37d1c491f7218be7b012f3887996c404ebe72a2fce5a2b2b682d12e5d2a6678e

General

Target

2078789126d0f957c30220478428b920_NeikiAnalytics.exe
Size

12KB
MD5

2078789126d0f957c30220478428b920
SHA1

235b26d7a2ea1a4c05dbfda6fa6711826f16a8f9
SHA256

37d1c491f7218be7b012f3887996c404ebe72a2fce5a2b2b682d12e5d2a6678e
SHA512

6e7378db6950fc2367ae60bd7aa673c832e06fd7ef158b2232554dcf9bd58fb4f559e0481d1e61486fff09ccbbb8c003d6d77c20f3090afd9ce334cb5aff2cc3
SSDEEP

384:IL7li/2zsq2DcEQvdQcJKLTp/NK9xaH5:2gMCQ9cH5

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2828	tmp1A36.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2828	tmp1A36.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
3020	2078789126d0f957c30220478428b920_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	2078789126d0f957c30220478428b920_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2644	3020	2078789126d0f957c30220478428b920_NeikiAnalytics.exe	28
PID 3020 wrote to memory of 2644	3020	2078789126d0f957c30220478428b920_NeikiAnalytics.exe	28
PID 3020 wrote to memory of 2644	3020	2078789126d0f957c30220478428b920_NeikiAnalytics.exe	28
PID 3020 wrote to memory of 2644	3020	2078789126d0f957c30220478428b920_NeikiAnalytics.exe	28
PID 2644 wrote to memory of 2656	2644	vbc.exe	30
PID 2644 wrote to memory of 2656	2644	vbc.exe	30
PID 2644 wrote to memory of 2656	2644	vbc.exe	30
PID 2644 wrote to memory of 2656	2644	vbc.exe	30
PID 3020 wrote to memory of 2828	3020	2078789126d0f957c30220478428b920_NeikiAnalytics.exe	31
PID 3020 wrote to memory of 2828	3020	2078789126d0f957c30220478428b920_NeikiAnalytics.exe	31
PID 3020 wrote to memory of 2828	3020	2078789126d0f957c30220478428b920_NeikiAnalytics.exe	31
PID 3020 wrote to memory of 2828	3020	2078789126d0f957c30220478428b920_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\2078789126d0f957c30220478428b920_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2078789126d0f957c30220478428b920_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nzjtjfli\nzjtjfli.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BCA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD14080C13D704527B121594FA79E1ADE.TMP"
    3⤵
    PID:2656
- C:\Users\Admin\AppData\Local\Temp\tmp1A36.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1A36.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2078789126d0f957c30220478428b920_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
59c0b2badfaf70e1f3428bf53f2c5e75

SHA1
e01abf431fc951b3de7915cfecc1d33bcf341919

SHA256
6aac5c5a7eac0a0f64979349ce6c39458a157a1e74dcb9e6807d49889bffd85a

SHA512
9687a8742984ae7b517b0aa5150002159a20390708a11757c7eefcb805b3947ef65b8b219d8104f6234205ef7a2a976b4f9274e7796c9351a6334c848731881e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1BCA.tmp

Filesize
1KB

MD5
7d40ce7dab16036f72aeb7b974f42580

SHA1
6d656b033e64fe085b7f390df75da08c0c9a26f3

SHA256
d688b8c83d5afd9bc72eb7ab66ca25fcf1215ea4edb6e5430d1112a42e559e1b

SHA512
3f3d6a8a71b98bdbc413b5ad22cc3128c888a8c1d2ec888bd66d67d7272451e06668945fe56a6b55018c503f7c6704a42142ae27d2c0aaa82d099a461d24d5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nzjtjfli\nzjtjfli.0.vb

Filesize
2KB

MD5
a26786a5cf66dbb11cce2e22b77019a8

SHA1
4a02462f6106a92cee0ea24c4faf24d8fc0781dd

SHA256
544d93ed4c62fa28afc42ae898291577c883b18d9687436b08d7a8b36bdd62b3

SHA512
ac4f8f8313da1d1c51929822b8b3718447e2fef488a5e55da186aae23e22bfe6ec70edbc891d08dc115bfe9d607d0f53aede82579c665f7a630e53ea2399c7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nzjtjfli\nzjtjfli.cmdline

Filesize
273B

MD5
74fa2d999d7bf22038b411cc77482794

SHA1
89d253b8a77c54690f36f6a791f19bf7bd666c9f

SHA256
245fd11c548d09b4ea8c429912cf450a0f454b40b6de42c1dede254e41e43daa

SHA512
cd62f7d0745178b0ab13c2003728c2d04bc894898fdbfd6aa59b99666aa61796eaf79dbd6ac2f56440c095b1649d49ecb3deb3b5848ac7e579e3cd05d0d5fd4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A36.tmp.exe

Filesize
12KB

MD5
d50b94f9c25b83c81fc2081692a2d4ff

SHA1
f54e41f1fd41f22ccb0f8431ef44c5883308b0d6

SHA256
5dcded710c2c60f77534dea2f6530b2fbaadb6006737a65a6fc0241be62ac719

SHA512
66628bd8bc2a4ce40e032eccfb14c11947916e4f6f184e7986dfe3fdc9701ce2dcebd48dd017466bcdadd2e2f00d4d4510105d112039890fb61a727111970262

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD14080C13D704527B121594FA79E1ADE.TMP

Filesize
1KB

MD5
2d713ae198539729b3866182607f4911

SHA1
06a2db66cce46261f7cf81c658a2f92dfe6b7e8a

SHA256
b7681ed5fca455a88b5915f938413262bdf34412c8187fd5321dd9ec3d7cb115

SHA512
c774542cd80842fefcd217918d4b8d234888c51c31096ad4d0eb21af5adb950c5b546f8769a2c8cbbe261052bb5d0750532b44a0ee15c50c9e9661cca3525f4b

Download Submit
memory/2828-23-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/3020-0-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

Filesize
4KB

Download
memory/3020-1-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/3020-7-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/3020-24-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing