ffdc645f6c72c0c2e4e76b29e3563fddf2f8ebb22a962ec5f796a56a013c5b5a

General

Target

bf0ca780006f939dcd9b205917b8fce0_NeikiAnalytics.exe
Size

12KB
MD5

bf0ca780006f939dcd9b205917b8fce0
SHA1

7099a3b9d23e907de7a91afbb9b91cfac0138c21
SHA256

ffdc645f6c72c0c2e4e76b29e3563fddf2f8ebb22a962ec5f796a56a013c5b5a
SHA512

a005ce0a6ae178d9088e0b3c5175ac89b2394f43d1387c207e1c8588cd99838bd274fea1a16495b710997c8b59273745dd318db6c8cea84dd7a6740b64e9a413
SSDEEP

384:0L7li/2ztq2DcEQvdQcJKLTp/NK9xa6c:itMCQ9c6c

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2700	tmp27BD.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	tmp27BD.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2016	bf0ca780006f939dcd9b205917b8fce0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	bf0ca780006f939dcd9b205917b8fce0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2360	2016	bf0ca780006f939dcd9b205917b8fce0_NeikiAnalytics.exe	28
PID 2016 wrote to memory of 2360	2016	bf0ca780006f939dcd9b205917b8fce0_NeikiAnalytics.exe	28
PID 2016 wrote to memory of 2360	2016	bf0ca780006f939dcd9b205917b8fce0_NeikiAnalytics.exe	28
PID 2016 wrote to memory of 2360	2016	bf0ca780006f939dcd9b205917b8fce0_NeikiAnalytics.exe	28
PID 2360 wrote to memory of 2580	2360	vbc.exe	30
PID 2360 wrote to memory of 2580	2360	vbc.exe	30
PID 2360 wrote to memory of 2580	2360	vbc.exe	30
PID 2360 wrote to memory of 2580	2360	vbc.exe	30
PID 2016 wrote to memory of 2700	2016	bf0ca780006f939dcd9b205917b8fce0_NeikiAnalytics.exe	31
PID 2016 wrote to memory of 2700	2016	bf0ca780006f939dcd9b205917b8fce0_NeikiAnalytics.exe	31
PID 2016 wrote to memory of 2700	2016	bf0ca780006f939dcd9b205917b8fce0_NeikiAnalytics.exe	31
PID 2016 wrote to memory of 2700	2016	bf0ca780006f939dcd9b205917b8fce0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\bf0ca780006f939dcd9b205917b8fce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bf0ca780006f939dcd9b205917b8fce0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5dewg03f\5dewg03f.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3955CEB76736417B8CFAF9EBB867BAD.TMP"
    3⤵
    PID:2580
- C:\Users\Admin\AppData\Local\Temp\tmp27BD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp27BD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bf0ca780006f939dcd9b205917b8fce0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5dewg03f\5dewg03f.0.vb

Filesize
2KB

MD5
cdf2bd789086fdb92d6a3e6a66114d2f

SHA1
5eeff5f75f2da6a4c3f94408ecfbe05d6a398ae8

SHA256
45fc66bc4dc67d0f9535dc33e7c94c7dfd131f54c70ede47a0922431f9e7ebe2

SHA512
626a9b31edba65a6153a44415ecdea76f61cb4b394601823fd6528635aa79d298dba206efcfc80b95c002ea8fa74743824379784886c1c17b7141d1412928c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dewg03f\5dewg03f.cmdline

Filesize
273B

MD5
5a7a16e27730926fbfc1c7b91b154421

SHA1
1b52ea2e2c27e31a817801078e908047ea10991d

SHA256
f0ab7ac32c7ad8306de5c3f6959178dea140ba4d043e877fa07c052f6047775f

SHA512
52e1c80e5528ac10c220242a2a29ebb513da94adcc65afc363e283d7bf2d8eadc8a9dd51047559524ad9b144ba75b60b5ef484ca04044ce81dbdba5987dc84ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
5621209dc7dbb170b9bf0751aa3e7923

SHA1
0e59650dc61ed9527c4c612b42e515beaa0f436a

SHA256
6018c4c5e902119f521ad694cfae5816683da1d3ff29e6d098e19bf017b8fd44

SHA512
3288c7f342d665bb51f7e3e2a75f068cde5ed290a6abd521db746e4ae9be620ea70d3e9ff9b75f3d369404dad6cae693d05d6dd75f7b7d3a4f628a53bfb4048d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES29FD.tmp

Filesize
1KB

MD5
7c0abae035d617c9e5d051df2f91b2ac

SHA1
17749a790da71fc527e2c0c4088dfa1099e3cef3

SHA256
01fb4c66083f69a4fbf1712fe7dd7c90c4046eb606957f75afdb44c08878fa8c

SHA512
5149722511b7007d5efa1161115ef5e7d385261acae303db53de5884dde8debe407dcef4b197f55d38c23f4949c715f4c519cdc8914f644ee4a532c9c9bae705

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp27BD.tmp.exe

Filesize
12KB

MD5
39e6cb16083852e3bcfe50e767e2c676

SHA1
9f3f1152939c962e664ac8b9ef177b0e31545cc5

SHA256
b59ca9cef43920893701674ba2ee70686f93f5923342edd40d4aeae6a3ae337d

SHA512
124d417d4ecece976d5d37a9b7f3a0e6096835ddf0c62785d3786a24a6958d1b3ea42384aa0ea4d67d308cf06cd7775af1dbb6c16160727c23c7b7638e150c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3955CEB76736417B8CFAF9EBB867BAD.TMP

Filesize
1KB

MD5
2286c99869200371f68e8f77510a9869

SHA1
b711c7f99ad96cd5db4cac80055f1f7c36a45069

SHA256
cfe5e8aef832f94a3b13e1efcad1cf85fc9c18b61e87fa0153aececc295b6316

SHA512
838a6c99dbfdcae669199cb8dbef7f29753d285fa52b237e711106b1c52703222524859a58af10155a297045b9c740d7e213e7035d65e2a41b0c0ea616a75d56

Download Submit
memory/2016-0-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/2016-1-0x0000000000B40000-0x0000000000B4A000-memory.dmp

Filesize
40KB

Download
memory/2016-8-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2016-23-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-24-0x0000000001000000-0x000000000100A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing