Analysis
max time kernel: 117s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27/05/2024, 11:39
Static task: static1
Behavioral task: behavioral1
  Sample: eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe
Size: 12KB
MD5: eced8197efc825de9bdf0766df90e9b0
SHA1: 008bad968d2f89d9db06f35f39f17b26811aa5ee
SHA256: fdecb80962839579c9fa64d60261750101dd87424b003f09a7a82a76515f7307
SHA512: 86427bd75f8f68c3cbc04580ab583b96786bd5a5e39fe9d59726f39e36fde11bd515f647e3157e5f5f40a4c6da5809e024a05d56c5863f2007fb7835b4adb86e
SSDEEP: 384:YL7li/2zpq2DcEQvdhcJKLTp/NK9xaBO:mhM/Q9cBO
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2560, process tmp9ED0.tmp.exe
- Executes dropped EXE (1 IoCs)
  pid 2560, process tmp9ED0.tmp.exe
- Loads dropped DLL (1 IoCs)
  pid 2776, process eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege, pid 2776, process eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2776 wrote to memory of 2000 | 2776 | eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe | 28
  PID 2776 wrote to memory of 2000 | 2776 | eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe | 28
  PID 2776 wrote to memory of 2000 | 2776 | eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe | 28
  PID 2776 wrote to memory of 2000 | 2776 | eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe | 28
  PID 2000 wrote to memory of 2640 | 2000 | vbc.exe | 30
  PID 2000 wrote to memory of 2640 | 2000 | vbc.exe | 30
  PID 2000 wrote to memory of 2640 | 2000 | vbc.exe | 30
  PID 2000 wrote to memory of 2640 | 2000 | vbc.exe | 30
  PID 2776 wrote to memory of 2560 | 2776 | eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe | 31
  PID 2776 wrote to memory of 2560 | 2776 | eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe | 31
  PID 2776 wrote to memory of 2560 | 2776 | eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe | 31
  PID 2776 wrote to memory of 2560 | 2776 | eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe"
   PID: 2776
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3ql4szpw\3ql4szpw.cmdline"
      PID: 2000
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA42B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8318DB0AF8C4B75976FC2FA20DFB19.TMP"
         PID: 2640
   2. C:\Users\Admin\AppData\Local\Temp\tmp9ED0.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9ED0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eced8197efc825de9bdf0766df90e9b0_NeikiAnalytics.exe
      PID: 2560
      - Deletes itself
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads