Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/05/2024, 08:23

General

  • Target

    4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    4cba71691b8bc14345aa4dc0baced850

  • SHA1

    86205dac169f33d4f8266eb9d3b199bb5d54eb55

  • SHA256

    1614d4f29b90108fb81d661dbc8a23054e05916be3f1f10fb2cc92c28b8fa540

  • SHA512

    ac11b286f86e96198fcf7fbb4f8e314fc04c884131310cf4075728762fc4d4fcd26663f7e4dbcf885a6818e36eb7bfee769f432ea6096e1da493218170b5feb1

  • SSDEEP

    384:1L7li/2ztq2DcEQvdhcJKLTp/NK9xa/ar1:VlM/Q9c/2

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3s201bfx\3s201bfx.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1CA6AC478EC4A759128C269FC754843.TMP"
        3⤵
        PID:2684
      • C:\Users\Admin\AppData\Local\Temp\tmp6EDA.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp6EDA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2412

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\3s201bfx\3s201bfx.0.vb

            Filesize

            2KB

            MD5

            f5414a370d81bcc0889ec51b40e2a17d

            SHA1

            1a385d595e6e2145ad87f287e0432669f164e195

            SHA256

            212bfd7c0c709f459c74da37beef90503743ef310763da611cd91e463ba90144

            SHA512

            e6d4ec54e87a2361afb87fe5be1bc864bc6cddf827e6e3e009f93b21aa0c067cd2bfb4884572311d673f6be6867b84303f2eeecd69b34b23d51f4ec247d991a2

          • C:\Users\Admin\AppData\Local\Temp\3s201bfx\3s201bfx.cmdline

            Filesize

            273B

            MD5

            e0f883f60d4ea1f1a1d7188b10c6992b

            SHA1

            c944065a79ab2afa75860309c4e7fa361f68035d

            SHA256

            f35a61e45c1e8c4046058c027f11812fa4f5744662130a37d12e00f6475b95fe

            SHA512

            d4d0f1939da80fa60093c8e321a7a2fad7eb3ce32b963a5a7f17a3585d29dd51829b42d18caeb5de76667caa90eec54e33646244473c7b76a61b576351ee93cb

          • C:\Users\Admin\AppData\Local\Temp\RE.resources

            Filesize

            2KB

            MD5

            fe7f8b2ad94f2dd05a2c947427a74ba9

            SHA1

            b19e8a90a803138b0b2c69b58ec3a24204ca1161

            SHA256

            8c4add7b83002205eca576055025b3b9644dc00d7003d5fd3402eacdaebcd758

            SHA512

            e56cb122cb2ffb065a505d74e181d866e1ea5586bf83455baa00fb0340c7d6be5d47abbd74eb6182ffb0e17b306ffcaf0c75d40268c7badf83e3e6c838fc0dc7

          • C:\Users\Admin\AppData\Local\Temp\RES73AA.tmp

            Filesize

            1KB

            MD5

            366186ad91ed5426fb7cc0320a7f83c4

            SHA1

            81b58baf6cca46c0d6c83a1ff412c74e76ff4f20

            SHA256

            62f484784a41ad4f88fcc98c3014a9d56b5a3be456428eac70df0187882e279e

            SHA512

            7be53a6f2f5851c61066a1431237e6464e67c7e846a97b824fde5e2e3423c0065f33a99fdab9b9306bd9a570fd671a714fc3a4fa609c05f493f921ba5ad7f2b3

          • C:\Users\Admin\AppData\Local\Temp\tmp6EDA.tmp.exe

            Filesize

            12KB

            MD5

            15e5bfe7442711f0347f912933fe88fa

            SHA1

            d8b02268418418b92113918e664ef6e5f0ce781f

            SHA256

            d6396b9a0f8a0e956609975d977e42283ea2f1cd69fda7bf581747aa9b846972

            SHA512

            7db44f3445f017b3ad10ab6f518cab42d70f2cec16cdc744bc1bc912c5a095f0da2ca838c1b66b383a8d1ea6a1f58213c7bfb7e8e3520250ed0654a8f006b4a6

          • C:\Users\Admin\AppData\Local\Temp\vbcA1CA6AC478EC4A759128C269FC754843.TMP

            Filesize

            1KB

            MD5

            d7fac24256c6bd5ddfb8744cc2dee209

            SHA1

            ecbc0aedffdf343d0730d11bd5825b253dee922b

            SHA256

            bcc0cd64ac303961da5a9608f45fbb4831e2c1065e2d81c2e699b32893a1cd27

            SHA512

            05215b4b4a254f3d2b819c511d2ef87ef97314ada724afcbd4a5ef72178ba0b3d3240fafa33a849b426343dc044568919df34589cfe0401da0db374b14e1e3ce

          • memory/2412-23-0x00000000009B0000-0x00000000009BA000-memory.dmp

            Filesize

            40KB

          • memory/3012-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

            Filesize

            4KB

          • memory/3012-1-0x0000000000A40000-0x0000000000A4A000-memory.dmp

            Filesize

            40KB

          • memory/3012-7-0x0000000074C00000-0x00000000752EE000-memory.dmp

            Filesize

            6.9MB

          • memory/3012-24-0x0000000074C00000-0x00000000752EE000-memory.dmp

            Filesize

            6.9MB