Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 30/05/2024, 01:22
Static task: static1
Behavioral task: behavioral1
  Sample: 5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe
Size: 12KB
MD5: 5e7d3090a4a4d29a3489992fdeba41b0
SHA1: f3771fa931e91fd34772d17dfd3245153b14eca9
SHA256: be85695b3b872d21ed9f3964b33263e9c53638fab301614aac13cde64b7510ab
SHA512: cc7f63b2fc748ceefde3dc0819cddef7388f9c475348e9df71ece489edef6a067838fc1065f9a7a38d48a10a430518bc74af78bb2d72262811985a379d44906c
SSDEEP: 384:iL7li/2zWq2DcEQvdhcJKLTp/NK9xar5:8WM/Q9cr5
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 2732  tmp1A45.tmp.exe

Executes dropped EXE (1 IoC)
  PID 2732  tmp1A45.tmp.exe

Loads dropped DLL (1 IoC)
  PID 2972  5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe

Uses the VBS compiler for execution (1 TTP)
  vbc.exe is the Visual Basic .NET command-line compiler shipped in the .NET Framework directory, not a VBScript interpreter. The @"...\sqsi2jmq.cmdline" response file under the user's Temp directory and the follow-on cvtres.exe call (see the process tree below) are the usual footprint of runtime, CodeDOM-style compilation of source that the sample writes to disk, so the executed code never has to ship as a finished binary.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 2972  5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (12 IoCs; each record below appears four times in the report)
  description                        pid   process                                              procid_target
  PID 2972 wrote to memory of 1744   2972  5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe  28
  PID 1744 wrote to memory of 2400   1744  vbc.exe                                              30
  PID 2972 wrote to memory of 2732   2972  5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe  31
Processes

C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe"
  PID: 2972
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 2)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sqsi2jmq\sqsi2jmq.cmdline"
    PID: 1744
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 3)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C09.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1B6EA7FC1D47410197F8E8AFD2931E2C.TMP"
      PID: 2400

  C:\Users\Admin\AppData\Local\Temp\tmp1A45.tmp.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp1A45.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe
    PID: 2732
    - Deletes itself
    - Executes dropped EXE
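The process tree above carries the two things a detection engineer would key on: a binary running from the user's Temp directory launching the .NET compiler, and a second Temp-resident binary being handed the original's image path (the "Deletes itself" helper). The following is an added example, not part of the sandbox report or of the sample, that rebuilds the tree from the records shown above and flags both patterns. The process records are transcribed from the report; the rule names, the compiler list beyond vbc.exe, the user-writable-directory heuristic and the parent-PID mapping (taken from the "wrote to memory of" records, which here coincide with the tree nesting) are this example's own assumptions.

```python
"""Added example: rebuild the sandbox process tree and flag compiler abuse and
the dropped self-delete helper. Records are transcribed from the report above;
the heuristics and rule names are assumptions of this example."""
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe"
NETFX = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
DROPPED = TEMP + r"\tmp1A45.tmp.exe"

# (pid, parent pid, image path, command line) as listed in the report's process tree.
# Assumption: parent PIDs follow the "wrote to memory of" records, which in this
# report line up with the parent/child nesting of the tree.
RECORDS: List[Tuple[int, Optional[int], str, str]] = [
    (2972, None, SAMPLE, '"' + SAMPLE + '"'),
    (1744, 2972, NETFX + r"\vbc.exe",
     '"' + NETFX + r'\vbc.exe" /noconfig @"' + TEMP + r'\sqsi2jmq\sqsi2jmq.cmdline"'),
    (2400, 1744, NETFX + r"\cvtres.exe",
     NETFX + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP
     + r'\RES1C09.tmp" "' + TEMP + r'\vbc1B6EA7FC1D47410197F8E8AFD2931E2C.TMP"'),
    (2732, 2972, DROPPED, '"' + DROPPED + '" ' + SAMPLE),
]

# Assumption: the .NET Framework command-line compilers worth alerting on.
COMPILERS = {"vbc.exe", "csc.exe"}


@dataclass
class Proc:
    pid: int
    parent: Optional[int]
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)


def build_tree(records) -> Dict[int, Proc]:
    """Index processes by PID and link each child to its parent."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in records}
    for p in procs.values():
        if p.parent in procs:
            procs[p.parent].children.append(p)
    return procs


def in_user_writable_dir(path: str) -> bool:
    """Assumption: directories a standard user can write to without elevation."""
    p = path.lower()
    return ("\\appdata\\local\\temp\\" in p or "\\users\\public\\" in p
            or p.startswith("c:\\programdata\\"))


def findings(records) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs for processes matching either heuristic."""
    procs = build_tree(records)
    hits: List[Tuple[str, int]] = []
    for p in procs.values():
        parent = procs.get(p.parent)
        if parent is None:
            continue
        name = ntpath.basename(p.image).lower()
        # Rule 1: a .NET compiler spawned by a binary living in a user-writable
        # directory, i.e. runtime compilation of dropped source.
        if name in COMPILERS and in_user_writable_dir(parent.image):
            hits.append(("compiler-spawned-by-user-writable-binary", p.pid))
        # Rule 2: a dropped executable in a user-writable directory whose command
        # line carries its parent's image path, the shape of a delete-the-original
        # helper such as the tmp1A45.tmp.exe process in the report.
        if (in_user_writable_dir(p.image) and p.image.lower() != parent.image.lower()
                and parent.image.lower() in p.cmdline.lower()):
            hits.append(("dropped-exe-given-parent-path", p.pid))
    return hits


def render(procs: Dict[int, Proc], pid: int, depth: int = 0) -> str:
    """Indented text rendering of the subtree rooted at pid, for a quick eyeball check."""
    p = procs[pid]
    lines = ["  " * depth + f"[{p.pid}] {p.cmdline}"]
    for child in p.children:
        lines.append(render(procs, child.pid, depth + 1))
    return "\n".join(lines)


if __name__ == "__main__":
    tree = build_tree(RECORDS)
    print(render(tree, 2972))
    for rule, pid in findings(RECORDS):
        print(f"{rule}: pid {pid}")
```

Run against the transcribed records, the first rule fires on vbc.exe (PID 1744) and the second on tmp1A45.tmp.exe (PID 2732); cvtres.exe is left alone because it is a child of the compiler, not of the Temp-resident binary, which is why the rule looks at the immediate parent rather than at any ancestor. On a real endpoint the same two checks can be expressed over Sysmon or EDR process-creation events, with the parent image and command line coming from the event instead of from this constructed list.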
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: a97063714b84737fc77f6fce4ad4d3f7
SHA1: 583584fdc0f722e9fcc26fed46ba75bb0fea1a74
SHA256: 34df7c97d889d94d665cff8f1c4cae29aa3f2b9c19aca980a6aa06ce8fe5e182
SHA512: 00581e4726f11a14f3a403060de2572cc3a75b03dd62d1a249d104b918368300026fb42b0d2c4b217c2199209002d14ba58fa493973876bb21ee9a1eb4a6084e

Filesize: 1KB
MD5: b909d94d7a92f03b08de5e4e5ca9e593
SHA1: 4d7bb4d28b47712a42bb30bedb89858d2ca46100
SHA256: 23e4a9552a389d540e1f35a8a136ad8f399cadc6211c92b138dcb9d3fc8bfa70
SHA512: 8ae4d96f55e2bd0f160898d2c66a2a34ebefe3f166c0947ed7719ae34732afbf046144a2b380d4a32d22ac3cc760751a800b55b246aebe6f1fde5795ea923aa8

Filesize: 2KB
MD5: 8bdf955aa9328da5f8ee11272e7887eb
SHA1: 71b8d962763de28244f72d83ceb576405a2fc4c1
SHA256: c73568bce98bdf7c0076bd05f7e0d09497d482d3260ea862b49d2d29904d5971
SHA512: 18aa11eff803e8df84ee08aeba70524d084e07f1276beee96125c20fe3e2127c8cfb5336e6f9ddb04426c39c0d72a984e7d377a32465828a0d9ee3eaa0e16d22

Filesize: 273B
MD5: 6784ab54b573c8a6a287b21cddbb58db
SHA1: 4bc6715a0ab4fe2ab0e028c387f1787a83f98259
SHA256: 37e678787a0c5bf30667f700f3af4b0e4ce319da09503130aa4f13e57f6ffda5
SHA512: 631fbcfa1e89581d3c38c11db8dde30e4fe8014c4db9908ed5435b9c5afd261f2521dc048dec11c7e5b6f552d486a52e01cef10c1b9872ceef3664758ccda611

Filesize: 12KB
MD5: ef2d269c32fd1dd7d354f38fb00e9209
SHA1: d3e74b775d96a263ef4a10eb93cc3134e5b73a9b
SHA256: 58ea275814f34df73dbb50d00acfa4d70d7979e7207ce8dbfb678846138363be
SHA512: 42736feb85bd35c14910a065043bc57400a1a727fd823c0bb8d920a0a0395ae06c1e574d378b2b87ab5c19e197731cc41ffd5b079962d96ad1b98d4887fa53bd

Filesize: 1KB
MD5: 7ba54c5eba3d935f8450c1dbcc67d434
SHA1: d41945b18d307c6b8622208eabc6ccad776ab13c
SHA256: d59712bbe4150495cc10c34a850994f4cecbd174f06a274acf8ffbbc4bf3789b
SHA512: 1c11002105db08dc648db6f2b590aee753b48a8b4add3212e8d22a7f75f790d44f51f0f8a56799538e95ab5e82166f41213af5f443e1b384d221d23caa66dbc8