Analysis
max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/05/2024, 08:23

Static task: static1
Behavioral task: behavioral1
  Sample: 4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
Size: 12KB
MD5: 4cba71691b8bc14345aa4dc0baced850
SHA1: 86205dac169f33d4f8266eb9d3b199bb5d54eb55
SHA256: 1614d4f29b90108fb81d661dbc8a23054e05916be3f1f10fb2cc92c28b8fa540
SHA512: ac11b286f86e96198fcf7fbb4f8e314fc04c884131310cf4075728762fc4d4fcd26663f7e4dbcf885a6818e36eb7bfee769f432ea6096e1da493218170b5feb1
SSDEEP: 384:1L7li/2ztq2DcEQvdhcJKLTp/NK9xa/ar1:VlM/Q9c/2
Malware Config

Signatures
- Deletes itself (1 IoC): PID 2412, tmp6EDA.tmp.exe
- Executes dropped EXE (1 IoC): PID 2412, tmp6EDA.tmp.exe
- Loads dropped DLL (1 IoC): PID 3012, 4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC): Token: SeDebugPrivilege, PID 3012, 4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (12 IoCs):
  PID 3012 (4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe) wrote to memory of PID 2992, procid_target 28 (4 entries)
  PID 2992 (vbc.exe) wrote to memory of PID 2684, procid_target 30 (4 entries)
  PID 3012 (4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe) wrote to memory of PID 2412, procid_target 31 (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe (PID 3012)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2992)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3s201bfx\3s201bfx.cmdline"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2684)
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1CA6AC478EC4A759128C269FC754843.TMP"
   2. C:\Users\Admin\AppData\Local\Temp\tmp6EDA.tmp.exe (PID 2412)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6EDA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
      - Deletes itself
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads