd4eab0340c3e43bd6197
SSDEEP

384:nL7li/2zZq2DcEQvdhcJKLTp/NK9xaJw:LxM/Q9cJw

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1968	tmp58EA.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1968	tmp58EA.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2236	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2344	2236	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2344	2236	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2344	2236	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2344	2236	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe	30
PID 2344 wrote to memory of 1636	2344	vbc.exe	32
PID 2344 wrote to memory of 1636	2344	vbc.exe	32
PID 2344 wrote to memory of 1636	2344	vbc.exe	32
PID 2344 wrote to memory of 1636	2344	vbc.exe	32
PID 2236 wrote to memory of 1968	2236	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe	33
PID 2236 wrote to memory of 1968	2236	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe	33
PID 2236 wrote to memory of 1968	2236	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe	33
PID 2236 wrote to memory of 1968	2236	a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe	33

C:\Users\Admin\AppData\Local\Temp\a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\02vx4igf\02vx4igf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A1DABFECA504BF4884C514E675F4EAB.TMP"
    3⤵
    PID:1636
- C:\Users\Admin\AppData\Local\Temp\tmp58EA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp58EA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02vx4igf\02vx4igf.0.vb

Filesize
2KB

MD5
6591fc92acd78cdfca144dc1afa01340

SHA1
2ffbb184706f6f47678ff4dd1075b5eedd752f10

SHA256
71fedf295adc2577e40591fe3705f9c3e340dc3a2327f8951b8a3f230c01d987

SHA512
fa7f327ec1709f1612feac9559dac7b6fa1a9f62138cd17ffd47e00262ba18c7e3657284d97bd21b4566365657dc669447a3688dc673364a4f2fe5338d466b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\02vx4igf\02vx4igf.cmdline

Filesize
273B

MD5
135ee7545c4a38005e4f9f5bcf657432

SHA1
8bcabd028f7568aaf4f5a3e98c57a17bee4b70db

SHA256
00982c932756c2f2dc0dacbb2dd0b8ae464844fd73e4ea884c6c52bedf6afbbe

SHA512
e2508a5e1516412bbc15d1a513e6a64cb0f6ad1bfd4bc413b1d2c178d0c42416376fe677404c1d651e4e3f425a128aa6391f71a75f18e9f56c8fd46a5b89a8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
5b8e75baafdf6f5c354cc3f2c39203c5

SHA1
920a35497ea0a494b29940e6305221178345064d

SHA256
ad7c539a91704dd7c543c965fb91d682f0ebb390d095893ba664d4c71cea50d0

SHA512
763d4eda7d1903b45911c280d2c9cdbe5bf19f23ddf32df9eb971e38546bd43609a49a5bab2f7f90cc9c539b543e38ffb3ba635199501d1d048f66e9692987aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5EB3.tmp

Filesize
1KB

MD5
a4304f410b96d6e7a35f76ad6640e891

SHA1
2d23045688e2dcd06e564681a32424e823f6408f

SHA256
e6dc43d1a5b3c897bcac0f58c830bce9f5a1bd454ad875122f00741c8869ec40

SHA512
e9ab6193979c4520669165bd093c77a9d647b7e73dfdf8da3912393d8678e1afe87819aaabe9022632cc21aba8a72a94bc985a3205714538139f083919fc9ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp58EA.tmp.exe

Filesize
12KB

MD5
1392f72583aa1ddc305a2416611d3181

SHA1
43e8e395d8f8c609973174f8ccf027acb15934fc

SHA256
a0d3dfcc55ef76abf9939010d48ab6a9f85902297803973805717e8d35bf9c86

SHA512
7a97952978bbb63e974ddac10c7811112f6eb3df1d697914bb0b8c3fdc860be6e52c9f8769ba9be6a35d2b5e59523516a26c4be8fa4ab2d8e3884b361e65201a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1A1DABFECA504BF4884C514E675F4EAB.TMP

Filesize
1KB

MD5
872bbf74c8931527540c0866132d43c3

SHA1
a1caea4c1c1eb556445273f35034caa4f8d47832

SHA256
65d0a54fb45319c56e549533e82dd1dea0b10d5f78a215202dc7ee741883a0ba

SHA512
e16771c099b1a4c1aa575a736b5d7dc848ee4aa4330106aa845db9008b5a5500f37a5e8215bcf76d5ce8de4f8da761df47c39013e1fb8267c4673b9024a7207a

Download Submit
memory/1968-24-0x0000000000960000-0x000000000096A000-memory.dmp

Filesize
40KB

Download
memory/2236-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

Filesize
4KB

Download
memory/2236-1-0x00000000012B0000-0x00000000012BA000-memory.dmp

Filesize
40KB

Download
memory/2236-6-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download
memory/2236-23-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing