4323134fb722c9287945645c7919942f91d0e7f5c29f4255a27eed09da07ab6f

General

Target

5668c5e81e531f6cefe9afbc60bc7780_NeikiAnalytics.exe
Size

12KB
MD5

5668c5e81e531f6cefe9afbc60bc7780
SHA1

7b65d2c2a2348fed7d663a99809b43f8d469a179
SHA256

4323134fb722c9287945645c7919942f91d0e7f5c29f4255a27eed09da07ab6f
SHA512

c6ce9d76a41fbef134c61518b6b2b18c1468a20e1cc07b58a0e39ee7cf69dc45df5d75895c56e755f969e6484d84fde87b1df19445245104a1a5d80c740dc6be
SSDEEP

384:1L7li/2zWq2DcEQvdhcJKLTp/NK9xa3s:VeM/Q9c3s

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2496	tmp98C7.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2496	tmp98C7.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2896	5668c5e81e531f6cefe9afbc60bc7780_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	5668c5e81e531f6cefe9afbc60bc7780_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2948	2896	5668c5e81e531f6cefe9afbc60bc7780_NeikiAnalytics.exe	28
PID 2896 wrote to memory of 2948	2896	5668c5e81e531f6cefe9afbc60bc7780_NeikiAnalytics.exe	28
PID 2896 wrote to memory of 2948	2896	5668c5e81e531f6cefe9afbc60bc7780_NeikiAnalytics.exe	28
PID 2896 wrote to memory of 2948	2896	5668c5e81e531f6cefe9afbc60bc7780_NeikiAnalytics.exe	28
PID 2948 wrote to memory of 2664	2948	vbc.exe	30
PID 2948 wrote to memory of 2664	2948	vbc.exe	30
PID 2948 wrote to memory of 2664	2948	vbc.exe	30
PID 2948 wrote to memory of 2664	2948	vbc.exe	30
PID 2896 wrote to memory of 2496	2896	5668c5e81e531f6cefe9afbc60bc7780_NeikiAnalytics.exe	31
PID 2896 wrote to memory of 2496	2896	5668c5e81e531f6cefe9afbc60bc7780_NeikiAnalytics.exe	31
PID 2896 wrote to memory of 2496	2896	5668c5e81e531f6cefe9afbc60bc7780_NeikiAnalytics.exe	31
PID 2896 wrote to memory of 2496	2896	5668c5e81e531f6cefe9afbc60bc7780_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\5668c5e81e531f6cefe9afbc60bc7780_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5668c5e81e531f6cefe9afbc60bc7780_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g1zx00rh\g1zx00rh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9DA6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D7A5402BA34BAB8A7F2EA25E43F12.TMP"
    3⤵
    PID:2664
- C:\Users\Admin\AppData\Local\Temp\tmp98C7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp98C7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5668c5e81e531f6cefe9afbc60bc7780_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
a50e698800b0812e8f0e43282036339e

SHA1
b94b6fa6a5b5315ace2e53f8a601c383d06434ea

SHA256
a7a359ec0b05314d746185960970a678b8a86e13382b8afffc09b850b732a758

SHA512
051e42fe2c9a56260bf95f0697726dd7344fa0cdb2d828abeada0263797e54eb21ca50832625dc30c04f221e5c13996a91ed161054d44f57e6648d4c4de9dbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9DA6.tmp

Filesize
1KB

MD5
b660000b5a5fa3cdf2e72076a8c59211

SHA1
7ffec0ba7b3b1f26465ab7a10e4de07bb3e6a791

SHA256
3c6d2a01e33f3f9ed6394ba6b6f048a611989ae8dd69be89b83d21828b2a4ee7

SHA512
50b93d98c1b416ec728ce359b2129b66db480cdeeb5c147445b0733a8f3f66906f92458a618fb26f354761cca915cdc9abd45f8b7557a13c2322bc268916a585

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1zx00rh\g1zx00rh.0.vb

Filesize
2KB

MD5
a96f176d16737fbeb784a82006785475

SHA1
c3150cad853109581607d4154e10751bfd8f8576

SHA256
53f2519442506a9bac309ade5c20586d329be279231bf425d275b8166cb858cc

SHA512
80503862e5a3d601044de8b54bebf9b192554021624578a7600034e67047b79e32af74193c4980445db3ae6f47f8a48d141f94606cfc7b664192bf7da7b3caec

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1zx00rh\g1zx00rh.cmdline

Filesize
273B

MD5
419f1b1573ee8749dc42ce08a4381535

SHA1
c952ecf4693b98d12c3eb40c01bdde5ca46b9854

SHA256
8b5556365dd91a3b0e632ee047ad56d1fa77daad0c6e46e976f3bc2c2d002cad

SHA512
bbdf785f6a4daf4c37ef579f9c43a4301d4ef6331c3855928dd0a1358b9bce2021d986cdbe90fcbc4eaff6a5067877619cab72fcda74649934e95541bfdc3130

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98C7.tmp.exe

Filesize
12KB

MD5
7e1b54a35b83b479cc3cca97dabf0da0

SHA1
c8dba6fcc4524464868dfe0ec078b8af247f551b

SHA256
0a905b7973400df8e750a670414832be0b77796aef9afd8c1ee44b86f98fd48f

SHA512
2181fe6a8d86885e6fad2d79ef69fada2f3065ca62e9dbe0e41e2a8b6da4728fddcef97af6348c964a364d7c517a6a7988d6429d2d322ef440087ddd899c720e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6D7A5402BA34BAB8A7F2EA25E43F12.TMP

Filesize
1KB

MD5
d8a7aeaabe58614adc9a989f15c1e244

SHA1
445d7987650be7825cc2facef77b4d9c91a4a5d4

SHA256
475311feaa026b8099b8e842f39511d60584d383cd72ddb682a61adeb62b06bb

SHA512
e747abf9d7d5a8fcae8be1f4959a07441094b602d4c8873eb4d5ef79ca55e5a3845d49824bae60842819e42ed4a97c5199dc7e99644b8bbec6be0e6f35ff4902

Download Submit
memory/2496-23-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/2896-0-0x000000007434E000-0x000000007434F000-memory.dmp

Filesize
4KB

Download
memory/2896-1-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/2896-6-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2896-24-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing