e0fefaeb970b8ff2b079e696e5d66715bf98d04ca005b1cfb0ce00c54b411a50

General

Target

01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe
Size

12KB
MD5

01f9a5120de1b2b1f94ffe742b596250
SHA1

3a132d13cd644c8197218bac49a38fd2691ac5ec
SHA256

e0fefaeb970b8ff2b079e696e5d66715bf98d04ca005b1cfb0ce00c54b411a50
SHA512

1104720a63ce25753fe7a678319f443cc29e82434950a3f8322d52ea644c641f5065c05a88f937fb078fca5544aaccfa011bdb00afd117ea35f293de4fe18532
SSDEEP

384:pL7li/2zYq2DcEQvdQcJKLTp/NK9xavar:ZkMCQ9cvar

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2700	tmp2167.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	tmp2167.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1700	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2216	1700	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe	28
PID 1700 wrote to memory of 2216	1700	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe	28
PID 1700 wrote to memory of 2216	1700	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe	28
PID 1700 wrote to memory of 2216	1700	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 2316	2216	vbc.exe	30
PID 2216 wrote to memory of 2316	2216	vbc.exe	30
PID 2216 wrote to memory of 2316	2216	vbc.exe	30
PID 2216 wrote to memory of 2316	2216	vbc.exe	30
PID 1700 wrote to memory of 2700	1700	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe	31
PID 1700 wrote to memory of 2700	1700	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe	31
PID 1700 wrote to memory of 2700	1700	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe	31
PID 1700 wrote to memory of 2700	1700	01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vto0y10p\vto0y10p.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2359.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc44FE66BBAC444DE69AFFC7AF57C9728F.TMP"
    3⤵
    PID:2316
- C:\Users\Admin\AppData\Local\Temp\tmp2167.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2167.tmp.exe" C:\Users\Admin\AppData\Local\Temp\01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
7cc133e23921c4e52a11e15d66baa87b

SHA1
5f569b78f0022e2878d3ad0a67479c11dccf5359

SHA256
200a871c53e804df02ada3ce7c69de712c390375e8e77301f00fb1e3cc14b322

SHA512
ae8230ac901b68177e1e375604594d5f0326a0813b1e103390fb6434aad71f8c251bbebfec00fce18abd9018ca8337e6353570911338741396de7792a687f46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2359.tmp

Filesize
1KB

MD5
efb73fa02d4a5de5ab05d1a8d13fdbf5

SHA1
8f06e72f91169512e4ae605ea4548a2d84a22b36

SHA256
70239966ec6fe3a72514ff91fccd297756bcea70bb24258a1e3add01aaf1e9d4

SHA512
4cf3819241b4601cf0e24584d0b85a0dfc4e1154843d849b53732b37c2693bebb19b6c2ce11cfc7f5f02620b4185b355caec90efdbb09fd628bcb7d5879f1d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2167.tmp.exe

Filesize
12KB

MD5
b98b3d4ebaa8b20a38b8e4ef860b0cd3

SHA1
fd699d05084e61b9f3bea4cb0da497f68e2a82df

SHA256
aebeaf57e3e4eab13acd2b8900467165f6837fda1e35a3d076b04c0f47c2e4f2

SHA512
1fa3848fb15af4364065b3fa280d2c6e92d7777577cc937a5d0cd7d2e5e796e558228acba48b84d6b3f8fe5fe071a117dd178cd644d4a4ccf9c5020aa0e672b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc44FE66BBAC444DE69AFFC7AF57C9728F.TMP

Filesize
1KB

MD5
70e7e686c72dc83768b9b84af8b6b619

SHA1
48b444ee8a81ce1c2c8d781e0e31657289f4787b

SHA256
29171963d83ae0c9102a4f2f2a62ff051df8d6487de5a38bd8b3eed8add64d9d

SHA512
1271a99a7545f69f1e1277f22f0004ef0a7f11f9e0d0f5ec695bba1d3f65f62bd047225e34077f67cf3400faf4af3c6f5474f5f52708a7bb5f61f7857985eef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vto0y10p\vto0y10p.0.vb

Filesize
2KB

MD5
acf1f093f110cc9aed7f5fd8d53aea1f

SHA1
0bbf47691268b7318c87aa74dfa8eff187029ab8

SHA256
b2456516e4bed32d3b2737a39da8c1faf1065d1321dd69701188f88e4d398c11

SHA512
4129a158c66cef988b79647f5d45ca527c76c7095c5be0fd7a0d0e5234a97516d4ac695fe2fcef2f46ad8c5ae111d25800316d2b43b426ef8be0bac6ff6e4fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vto0y10p\vto0y10p.cmdline

Filesize
273B

MD5
c14e652a403e6433066a3c34d321e166

SHA1
34ddd7b4d41f6baa8b2a1a987155a196f331c618

SHA256
0c2e6c8a2d0131b75782cc5a1405ab2e6ce395cb571e77509eb5b14873d21c8f

SHA512
4f8626fde5702fb615e52775d117c75c56af8c74d72ce7b028d3ad04ed3f963609c5b1f324ff9013480f505e773b78391f70434bf95d90e76e323c1fbe6c8fb5

Download Submit
memory/1700-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/1700-1-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/1700-7-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-23-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-24-0x0000000000C80000-0x0000000000C8A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing