0ed0f4e4094589992d4b21500c14fbdf5af02a8b0ba9e8cd133b028eebab56d3

General

Target

a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe
Size

12KB
MD5

a183764d0d4dc59eb970008125ae27c0
SHA1

8e84d2f9ae19bd1a141f5e5d5ec82fb79868f4a2
SHA256

0ed0f4e4094589992d4b21500c14fbdf5af02a8b0ba9e8cd133b028eebab56d3
SHA512

30aa47ed5896b072a106ed5a7bba7523cffaf3f497efa3aa326d47b5a73cfc439d4146e04d087f6733f4e6f88915747f4e41eb804772aad2a831b61b35136325
SSDEEP

384:1L7li/2zIq2DcEQvdQcJKLTp/NK9xan0:VcMCQ9cn0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2552	tmpBF3.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2552	tmpBF3.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2332	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2320	2332	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe	28
PID 2332 wrote to memory of 2320	2332	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe	28
PID 2332 wrote to memory of 2320	2332	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe	28
PID 2332 wrote to memory of 2320	2332	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 1812	2320	vbc.exe	30
PID 2320 wrote to memory of 1812	2320	vbc.exe	30
PID 2320 wrote to memory of 1812	2320	vbc.exe	30
PID 2320 wrote to memory of 1812	2320	vbc.exe	30
PID 2332 wrote to memory of 2552	2332	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe	31
PID 2332 wrote to memory of 2552	2332	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe	31
PID 2332 wrote to memory of 2552	2332	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe	31
PID 2332 wrote to memory of 2552	2332	a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ims0c51d\ims0c51d.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7974E45BF27548CDAC50D5705694CBA3.TMP"
    3⤵
    PID:1812
- C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a183764d0d4dc59eb970008125ae27c0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
b1a6baa2ab93f6182489c587ad5b85f7

SHA1
899fbe461073fdb623d45617725f20634646e766

SHA256
f905f03a51f2a4a8946f75f43dbae8d2035a28a18ba57bc029218f98e8d59edb

SHA512
1cc94bfb08959566aae168c1334beb2062b282c8418690569f3044e49b57901f27e2b0d2e4b9dc8162a04dd10dba32ae5c22a8268101345810c07cf833791829

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCEC.tmp

Filesize
1KB

MD5
def396cc4a666701fb6fced76a40d74e

SHA1
05218b19367e45652c6070df7be5883c00d14eff

SHA256
77f11ca05465c88793db107bc5c905e96896ecd485722245fc8553a84935ef91

SHA512
be9d38876a6fc75edfc826a185114e9b0f7646f14a67af36226e6ff3f29cc2251d825b8607a2aee3ad465884f1ec4068d6b1acab47cd899886bb28d51f110c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\ims0c51d\ims0c51d.0.vb

Filesize
2KB

MD5
9731b8d9e752d194f5353523287b36b5

SHA1
3a9615b7fe365d58acb7204726ec2255b1e57468

SHA256
9a70250c47675fc82ae38935e2b29932234e9ea3caf524d9917db7866587e6e8

SHA512
ff877b29d2dbffeea070fc40f6abc2946a8ca049d26d31b6c020aa48bc2c9477a918d56effce3be1920d664b6a1054e55784b4d56f462f5cafd6c4d9ff17b75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ims0c51d\ims0c51d.cmdline

Filesize
272B

MD5
022b73050bdd18eca15125b4a2d8d2e3

SHA1
cdebcff6a1eb845bdce7bb1b0f4fb49bcee5e671

SHA256
64a694e7650c552a547051269fd3ac993e98446270365fc0dbc9e2bb82f923e7

SHA512
8500e6ac56b0d426d8317114468dee56b9882a644994adbd2860491c6779fa1b7e68d59711dde891a153542fd60ab858c5e6eca8dc65f3e8e4a1cfda068b74b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe

Filesize
12KB

MD5
8e496c134952158ae19b2571bf685df7

SHA1
0955c992075cefa1e9e73b7e90f70138c2739b48

SHA256
e03c8a04223f1f7fafd7a7cab35646bd5132608507e3b59afc78efc4d3979853

SHA512
5dfbf66dca2067e5620d7e1b157e251254e2dff6e5cd5fbe12bba93d3a08ad04a43ffba49809d8ce8d4625ef8bd3b6bd2881e2b86bcaa5efbd9c56f688ba69c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7974E45BF27548CDAC50D5705694CBA3.TMP

Filesize
1KB

MD5
71f791b532227a4760c9ce341c608a3f

SHA1
b45defc005268a4e48b8218254e83c29568aae83

SHA256
426dafda13629bb50668cf84fbf767fd91ce6f7abe9b291c09631a7909c04d72

SHA512
fac752982d241d29cad46279a53f6651144147f667499f625bf72d5cb3222092f736fbf28fb60693fb44e95922bd9bd575581788a1465baf04e04494f45a1cb3

Download Submit
memory/2332-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/2332-1-0x00000000010C0000-0x00000000010CA000-memory.dmp

Filesize
40KB

Download
memory/2332-7-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2332-24-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2552-23-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing