55f4dcbe3a9fecf82f78ba628fb6375e0e800b7d04bae2bc8f78b220926f5c51

General

Target

514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
Size

12KB
MD5

514721b58189a2cb0132f06b1061f900
SHA1

2f55a861874e9e32990d9ee8ea86695ece396fa7
SHA256

55f4dcbe3a9fecf82f78ba628fb6375e0e800b7d04bae2bc8f78b220926f5c51
SHA512

f0fd4c584fd83d4442964fd556c383acdf436b790deda81fe5fcc5509c99c7e89995b03fc37e14b2ff74cba520de1e606d1b959dc247eca367b5bc58de2a39f3
SSDEEP

384:XL7li/2zsq2DcEQvdQcJKLTp/NK9xaAY:bYMCQ9cAY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2612	tmpA084.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2612	tmpA084.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1932	514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2188	1932	514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe	28
PID 1932 wrote to memory of 2188	1932	514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe	28
PID 1932 wrote to memory of 2188	1932	514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe	28
PID 1932 wrote to memory of 2188	1932	514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2984	2188	vbc.exe	30
PID 2188 wrote to memory of 2984	2188	vbc.exe	30
PID 2188 wrote to memory of 2984	2188	vbc.exe	30
PID 2188 wrote to memory of 2984	2188	vbc.exe	30
PID 1932 wrote to memory of 2612	1932	514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe	31
PID 1932 wrote to memory of 2612	1932	514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe	31
PID 1932 wrote to memory of 2612	1932	514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe	31
PID 1932 wrote to memory of 2612	1932	514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3p25ocp5\3p25ocp5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA860.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4A2A210C2CD4A3C8BC8256F499734.TMP"
    3⤵
    PID:2984
- C:\Users\Admin\AppData\Local\Temp\tmpA084.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA084.tmp.exe" C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3p25ocp5\3p25ocp5.0.vb

Filesize
2KB

MD5
951bbf616245ffe083632ae320104e82

SHA1
be2b84820b70a3740342309f6d6413c34256179c

SHA256
6f9aab0d12c289938ef61a7f8df1721981cc6276b7ae5f4185f00eddbafa4c8f

SHA512
6d19f9475cec1687260efb46e335eadc8c5e0bd61f60cb48563895d5ce18b062730b8f10512ce9204f76382c0dbedaf663c9420aefaf1efe8ebc87331c483e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\3p25ocp5\3p25ocp5.cmdline

Filesize
273B

MD5
3041a81507b779c59522b113bd67f955

SHA1
aff3d432d08ab773c994c92dad1c4e4dfcdd4644

SHA256
8030ddf34c5478ad294c4c4216c932ce70d1ac633ddbb1ba6e56e5bf7ba8287e

SHA512
650642952b636ac134d4f031fce0c6013ffd704a1dc3a3663326cf1a9a3e8e7946210a16d69c29068e30b0b1111cf5e86e48e5a1e8f46dae862c66744156f771

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4a0ad59927914a24c2683d2e3d3d550c

SHA1
a8c0ef86d7b4abc8738a7aa1d7f3492811cf47c4

SHA256
cf78c81629dbbefbe8cb9940b3e1f5f88b97c7eb303613447be41c16e935e94e

SHA512
db454db9d8d8ba2fc1953f89b8b911c2cc16d54ee7752b34741754c882ade0753b07742f73fb154c9a7384146c4f40d4e0917af4be16fc06ba53805df63fecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA860.tmp

Filesize
1KB

MD5
2ce5aca724ae0a3b570f9d8eb6746a98

SHA1
afe451c11c939577808455c0ce5ceaa9e30175d1

SHA256
a65f5b6f5cf7899597a64fa8ff258c70292e0252afc04961a7da149ac1f61e12

SHA512
23088864fba00a413dd2257e45c15f7006c0a478300c89dbc1510f6927f562b66d1a9851fd6c2e97c38bb03d003b5f532fa3f359072f042266e4b3be64865463

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA084.tmp.exe

Filesize
12KB

MD5
e49182b992236064a53a0eca217428f4

SHA1
9aff70fe1390aba67ccb7b6c0b0ab2013d9bb9e4

SHA256
618bf71b54e371ea2aa86149b385be0b616180aad3c82c8ba6a6bedcff2c8e6f

SHA512
00f1db79b183bb8a7d0bbc4c05dab55bd064b2f96c272cd3456cfa0fff162cc7b3ad9e138121968c42978ad937adb295a5b8c724351987018a0bbde0c9a63365

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD4A2A210C2CD4A3C8BC8256F499734.TMP

Filesize
1KB

MD5
726fbf154a7707e26a64aa0f50fecea6

SHA1
a3af96ae8d68a603be571ab1301e0a791f43bed5

SHA256
13ee32e28b8a792e8e1088ba358f41a7dd0b2f1a59cfc606e631b85ef07f168a

SHA512
836e1bce61ff22a6236f851d124f611fc137aae5b46ad1212ba6428ae71365a1fdfa100002663b274705c1b8e48e0508b4ffbb69aa6468734622e622f33a6a97

Download Submit
memory/1932-0-0x0000000073FFE000-0x0000000073FFF000-memory.dmp

Filesize
4KB

Download
memory/1932-1-0x0000000000960000-0x000000000096A000-memory.dmp

Filesize
40KB

Download
memory/1932-6-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/1932-24-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/2612-23-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing