d2cf3cdcb30bbf1309e4d63ad3c7768eb4ba49b3cc6b1aa28530644e2e36c9ca

General

Target

25410b8c7b401e7b99d60a5fe2c4fe40_NeikiAnalytics.exe
Size

12KB
MD5

25410b8c7b401e7b99d60a5fe2c4fe40
SHA1

924075c30763996fa3b3516a7c58bf62dca8605f
SHA256

d2cf3cdcb30bbf1309e4d63ad3c7768eb4ba49b3cc6b1aa28530644e2e36c9ca
SHA512

31e635f4688a961c1d4624cccad8958c9eb279f75fbdc2c9421735a217047ef4efe9a0c226932fb80ca71233471047503d50ea96c2ef9211cf893d47e52e65b3
SSDEEP

384:iL7li/2z3q2DcEQvdQcJKLTp/NK9xauz:8LMCQ9cuz

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2752	tmp1556.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2752	tmp1556.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2268	25410b8c7b401e7b99d60a5fe2c4fe40_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	25410b8c7b401e7b99d60a5fe2c4fe40_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2856	2268	25410b8c7b401e7b99d60a5fe2c4fe40_NeikiAnalytics.exe	28
PID 2268 wrote to memory of 2856	2268	25410b8c7b401e7b99d60a5fe2c4fe40_NeikiAnalytics.exe	28
PID 2268 wrote to memory of 2856	2268	25410b8c7b401e7b99d60a5fe2c4fe40_NeikiAnalytics.exe	28
PID 2268 wrote to memory of 2856	2268	25410b8c7b401e7b99d60a5fe2c4fe40_NeikiAnalytics.exe	28
PID 2856 wrote to memory of 2560	2856	vbc.exe	30
PID 2856 wrote to memory of 2560	2856	vbc.exe	30
PID 2856 wrote to memory of 2560	2856	vbc.exe	30
PID 2856 wrote to memory of 2560	2856	vbc.exe	30
PID 2268 wrote to memory of 2752	2268	25410b8c7b401e7b99d60a5fe2c4fe40_NeikiAnalytics.exe	31
PID 2268 wrote to memory of 2752	2268	25410b8c7b401e7b99d60a5fe2c4fe40_NeikiAnalytics.exe	31
PID 2268 wrote to memory of 2752	2268	25410b8c7b401e7b99d60a5fe2c4fe40_NeikiAnalytics.exe	31
PID 2268 wrote to memory of 2752	2268	25410b8c7b401e7b99d60a5fe2c4fe40_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\25410b8c7b401e7b99d60a5fe2c4fe40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\25410b8c7b401e7b99d60a5fe2c4fe40_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f5d5cqkv\f5d5cqkv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB75999CB72F746588C3A4255F49EA164.TMP"
    3⤵
    PID:2560
- C:\Users\Admin\AppData\Local\Temp\tmp1556.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1556.tmp.exe" C:\Users\Admin\AppData\Local\Temp\25410b8c7b401e7b99d60a5fe2c4fe40_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
8b6f431796d43893555c05eac89bb566

SHA1
cedd4313b54accc8c99be2086e092f72e79dade3

SHA256
ff18bf3e73e459c33cab6cede7f5a472fb1268e7a0aabf66f9ff5a0e310fd3a3

SHA512
f734affbf6f8d2a186ae1d9a33246ae85ef518a175d2c71db64fa8666efb16166b6a4d2aac2165b1b60496b831bc304f9653c5c231cc9e167a70cebec3cbc9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES16FA.tmp

Filesize
1KB

MD5
1d9688d8b8e9dc463c1a2b04c5eca674

SHA1
fb5405098d60d44ebc8c8f366bd4d3d8fc0321b2

SHA256
3c44386bb34994b5b5f775dea5233581e9c9a40ddcf26708cb40ce35b29e5644

SHA512
763f5396deccd47739e63e6886c7b86d3dee2b7a76f875862bf25d5c5d5ad80132b9cdbd21a068787658112b810a232a1c55a96c3179e06c1015c2928317392a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5d5cqkv\f5d5cqkv.0.vb

Filesize
2KB

MD5
b999b85db526c0bbd7302cfc3f685d9a

SHA1
91587b1c2c55b89bcc92bb601b87db9892987d8d

SHA256
b9636c7e8279e1559e6fbf9553ab4e42bba9c4350d858aa5c13596ca246c4b05

SHA512
20d7c80a003c9e457b1d759761ad3e5dd782681c30b061543cb7c8aac839d2ae40e8ac6473fa687e3d92800467152d964e96cb50f472a12016e1fb7a88056aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5d5cqkv\f5d5cqkv.cmdline

Filesize
273B

MD5
7a121bf85464a21f942e82ef2390925c

SHA1
394d9e1b2afdd28c289e7a3a7ead4ae44b5f224a

SHA256
e70603be977c8cecd7acbc7725eb565af26ba0f899a66e3d59300b6c31596cb9

SHA512
5f8d22d03524494e541132adbddc3cfe27fc5525b22d843c11efb7fb358d4bc121ae268dd9fce17e320b634bae1a6d039e757e6e9cad59e3484cf2daa61ff683

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1556.tmp.exe

Filesize
12KB

MD5
b83c1b6c7c626103db41484049f296a4

SHA1
fc0a5db90d320271632a4a118d1a519db0299351

SHA256
281651e95ca079f3ebb39bd8ab4183257d71c35e86b4238fa0ae4edf9666c4f4

SHA512
5d408e623f4f352093a2adbdd96697940d9fae0ff276ee761ca6612e617d3fbd4cc258a1e421710a08b0a7820b8e8c00b9b0927d6cddac17765bca0c2cefe3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB75999CB72F746588C3A4255F49EA164.TMP

Filesize
1KB

MD5
78da3b7ef0f96e490590bcedc4dcd35e

SHA1
fac14b56efcdc0d3cf62ab317a3c23367ec4ba18

SHA256
7be2541251e4d4104af7d27c6cdfa388ddd957ec0967bb48719ebd2f393ee4df

SHA512
e1ffe58593bad69ea262ea3ff4c1e92404e2590f909f37ae0f8473c7f6d34d0461419ce5473ac5d621e8eb96e159c322076fa6d3eeff475238101daaee6ac5e7

Download Submit
memory/2268-0-0x000000007467E000-0x000000007467F000-memory.dmp

Filesize
4KB

Download
memory/2268-1-0x0000000001070000-0x000000000107A000-memory.dmp

Filesize
40KB

Download
memory/2268-7-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/2268-24-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/2752-23-0x0000000000A50000-0x0000000000A5A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing