54e8bb0d59c6defff1c8f133192b02c7c79402ab2e4453501f833d1220b9290a

General

Target

f08fca4a2c8dfedafa954ee1a0ff5b60_NeikiAnalytics.exe
Size

12KB
MD5

f08fca4a2c8dfedafa954ee1a0ff5b60
SHA1

a763f7c8318aeff5980d85c8813924e9f90b2727
SHA256

54e8bb0d59c6defff1c8f133192b02c7c79402ab2e4453501f833d1220b9290a
SHA512

7939bee5c80e27a76dbf60a2d4b42605a3ae824f1e3908fb7c759834e101c9108f6d8fee5dd5bd88f19b45b9f4f264b65d49840bacf419eca6893da2e357daaa
SSDEEP

384:DL7li/2zOq2DcEQvdhcJKLTp/NK9xaCA:HeM/Q9cCA

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2616	tmp19F7.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2616	tmp19F7.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
3012	f08fca4a2c8dfedafa954ee1a0ff5b60_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	f08fca4a2c8dfedafa954ee1a0ff5b60_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2780	3012	f08fca4a2c8dfedafa954ee1a0ff5b60_NeikiAnalytics.exe	28
PID 3012 wrote to memory of 2780	3012	f08fca4a2c8dfedafa954ee1a0ff5b60_NeikiAnalytics.exe	28
PID 3012 wrote to memory of 2780	3012	f08fca4a2c8dfedafa954ee1a0ff5b60_NeikiAnalytics.exe	28
PID 3012 wrote to memory of 2780	3012	f08fca4a2c8dfedafa954ee1a0ff5b60_NeikiAnalytics.exe	28
PID 2780 wrote to memory of 2620	2780	vbc.exe	30
PID 2780 wrote to memory of 2620	2780	vbc.exe	30
PID 2780 wrote to memory of 2620	2780	vbc.exe	30
PID 2780 wrote to memory of 2620	2780	vbc.exe	30
PID 3012 wrote to memory of 2616	3012	f08fca4a2c8dfedafa954ee1a0ff5b60_NeikiAnalytics.exe	31
PID 3012 wrote to memory of 2616	3012	f08fca4a2c8dfedafa954ee1a0ff5b60_NeikiAnalytics.exe	31
PID 3012 wrote to memory of 2616	3012	f08fca4a2c8dfedafa954ee1a0ff5b60_NeikiAnalytics.exe	31
PID 3012 wrote to memory of 2616	3012	f08fca4a2c8dfedafa954ee1a0ff5b60_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\f08fca4a2c8dfedafa954ee1a0ff5b60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f08fca4a2c8dfedafa954ee1a0ff5b60_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jcs0020e\jcs0020e.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B7C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4772C0F078C54E4BB629A697A8864D.TMP"
    3⤵
    PID:2620
- C:\Users\Admin\AppData\Local\Temp\tmp19F7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp19F7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f08fca4a2c8dfedafa954ee1a0ff5b60_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
09b9a90111eb3bb76c206d4b03b48fe1

SHA1
789fe784cd548786cc8b93f33bdab0386b6fc75e

SHA256
4262ca4c46f87e840fdcd735b9686b1ead3187af137bb11ebbabecb5bb2a8946

SHA512
024966e583383e42296c100e148dfd71314cd728d8a0a61ab63fe4f9836b06d58fba8d271ada12dee2f0fc6defa5a47021ec050aa52b8d7b1490132bd4cabdb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1B7C.tmp

Filesize
1KB

MD5
dbad070695235fc7c9223a53d740349d

SHA1
924c95cb7540dd0a81fdd02f357f3cc89bcd189e

SHA256
48df2c18308487a18cfb964ed93cdc8b144459c54b4f2625a84782b03f6d1fb7

SHA512
8bb71895218d2c84d20af79f84939f0a01dac8bcc866ec8c51ba8e397cfa44e751506db59680c76e309db847592cbb254e14bbaa66683f689533f80af36cc4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcs0020e\jcs0020e.0.vb

Filesize
2KB

MD5
da48af82a4f696f786467aa4ad976f15

SHA1
fd2e529fa28eb558db64e48922a5de5860830650

SHA256
8591665482f1a77a64d434cb67a3b7a572267cee7fa701447a90761eee2993d3

SHA512
63be531fd199ae83811f2b53dbe2868a0e4e58da9a096afa6625d8713127ca00f489733b3033906c353b63a142a697b0f1928ba65f8a75264fa2346b37d930e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcs0020e\jcs0020e.cmdline

Filesize
273B

MD5
348e8032f24d2b108f9a0bf589f1c10f

SHA1
f16242cfb03743615a8612a1da11b8b5266ec922

SHA256
af9d6faffa5b38b6afa690d8efc46a60f8095287d4dfc3e28bacc73653c52484

SHA512
10f25a84791b4d44032e8ca0ff6698a2621c94542c492a5d15ba7ccd0591e5c2f70f9819540c4ed5ba3f240731ac141f64ab26ef3d4f942bec7be95d9fff7a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp19F7.tmp.exe

Filesize
12KB

MD5
c483662fe23c81003adc6ff4d14368fb

SHA1
80b98533a92789cbeabeb0323bb25f6d51802eb1

SHA256
51c53b56254a822a6e7ccf871b41524b7b38be90acc7d3e0c859fded75098a95

SHA512
a037d9d229ea226fec8d59bcad546a46303f6b97ef18de394ecb407bd3b41dd74b3854fd498f97eb104d500d33b83448b48f2277dcd6a5c22d05eb39536f6453

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4772C0F078C54E4BB629A697A8864D.TMP

Filesize
1KB

MD5
102b153877b44be6092d7b2b9a396209

SHA1
2ca72d00334c97aefa14930be8e9a498f6f9073b

SHA256
15d4769ceb5cc321438a146baa2539962fc3f4df6e7eb0db141daa28674f7934

SHA512
c8826be9d80957c11fa5c89987df06c8f9ec0578a181a8ed1343e427b7de7064dd96f218ae261f447185c733af6a9a075c9948231c3657245463853b3f262c9f

Download Submit
memory/2616-24-0x0000000000E80000-0x0000000000E8A000-memory.dmp

Filesize
40KB

Download
memory/3012-0-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

Filesize
4KB

Download
memory/3012-1-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/3012-7-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/3012-23-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing